Thanks Alexander. Reviewing the proxy requirements now.

On Tue, Nov 25, 2014 at 3:32 PM, Alexander Bokovoy <[email protected]> wrote:
> On Tue, 25 Nov 2014, Dimitar Georgievski wrote:
>
>> My case for HTTP load balancing is a little different. Ideally I would like
>> to use a real load balancer (A10 in this case) for balancing HTTP and
>> HTTPS services.
>> Would that be possible?
>>
>> Based on the info in this thread, and Apache configuration for IPA
>> (ipa.conf) the following steps were performed
>> - Added host for sso.example.com
>> - Added service for HTTP/sso.example.com
>> - added new entry for HTTP/sso.example.com to /etc/httpd/conf/ipa.keytab.
>> This keytab is listed in the conf.d/ipa.conf under the Location '/ipa'
>> groups of directives.
>> ipa-getkeytab -s `hostname` -p HTTP/sso.example.com -k /etc/httpd/conf/ipa.keytab
>>
>> - modified the conf.d/ipa-rewrite.conf and ipa-pki-proxy.conf to redirect
>> requests to sso.example.com
>>
>> The login page loads but unfortunately authentication is failing with HTTP
>> 401 (unauthorized) response from the server. I wonder what I am doing
>> wrong.
>>
> Can you show your /var/log/krb5kdc.log, lines concerning
> HTTP/sso.example.com principal at the time you are trying to access IPA
> UI.
>
> FreeIPA limits service principals' ability to impersonate user
> principals (or any other principals). FreeIPA UI runs as HTTP/ principal
> and is given permission to impersonate user principal when talking to
> ldap/ service. This setup is explicit and requires additional
> configuration for those Kerberos principals which ask for additional
> access.
>
> For more detailed description read my article at
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>
> --
> / Alexander Bokovoy
>
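Added example, not part of the original thread: a small parser that pulls the krb5kdc.log request lines naming one principal, as asked for in the quoted reply, and groups them by whether that principal is the client or the service and by the KDC status. The line layout is assumed to be that of MIT krb5kdc request entries; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of an MIT krb5kdc request line:
#   <date> <host> krb5kdc[pid](info): TGS_REQ (...) <addr>: <STATUS>: ..., <client> for <service>[, <error>]
LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z0-9_]+): "
    r".*?, +(?P<client>\S+) for (?P<service>[^\s,]+)(?:, (?P<error>.*))?$"
)

def parse_line(line):
    """Return the request fields of one log line, or None if it is not a request line."""
    m = LINE_RE.search(line.strip())
    return m.groupdict() if m else None

def lines_for_principal(lines, principal):
    """Yield (role, record) for each request naming `principal` as client or service."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for role in ("client", "service"):
            name = rec[role]
            # Match with or without the @REALM suffix, but not longer host names.
            if name == principal or name.startswith(principal + "@"):
                yield role, rec

def summarize(lines, principal):
    """Count requests per (role, request type, KDC status) for one principal."""
    return Counter((role, rec["req"], rec["status"])
                   for role, rec in lines_for_principal(lines, principal))

# Constructed sample lines (host names, addresses and times are invented).
SAMPLE_LOG = [
    "Nov 25 15:20:01 ipa1.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1416925201, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Nov 25 15:20:02 ipa1.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 0,  admin@EXAMPLE.COM for HTTP/sso.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "Nov 25 15:31:40 ipa1.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1416925201, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for HTTP/sso.example.com@EXAMPLE.COM",
    "Nov 25 15:31:41 ipa1.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1416925300, etypes {rep=18 tkt=18 ses=18}, HTTP/sso.example.com@EXAMPLE.COM for ldap/ipa1.example.com@EXAMPLE.COM",
    "Nov 25 15:31:41 ipa1.example.com krb5kdc[1234](info): closing down fd 12",
]

if __name__ == "__main__":
    for (role, req, status), n in sorted(summarize(SAMPLE_LOG, "HTTP/sso.example.com").items()):
        print(f"{n:3d}  {req:7s} {status:15s} principal is the {role}")
```

Run against the real log, lines where the principal is the service show tickets requested for the web front end, and lines where it is the client show what the front end itself asked the KDC for.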
