I'm really bound to a load balancer, as it's an HA setup of load balancers;
SRV won't fit here, sorry to say.

I auth users, so their keytab should be the same between the two masters, I believe?

In that case... I need to add the altnames to the certs, but I'm not
100% there in step 6

Thanks again!

2015-03-06 16:16 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
> On 6.3.2015 15:39, Matt . wrote:
>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
> If we are talking purely about scripting, you can use IPA Python API. It will
> handle fail over for you even without any load balancer. That would be easiest
> way.
>> As I need redundancy and don't want to have it script managed, but one
>> central point where I can talk to, I use a loadbalancer.
> Well, if you can control clients then the easiest and most universal way is to
> use DNS SRV records and add failover logic to clients. That solution works
> even when servers are geographically distributed/in different networks and
> does not have single point of failure (the load balancer).
>> As I connect to the loadbalancer using DNAT, so the client IP is known
>> on the IPA server because this is needed for the http service
>> principals, I need to add the loadbalancer hostname to my IPA server
>> and make it an ALT name in its certificate.
>> As the users are the same on both servers I would assume I can use a
>> keytab for a user against both servers from my clients.
> I'm talking about keytabs on the FreeIPA servers - services running on IPA
> server have their own keytabs too. Every service on every server has its own
> keytab with a different key.
> You need to talk with Simo or some other Kerberos guru about possibility of
> sharing keytabs between IPA services.
>> Does this make it more clear ?
> I'm still not sure if you want to have human users too or just API clients.
> Petr^2 Spacek
>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>> On 6.3.2015 15:13, Matt . wrote:
>>>> Hi,
>>>> But as the user is the same, I could use the same keytab for each ipa 
>>>> server ?
>>>> I need to use the API indeed, so need to issue the http service.
>>>> Any other options ?
>>> I do not really understand your use case. Could you describe it in detail, 
>>> please?
>>> Petr^2 Spacek
>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>> I'm figuring out how to regenerate the webserver certificates so I can
>>>>>> use a loadbalancer in front of my ipa servers.
>>>>> Are you talking about FreeIPA web interface? It is technically possible to use
>>>>> load-balancer but it will be really hacky. You would have to solve
>>>>> certificates and also distribute shared keytabs and so on.
>>>>> I would recommend you to use "something" which issues HTTP redirect to ipa
>>>>> server 1/2/3/4/5 according to current state instead of using classical load
>>>>> balancer on the network level. Normal HTTP redirect will not force you to mess
>>>>> with certs and keytabs.
>>>>> --
>>>>> Petr^2 Spacek
> --
> Petr Spacek  @  Red Hat
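The client-side SRV failover Petr describes (pick servers by DNS SRV priority/weight, fall through to the next one when a server is down), written out as an added illustration; it is not code from this thread or from FreeIPA. The SRV answer is constructed sample data for the hypothetical domain example.test, and `probe` is a caller-supplied connectivity check standing in for whatever the real client does to reach a server.

```python
import random
from collections import defaultdict
from typing import Callable, List, NamedTuple, Optional, Tuple

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample answer for _ldap._tcp.example.test (hypothetical hosts,
# not real DNS data): two equal-priority masters, one lower-priority fallback.
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="ipa1.example.test."),
    SrvRecord(priority=0, weight=50, port=389, target="ipa2.example.test."),
    SrvRecord(priority=10, weight=0, port=389, target="ipa-dr.example.test."),
]

def order_srv(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """Order records per RFC 2782: ascending priority, then a weighted random
    draw within each priority so equal-priority servers share the load."""
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec.priority].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r.weight)  # weight 0 first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running, chosen = 0, pool[-1]
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    chosen = rec
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def connect_with_failover(records, probe: Callable[[str, int], bool],
                          rng=random) -> Optional[Tuple[str, int]]:
    """Walk the SRV order and return the first (host, port) that `probe`
    (a caller-supplied connectivity check) accepts; None if every server fails."""
    for rec in order_srv(records, rng):
        host = rec.target.rstrip(".")
        if probe(host, rec.port):
            return host, rec.port
    return None
```

With `probe` simulating ipa1 being down, the client lands on ipa2 before ever touching the priority-10 fallback, which is the failover behaviour a load balancer would otherwise have to provide.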

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
