On 6.3.2015 16:24, Matt . wrote:
> Hi,
>
> I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers,
> SRV won't fit here, sorry to say.
>
> I auth users, so their keytab should be the same between two masters I
> believe?

Keytabs are used by Kerberos, and MIT Kerberos libraries fully support SRV
records and failover.

> In that case... I need to add the altnames to the certs, but I'm not
> 100% there in step 6

I hope someone else can advise you how to do that, but be prepared for hiccups;
this setup is not tested.

Petr^2 Spacek

> Thanks again!
>
> Cheers,
>
> Matthijs
>
> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>> On 6.3.2015 15:39, Matt . wrote:
>>> I have 2 IPA servers where I kinit to and post to the API using curl/json.
>>
>> If we are talking purely about scripting, you can use the IPA Python API. It
>> will handle failover for you even without any load balancer. That would be
>> the easiest way.
>>
>>> As I need redundancy and don't want to have it script managed, but one
>>> central point where I can talk to, I use a loadbalancer.
>>
>> Well, if you can control clients then the easiest and most universal way is
>> to use DNS SRV records and add failover logic to clients. That solution
>> works even when servers are geographically distributed/in different networks
>> and does not have a single point of failure (the load balancer).
>>
>>> As I connect to the loadbalancer using DNAT, so the client IP is known
>>> on the IPA server because this is needed for the http service
>>> principals, I need to add the loadbalancer hostname to my IPA server
>>> and make it an ALT name in its certificate.
>>>
>>> As the users are the same on both servers I would assume I can use a
>>> keytab for a user against both servers from my clients.
>>
>> I'm talking about keytabs on the FreeIPA servers - services running on an
>> IPA server have their own keytabs too. Every service on every server has its
>> own keytab with a different key.
>>
>> You need to talk with Simo or some other Kerberos guru about the possibility
>> of sharing keytabs between IPA services.
>>
>>> Does this make it more clear?
>>
>> I'm still not sure if you want to have human users too or just API clients.
>>
>> Petr^2 Spacek
>>
>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>> Hi,
>>>>>
>>>>> But as the user is the same, I could use the same keytab for each IPA
>>>>> server?
>>>>>
>>>>> I need to use the API indeed, so I need to issue the http service.
>>>>>
>>>>> Any other options?
>>>>
>>>> I do not really understand your use case. Could you describe it in detail,
>>>> please?
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can
>>>>>>> use a loadbalancer in front of my IPA servers.
>>>>>>
>>>>>> Are you talking about the FreeIPA web interface? It is technically
>>>>>> possible to use a load balancer but it will be really hacky. You would
>>>>>> have to solve certificates and also distribute shared keytabs and so on.
>>>>>>
>>>>>> I would recommend you to use "something" which issues an HTTP redirect
>>>>>> to IPA server 1/2/3/4/5 according to current state instead of using a
>>>>>> classical load balancer on the network level. A normal HTTP redirect
>>>>>> will not force you to mess with certs and keytabs.
>>>>>>
>>>>>> --
>>>>>> Petr^2 Spacek
>>
>>
>> --
>> Petr Spacek @ Red Hat

--
Petr Spacek @ Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
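The client-side alternative Petr describes (query DNS SRV records, then fail over between IPA servers without a load balancer, so no shared certificates or keytabs are needed) is shown below as an added example. It is not code from the FreeIPA project or from anyone in this thread. It implements the RFC 2782 selection order (lowest priority first, weighted random choice among equal priorities) over a constructed set of SRV records for a hypothetical zone `example.test`, and walks the resulting list until a caller-supplied probe reports a reachable endpoint. The record values, hostnames and the `probe` callback are all assumptions made for the example; a real client would obtain the records by resolving `_kerberos._tcp.<domain>` (or the `_ldap._tcp`/HTTP endpoint it needs) with a DNS library.

```python
"""Client-side SRV failover for IPA/Kerberos endpoints (added example).

Implements RFC 2782 target selection: records are grouped by priority,
lowest priority tried first; within a priority, zero-weight records are
placed first and a target is chosen by running-sum weighted random pick.
All record data below is constructed for the example.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # fully qualified, with trailing dot as a resolver returns it


# Constructed records, as a resolver might return them for
# _kerberos._tcp.example.test (hypothetical zone, not from the thread).
SAMPLE_RECORDS: List[SrvRecord] = [
    SrvRecord(priority=10, weight=60, port=88, target="ipa1.example.test."),
    SrvRecord(priority=10, weight=40, port=88, target="ipa2.example.test."),
    SrvRecord(priority=20, weight=0, port=88, target="ipa-backup.example.test."),
]


def order_srv(records: Iterable[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return the records in RFC 2782 try-order (priority, then weighted random)."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        # RFC 2782: unordered records with weight 0 go to the front of the list.
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            point = rng.randint(0, total)  # uniform in [0, total], inclusive
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                # First record whose running sum reaches the random point wins.
                if running >= point:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def first_reachable(records: Iterable[SrvRecord],
                    probe: Callable[[str, int], bool],
                    rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Try targets in SRV order; return the first one `probe(host, port)` accepts.

    `probe` is a hypothetical connectivity check supplied by the caller
    (e.g. a TCP connect with a timeout, or an authenticated API ping).
    """
    for rec in order_srv(records, rng):
        if probe(rec.target.rstrip("."), rec.port):
            return rec
    return None


def first_choice_counts(records: Iterable[SrvRecord], trials: int,
                        seed: int = 0) -> Dict[str, int]:
    """Count how often each target is tried first; shows the weight effect."""
    rng = random.Random(seed)
    recs = list(records)
    counts: Dict[str, int] = {}
    for _ in range(trials):
        first = order_srv(recs, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    down = {"ipa1.example.test"}  # constructed outage for the demo
    chosen = first_reachable(SAMPLE_RECORDS, lambda host, port: host not in down,
                             random.Random(1))
    print("chosen:", chosen)
    print("first-choice distribution:", first_choice_counts(SAMPLE_RECORDS, 1000))
```

Because the priority-20 backup is only tried after both priority-10 masters fail, a realm can keep a remote replica as a last resort without routing normal traffic through it; the 60/40 weights split normal load between the two masters the way the thread's load balancer would, but each client connects directly to a server whose certificate and keytab already match its own hostname. To resolve real records, dnspython's `dns.resolver.resolve(name, "SRV")` returns answers with `priority`, `weight`, `port` and `target` attributes that map directly onto `SrvRecord`.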