On Fri, 2015-03-06 at 16:24 +0100, Matt . wrote:
> Hi,
> 
> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
> SRV won't fit here sorry to say.
> 
> I auth users, so their keytab should be the same between two masters I believe?

What kind of load balancing?

An IPA server offers multiple different kerberized services, not all of
them may be able to work using multiple keys (you would need one key for
the real name and one for the load balanced name).

Simo.

> In that case... I need to add the altnames to the certs, but I'm not
> 100% there in step 6
> 
> Thanks again!
> 
> Cheers,
> 
> Matthijs
> 
> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
> > On 6.3.2015 15:39, Matt . wrote:
> >> I have 2 IPA servers where I kinit to and post to the api using curl/json.
> >
> > If we are talking purely about scripting, you can use IPA Python API. It will
> > handle failover for you even without any load balancer. That would be the
> > easiest way.
> >
> >> As I need redundancy and don't want to have it script managed, but one
> >> central point where I can talk to I use a loadbalancer.
> >
> > Well, if you can control clients then the easiest and most universal way is to
> > use DNS SRV records and add failover logic to clients. That solution works
> > even when servers are geographically distributed/in different networks and
> > does not have single point of failure (the load balancer).
> >
> >> As I connect to the loadbalancer using DNAT, so the client IP is known
> >> on the IPA server because this is needed for the http service
> >> principals I need to add the loadbalancer hostname to my IPA server
> >> and make it as an ALT name to its certificate.
> >>
> >> As the users are the same on both servers I would assume I can use a
> >> keytab for a user against both servers from my clients.
> >
> > I'm talking about keytabs on the FreeIPA servers - services running on IPA
> > server have their own keytabs too. Every service on every server has own
> > keytab with different key.
> >
> > You need to talk with Simo or some other Kerberos guru about possibility of
> > sharing keytabs between IPA services.
> >
> >> Does this make it more clear?
> >
> > I'm still not sure if you want to have human users too or just API clients.
> >
> > Petr^2 Spacek
> >
> >> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
> >>> On 6.3.2015 15:13, Matt . wrote:
> >>>> Hi,
> >>>>
> >>>> But as the user is the same, I could use the same keytab for each ipa server?
> >>>>
> >>>> I need to use the API indeed, so need to issue the http service.
> >>>>
> >>>> Any other options?
> >>>
> >>> I do not really understand your use case. Could you describe it in detail, please?
> >>>
> >>> Petr^2 Spacek
> >>>
> >>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
> >>>>> On 6.3.2015 14:08, Martin Kosek wrote:
> >>>>>> I'm figuring out how to regenerate the webserver certificates so I can
> >>>>>> use a loadbalancer in front of my ipa servers.
> >>>>>
> >>>>> Are you talking about FreeIPA web interface? It is technically possible to use
> >>>>> load-balancer but it will be really hacky. You would have to solve
> >>>>> certificates and also distribute shared keytabs and so on.
> >>>>>
> >>>>> I would recommend you to use "something" which issues HTTP redirect to ipa
> >>>>> server 1/2/3/4/5 according to current state instead of using classical load
> >>>>> balancer on the network level. Normal HTTP redirect will not force you to mess
> >>>>> with certs and keytabs.
> >>>>>
> >>>>> --
> >>>>> Petr^2 Spacek
> >
> >
> > --
> > Petr Spacek  @  Red Hat


-- 
Simo Sorce * Red Hat, Inc * New York
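Petr's suggestion in the quoted part of this thread is to skip the network load balancer and put the failover logic in the API client, using the DNS SRV records FreeIPA already publishes (client discovery uses `_ldap._tcp.<domain>`). The script below is an added illustration of that approach; it is not code from the thread or from the FreeIPA project. It embeds a constructed set of SRV records instead of querying DNS so it runs offline, orders them the way RFC 2782 prescribes (lowest priority first, weighted random within a priority), and walks the list until one server answers. The `attempt` callable is a stand-in for whatever the real client does against one server (the kinit plus JSON-RPC POST mentioned in the thread, or an `ipalib` call); the hostnames are invented.

```python
"""Client-side failover over DNS SRV records (added example, not from the thread).

The SRV records are constructed and embedded inline so the script runs offline;
a real client would obtain them from a resolver query for _ldap._tcp.<domain>
and `attempt` would perform the actual authenticated API request.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records for an imaginary domain: two equal masters at the primary
# site and a lower-preference (priority 10) backup that is only tried last.
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "ipa1.example.test."),
    SrvRecord(0, 100, 389, "ipa2.example.test."),
    SrvRecord(10, 0, 389, "ipa-dr.example.test."),
]


def order_srv(records, rng=None):
    """Return records in RFC 2782 selection order.

    Priority levels are visited lowest first. Inside one level a weighted
    random draw picks the next server, so equal-weight masters share load
    instead of every client hammering the first one listed.
    """
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            point = rng.randint(0, total)   # total == 0 -> always the first entry
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= point:
                    break
            ordered.append(rec)
            bucket.remove(rec)
    return ordered


class AllServersFailed(Exception):
    """Raised when every SRV target was tried and none succeeded."""


def call_with_failover(records, attempt, rng=None):
    """Try each server in SRV order until `attempt(host, port)` succeeds.

    `attempt` must raise on a per-server failure. Returns (host, result) so the
    caller can log which master actually served the request. The collected
    per-host errors travel with the exception for troubleshooting.
    """
    errors = {}
    for rec in order_srv(records, rng):
        host = rec.target.rstrip(".")
        try:
            return host, attempt(host, rec.port)
        except Exception as exc:  # any per-server error just moves to the next one
            errors[host] = exc
    raise AllServersFailed(errors)


def demo(down=("ipa1.example.test",)):
    """Simulated run: hosts in `down` refuse connections, the rest answer."""

    def attempt(host, port):
        # Stand-in for the real request (kinit + JSON-RPC POST, or ipalib).
        if host in down:
            raise ConnectionError(f"{host}:{port} unreachable")
        return {"result": f"ok from {host}"}

    return call_with_failover(SAMPLE_SRV, attempt, rng=random.Random(1))


if __name__ == "__main__":
    print(demo())
```

Because the backup site carries priority 10, it is only contacted once both priority-0 masters have failed, which mirrors how the RFC 2782 ordering lets an administrator express site preference without any device in the data path. Nothing here needs a shared keytab or an extra certificate SAN, which is the point Petr makes about SRV-based failover.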

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project