I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both fqdn's of the servers including the loadbalancer's fqdn.
But the question remains, how? 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi....@gmail.com>: > Hi, > > I will balance with IP persistance so I think there won't be any > mixing as long as that "used" server is online. > > 2015-03-06 19:16 GMT+01:00 Dmitri Pal <d...@redhat.com>: >> On 03/06/2015 11:05 AM, Matt . wrote: >>> >>> OK, understood. >>> >>> But when a webservice does execute a command (from scripting) to a SVR >>> record and the first is not reacable, would it try to do it again or >>> will handle DNS this in front of it ? >>> >>> I do a kinit against an IPA server using a keytab after I first >>> checked if the user was able to auth himself using his ldap >>> credentials, if so, this kinit exec is fired and I do some CURL stuff >>> to the IPA server. >>> >>> That's why I wanted a loadbalancer, the loadbalancer sees if a server >>> is down and doesn't even try to direct any of the commands to it... >>> I'm not sure if the SRV will handle this well when doing these command >>> from PHP for an example. Building in extra checks in front could be >>> done but it not ideal as a loadbalancer can handle such things much >>> better. >> >> >> OK, this makes things much more clear. Thanks for the explanation. >> Rob. What is our failover logic for API? >> >> For CLI we use a negotiation and then we store a cookie so as long as the >> whole conversation goes to the same server you should be fine. I do not >> think you need to re-encrypt the traffic at load balancer and thus have a >> cert there then if you can enforce the use of the same server in this case. >> >> The issue I anticipate is with Kerberos. I think you should not load balance >> the Kerberos traffic, only the API commands starting with the negotiation. >> >> Rob does that make sense for you? >> >> >>> >>> Thanks! >>> >>> Cheers, >>> >>> Matt >>> >>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <d...@redhat.com>: >>>> >>>> On 03/06/2015 10:24 AM, Matt . wrote: >>>>> >>>>> Hi, >>>>> >>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, >>>>> SRV won't fit here sorry to say. >>>>> >>>>> I auth users, so their keytab should be the same between two masters I >>>>> believe ? >>>> >>>> >>>> Each entity in Kerberos exchange has its own identity and key. >>>> If you send a ticket that is destined to service A instead to service B >>>> it >>>> would not work unless they share the same keys and identity. Sharinf same >>>> keys and identities between the servers just would not work with IPA. >>>> Keep in mind that IPA clients and server need to work and fail over if >>>> you >>>> do not have any load balancers and this is the common case. You are >>>> trying >>>> to add one where it is really not needed creating overhead for yourself. >>>> >>>> >>>> >>>>> In that case... I need to add the altnames to the certs, but I'm not >>>>> 100% there in step 6 >>>>> >>>>> Thanks again! >>>>> >>>>> Cheers, >>>>> >>>>> Matthijs >>>>> >>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >>>>>> >>>>>> On 6.3.2015 15:39, Matt . wrote: >>>>>>> >>>>>>> I have 2 IPA servers where I kinit to and post to the api using >>>>>>> curl/json. >>>>>> >>>>>> If we are talking purely about scripting, you can use IPA Python API. >>>>>> It >>>>>> will >>>>>> handle fail over for you even without any load balancer. That would be >>>>>> easiest >>>>>> way. >>>>>> >>>>>>> As I need redundancy and don't want to have it script managed, but one >>>>>>> central point where I can tal to I use a loadbalancer. >>>>>> >>>>>> Well, if you can control clients then the easiest and most universal >>>>>> way >>>>>> is to >>>>>> use DNS SRV records and add failover logic to clients. That solution >>>>>> works >>>>>> even when servers are geographically distributed/in different networks >>>>>> and >>>>>> does not have single point of failure (the load balancer). >>>>>> >>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known >>>>>>> on the IPA server because this is needed for the http service >>>>>>> principals I need to add the loadbalancer hostname to my IPA server >>>>>>> and make it as an ALT name to it's Certificate. >>>>>>> >>>>>>> As the users are the same on both servers I would asume i can use a >>>>>>> keytab for a user against both servers from my clients. >>>>>> >>>>>> I'm talking about keytabs on the FreeIPA servers - services running on >>>>>> IPA >>>>>> server have their own keytabs too. Every service on every server has >>>>>> own >>>>>> keytab with different key. >>>>>> >>>>>> You need to talk with Simo or some other Kerberos guru about >>>>>> possibility >>>>>> of >>>>>> sharing keytabs between IPA services. >>>>>> >>>>>>> Does this make it more clear ? >>>>>> >>>>>> I'm still not sure if you want to have human users too or just API >>>>>> clients. >>>>>> >>>>>> Petr^2 Spacek >>>>>> >>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >>>>>>>> >>>>>>>> On 6.3.2015 15:13, Matt . wrote: >>>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> But as the user is the same, I could use the same keytab for each >>>>>>>>> ipa >>>>>>>>> server ? >>>>>>>>> >>>>>>>>> I need to use the API indeed, so need to issue the http service. >>>>>>>>> >>>>>>>>> Any other options ? >>>>>>>> >>>>>>>> I do not really understand your use case. Could you describe it in >>>>>>>> detail, please? >>>>>>>> >>>>>>>> Petr^2 Spacek >>>>>>>> >>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >>>>>>>>>> >>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote: >>>>>>>>>>> >>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I >>>>>>>>>>> can >>>>>>>>>>> use a loadbalancer in front of my ipa servers. >>>>>>>>>> >>>>>>>>>> Are you talking about FreeIPA web interface? It is technically >>>>>>>>>> possible to use >>>>>>>>>> load-balancer but it will be really hacky. You would have to solve >>>>>>>>>> certificates and also distribute shared keytabs and so on. >>>>>>>>>> >>>>>>>>>> I would recommend you to use "something" which issues HTTP redirect >>>>>>>>>> to ipa >>>>>>>>>> server 1/2/3/4/5 according to current state instead of using >>>>>>>>>> classical load >>>>>>>>>> balancer on the network level. Normal HTTP redirect will not force >>>>>>>>>> you to mess >>>>>>>>>> with certs and keytabs. >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Petr^2 Spacek >>>>>> >>>>>> >>>>>> -- >>>>>> Petr Spacek @ Red Hat >>>> >>>> >>>> >>>> -- >>>> Thank you, >>>> Dmitri Pal >>>> >>>> Sr. Engineering Manager IdM portfolio >>>> Red Hat, Inc. >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
