Hi Guys, Is Rob able to look at this ? I hope he has some sparetime as I'm kinda stuck with this issue.
Thanks! 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi....@gmail.com>: > I'm reviewing some things. > > When I'm using a loadbalancer, which I prefer in this setup I need to > have the same certificates on both servers. Maybe a wildcard for my > domain could do instead of having only both fqdn's of the servers > including the loadbalancer's fqdn. > > But the question remains, how? > > > > 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi....@gmail.com>: >> Hi, >> >> I will balance with IP persistance so I think there won't be any >> mixing as long as that "used" server is online. >> >> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <d...@redhat.com>: >>> On 03/06/2015 11:05 AM, Matt . wrote: >>>> >>>> OK, understood. >>>> >>>> But when a webservice does execute a command (from scripting) to a SVR >>>> record and the first is not reacable, would it try to do it again or >>>> will handle DNS this in front of it ? >>>> >>>> I do a kinit against an IPA server using a keytab after I first >>>> checked if the user was able to auth himself using his ldap >>>> credentials, if so, this kinit exec is fired and I do some CURL stuff >>>> to the IPA server. >>>> >>>> That's why I wanted a loadbalancer, the loadbalancer sees if a server >>>> is down and doesn't even try to direct any of the commands to it... >>>> I'm not sure if the SRV will handle this well when doing these command >>>> from PHP for an example. Building in extra checks in front could be >>>> done but it not ideal as a loadbalancer can handle such things much >>>> better. >>> >>> >>> OK, this makes things much more clear. Thanks for the explanation. >>> Rob. What is our failover logic for API? >>> >>> For CLI we use a negotiation and then we store a cookie so as long as the >>> whole conversation goes to the same server you should be fine. I do not >>> think you need to re-encrypt the traffic at load balancer and thus have a >>> cert there then if you can enforce the use of the same server in this case. >>> >>> The issue I anticipate is with Kerberos. I think you should not load balance >>> the Kerberos traffic, only the API commands starting with the negotiation. >>> >>> Rob does that make sense for you? >>> >>> >>>> >>>> Thanks! >>>> >>>> Cheers, >>>> >>>> Matt >>>> >>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <d...@redhat.com>: >>>>> >>>>> On 03/06/2015 10:24 AM, Matt . wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, >>>>>> SRV won't fit here sorry to say. >>>>>> >>>>>> I auth users, so their keytab should be the same between two masters I >>>>>> believe ? >>>>> >>>>> >>>>> Each entity in Kerberos exchange has its own identity and key. >>>>> If you send a ticket that is destined to service A instead to service B >>>>> it >>>>> would not work unless they share the same keys and identity. Sharinf same >>>>> keys and identities between the servers just would not work with IPA. >>>>> Keep in mind that IPA clients and server need to work and fail over if >>>>> you >>>>> do not have any load balancers and this is the common case. You are >>>>> trying >>>>> to add one where it is really not needed creating overhead for yourself. >>>>> >>>>> >>>>> >>>>>> In that case... I need to add the altnames to the certs, but I'm not >>>>>> 100% there in step 6 >>>>>> >>>>>> Thanks again! >>>>>> >>>>>> Cheers, >>>>>> >>>>>> Matthijs >>>>>> >>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >>>>>>> >>>>>>> On 6.3.2015 15:39, Matt . wrote: >>>>>>>> >>>>>>>> I have 2 IPA servers where I kinit to and post to the api using >>>>>>>> curl/json. >>>>>>> >>>>>>> If we are talking purely about scripting, you can use IPA Python API. >>>>>>> It >>>>>>> will >>>>>>> handle fail over for you even without any load balancer. That would be >>>>>>> easiest >>>>>>> way. >>>>>>> >>>>>>>> As I need redundancy and don't want to have it script managed, but one >>>>>>>> central point where I can tal to I use a loadbalancer. >>>>>>> >>>>>>> Well, if you can control clients then the easiest and most universal >>>>>>> way >>>>>>> is to >>>>>>> use DNS SRV records and add failover logic to clients. That solution >>>>>>> works >>>>>>> even when servers are geographically distributed/in different networks >>>>>>> and >>>>>>> does not have single point of failure (the load balancer). >>>>>>> >>>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known >>>>>>>> on the IPA server because this is needed for the http service >>>>>>>> principals I need to add the loadbalancer hostname to my IPA server >>>>>>>> and make it as an ALT name to it's Certificate. >>>>>>>> >>>>>>>> As the users are the same on both servers I would asume i can use a >>>>>>>> keytab for a user against both servers from my clients. >>>>>>> >>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on >>>>>>> IPA >>>>>>> server have their own keytabs too. Every service on every server has >>>>>>> own >>>>>>> keytab with different key. >>>>>>> >>>>>>> You need to talk with Simo or some other Kerberos guru about >>>>>>> possibility >>>>>>> of >>>>>>> sharing keytabs between IPA services. >>>>>>> >>>>>>>> Does this make it more clear ? >>>>>>> >>>>>>> I'm still not sure if you want to have human users too or just API >>>>>>> clients. >>>>>>> >>>>>>> Petr^2 Spacek >>>>>>> >>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >>>>>>>>> >>>>>>>>> On 6.3.2015 15:13, Matt . wrote: >>>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> But as the user is the same, I could use the same keytab for each >>>>>>>>>> ipa >>>>>>>>>> server ? >>>>>>>>>> >>>>>>>>>> I need to use the API indeed, so need to issue the http service. >>>>>>>>>> >>>>>>>>>> Any other options ? >>>>>>>>> >>>>>>>>> I do not really understand your use case. Could you describe it in >>>>>>>>> detail, please? >>>>>>>>> >>>>>>>>> Petr^2 Spacek >>>>>>>>> >>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >>>>>>>>>>> >>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote: >>>>>>>>>>>> >>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I >>>>>>>>>>>> can >>>>>>>>>>>> use a loadbalancer in front of my ipa servers. >>>>>>>>>>> >>>>>>>>>>> Are you talking about FreeIPA web interface? It is technically >>>>>>>>>>> possible to use >>>>>>>>>>> load-balancer but it will be really hacky. You would have to solve >>>>>>>>>>> certificates and also distribute shared keytabs and so on. >>>>>>>>>>> >>>>>>>>>>> I would recommend you to use "something" which issues HTTP redirect >>>>>>>>>>> to ipa >>>>>>>>>>> server 1/2/3/4/5 according to current state instead of using >>>>>>>>>>> classical load >>>>>>>>>>> balancer on the network level. Normal HTTP redirect will not force >>>>>>>>>>> you to mess >>>>>>>>>>> with certs and keytabs. >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Petr^2 Spacek >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Petr Spacek @ Red Hat >>>>> >>>>> >>>>> >>>>> -- >>>>> Thank you, >>>>> Dmitri Pal >>>>> >>>>> Sr. Engineering Manager IdM portfolio >>>>> Red Hat, Inc. >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project