Hi Petr,

We discussed that before indeed, but SRV is not usable in this case.

My clients are just webservers (apache) doing some executes of CURL
commands to ipa/json, actually the same commands as the webgui does
using json, but we curl it.

Do you have a better view now ?



2015-03-31 15:03 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> On 31.3.2015 14:35, Matt . wrote:
>> Hi Petr,
>> As this is not my topic it's for me quite "simple".
>> I need to post to /ipa/json through a loadbalancer, nothing more.
>> i have
>> ldap-01.domain.tld (ipa1)
>> ldap-01.domain.tld (ipa2)
>> and my loadbalancer is ldap.domain.tld
>> ldap requests over a loadbalancer are quite simple and working, but
>> the json part is more difficult because of the ticket and the dns
>> name. I have added a san ldap.domain.tld to the webgui and there is a
>> http/ldap.domain.tld service on the ipa server.
>> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to
>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>> Is this enough information for you ?
> Well, I still do not understand the use case. What are your clients? Are you
> using 'ipa' command to do something? Or some other clients?
> Usually the best thing is to use DNS SRV records because it works even with
> geographically distributed clusters and does not have single point of failure
> (the load balancer).
> This requires clients with support for DNS SRV but if your machines are using
> SSSD then you do not need to change anything and it should just work.
> That is why I'm asking for the use case :-)
> Petr^2 Spacek
>> 2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>> On 31.3.2015 14:02, Matt . wrote:
>>>> HI Phasant,
>>>> Check my mailings about it, it's not easy at least the kerberos part
>>>> not, SRV records are used for that normally.
>>>> Are you talking about the webgui or the ldap part ?
>>> I would recommend you to step back and describe use-case you have in mind. 
>>> It
>>> is important for us to understand to your use-case to propose optimal 
>>> solution.
>>> Petr^2 Spacek
>>>> Cheers,
>>>> Matt
>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
>>>>> Hi,
>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>>> balancer, specifically Amazon ELB.
>>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks 
>>>>> like
>>>>> there is more to it than just this file.
>>>>> Any suggestions ?
>>>>> Thanks.
>>>>> --Prashant

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to