Hi Petr,

We discussed that before indeed, but SRV is not usable in this case.

My clients are just webservers (apache) doing some executes of CURL
commands to ipa/json, actually the same commands as the webgui does
using json, but we curl it.

Do you have a better view now ?

Cheers,

Matt


2015-03-31 15:03 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> On 31.3.2015 14:35, Matt . wrote:
>> Hi Petr,
>>
>> As this is not my topic it's for me quite "simple".
>>
>> I need to post to /ipa/json through a loadbalancer, nothing more.
>>
>> I have
>>
>> ldap-01.domain.tld (ipa1)
>> ldap-01.domain.tld (ipa2)
>>
>> and my loadbalancer is ldap.domain.tld
>>
>> ldap requests over a loadbalancer are quite simple and working, but
>> the json part is more difficult because of the ticket and the dns
>> name. I have added a san ldap.domain.tld to the webgui and there is a
>> http/ldap.domain.tld service on the ipa server.
>>
>> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to
>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>>
>> Is this enough information for you ?
>
> Well, I still do not understand the use case. What are your clients? Are you
> using 'ipa' command to do something? Or some other clients?
>
> Usually the best thing is to use DNS SRV records because it works even with
> geographically distributed clusters and does not have single point of failure
> (the load balancer).
>
> This requires clients with support for DNS SRV but if your machines are using
> SSSD then you do not need to change anything and it should just work.
>
> That is why I'm asking for the use case :-)
>
> Petr^2 Spacek
>
>> 2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>> On 31.3.2015 14:02, Matt . wrote:
>>>> Hi Prashant,
>>>>
>>>> Check my mailings about it, it's not easy at least the kerberos part
>>>> not, SRV records are used for that normally.
>>>>
>>>> Are you talking about the webgui or the ldap part ?
>>>
>>> I would recommend you to step back and describe the use-case you have in mind.
>>> It is important for us to understand your use-case to propose an optimal
>>> solution.
>>>
>>> Petr^2 Spacek
>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
>>>>> Hi,
>>>>>
>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>>> balancer, specifically Amazon ELB.
>>>>>
>>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like
>>>>> there is more to it than just this file.
>>>>>
>>>>> Any suggestions ?
>>>>>
>>>>> Thanks.
>>>>> --Prashant
