On 31.3.2015 16:10, Matt . wrote:
> Hi Petr,
> We had several reasons why we did that. We wanted to use one
> language for that, and also have formatted returns. There was also
> some security issue which came up.

I would be very interested in the security reason. If you see any problem with
'ipa' command or FreeIPA API please send me a private e-mail or contact
secal...@redhat.com directly.

> I could ask you, why does IPA json itself ? if you see what it posts
> and what it gets back as result it makes it much more clear in
> development.

I do not understand the question, sorry.

If you want to see what 'ipa' command does run it with '-vv' parameter:
$ ipa -vv user-find

It will print JSON request and reply:
ipa: INFO: Request: {
    "id": 0,
    "method": "user_find",
    "params": [
            "all": false,
            "no_members": false,
            "pkey_only": false,
            "raw": false,
            "version": "2.115",
            "whoami": false
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.EXAMPLE",
    "result": {
        "count": 2,
        "result": [
                "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
                "gidnumber": [

> HTTP loadbalancing is not difficult at all, as we post to the
> webserver I need to have that part only auth right. We do more very
> specific loadbalancing stuff and this is the most easy one as it's
> only webserver forward, but IPA/Kerberos has an issue with the
> principal it seems... it cannot be hard to make that accepted I would
> say.

If you insist on Kerberos servers behind a load balancer... you will need to
somehow share the Kerberos key among all servers. I will defer that to
Kerberos experts here.

> I'm still looking for solutions :)

Sure, but you will save a lot of time and nerves if you simply call 'ipa'
command :-)

Have a nice day!

Petr^2 Spacek

> Cheers,
> Matt
> 2015-03-31 15:58 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>> On 31.3.2015 15:23, Matt . wrote:
>>> Hi Petr,
>>> We discussed that before indeed, but SRV is not usable in this case.
>>> My clients are just webservers (apache) doing some executes of CURL
>>> commands to ipa/json, actually the same commands as the webgui does
>>> using json, but we curl it.
>>> Do you have a better view now ?
>> Yes. If you have seen the previous discussion then you know that it will be
>> pretty difficult to do this kind of load balancing.
>> Why are you not using 'ipa' command or Python API we have instead? Why use
>> CURL and make things more complex?
>> Petr^2 Spacek
>>> 2015-03-31 15:03 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>>> On 31.3.2015 14:35, Matt . wrote:
>>>>> Hi Petr,
>>>>> As this is not my topic it's for me quite "simple".
>>>>> I need to post to /ipa/json through a loadbalancer, nothing more.
>>>>> I have
>>>>> ldap-01.domain.tld (ipa1)
>>>>> ldap-01.domain.tld (ipa2)
>>>>> and my loadbalancer is ldap.domain.tld
>>>>> ldap requests over a loadbalancer are quite simple and working, but
>>>>> the json part is more difficult because of the ticket and the dns
>>>>> name. I have added a san ldap.domain.tld to the webgui and there is a
>>>>> http/ldap.domain.tld service on the ipa server.
>>>>> I get a nonvalid kerberos ticket when I go through ldap.domain.tld to
>>>>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>>>>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>>> Is this enough information for you ?
>>>> Well, I still do not understand the use case. What are your clients? Are you
>>>> using 'ipa' command to do something? Or some other clients?
>>>> Usually the best thing is to use DNS SRV records because it works even with
>>>> geographically distributed clusters and does not have single point of failure
>>>> (the load balancer).
>>>> This requires clients with support for DNS SRV but if your machines are using
>>>> SSSD then you do not need to change anything and it should just work.
>>>> That is why I'm asking for the use case :-)
>>>> Petr^2 Spacek
>>>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>>>>> On 31.3.2015 14:02, Matt . wrote:
>>>>>>> Hi Prashant,
>>>>>>> Check my mailings about it, it's not easy at least the kerberos part
>>>>>>> not, SRV records are used for that normally.
>>>>>>> Are you talking about the webgui or the ldap part ?
>>>>>> I would recommend you to step back and describe use-case you have in mind. It
>>>>>> is important for us to understand to your use-case to propose optimal solution.
>>>>>> Petr^2 Spacek
>>>>>>> Cheers,
>>>>>>> Matt
>>>>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
>>>>>>>> Hi,
>>>>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>>>>>> balancer, specifically Amazon ELB.
>>>>>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks like
>>>>>>>> there is more to it than just this file.
>>>>>>>> Any suggestions ?
>>>>>>>> Thanks.
>>>>>>>> --Prashant

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
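The thread keeps returning to what a client must POST to /ipa/json, and the `ipa -vv` output above shows the request and reply shape only in truncated form. The following is an added example, not code from the thread or from the FreeIPA project: a small Python helper that builds the JSON-RPC body in the shape `ipa -vv` prints and validates a reply before trusting its `result`. It assumes (not fully visible in the truncated output) that `params` is a two-element array of positional arguments followed by an options object, and the sample reply is constructed from the fields shown above; the second user entry is made up.

```python
import json

# Constructed sample: the API version string that appears in the
# `ipa -vv user-find` output quoted in the thread.
API_VERSION = "2.115"


def build_request(method, args=None, options=None, request_id=0, version=API_VERSION):
    """Build the JSON-RPC body a client POSTs to /ipa/json.

    Assumption (the page's output is truncated here): FreeIPA's "params"
    member is [positional_args, options], with "version" inside options.
    """
    opts = dict(options or {})
    opts.setdefault("version", version)
    return {
        "id": request_id,
        "method": method,
        "params": [list(args or []), opts],
    }


def parse_response(body, request_id=0):
    """Validate a /ipa/json reply and return its 'result' member.

    A client that blindly reads 'result' from a reply can be fooled by a
    mismatched id or by an error object; check both before using the data.
    """
    reply = json.loads(body)
    if reply.get("id") != request_id:
        raise ValueError("reply id %r does not match request id %r"
                         % (reply.get("id"), request_id))
    if reply.get("error") is not None:
        # FreeIPA reports failures as a non-null 'error' object, not via HTTP status.
        raise RuntimeError("IPA error: %r" % (reply["error"],))
    if "result" not in reply:
        raise ValueError("reply carries neither 'error' nor 'result'")
    return reply["result"]


def user_dns(body, request_id=0):
    """Extract the DN of every entry from a user_find reply."""
    result = parse_response(body, request_id)
    return [entry["dn"] for entry in result["result"]]


# Constructed reply modelled on the truncated response shown above;
# the second entry (uid=alice) is invented for the example.
SAMPLE_REPLY = json.dumps({
    "error": None,
    "id": 0,
    "principal": "admin@IPA.EXAMPLE",
    "result": {
        "count": 2,
        "result": [
            {"dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example"},
            {"dn": "uid=alice,cn=users,cn=accounts,dc=ipa,dc=example"},
        ],
    },
})

# Constructed error reply, to show the failure path.
SAMPLE_ERROR_REPLY = json.dumps({
    "error": {"code": 4001, "message": "user not found", "name": "NotFound"},
    "id": 0,
    "principal": "admin@IPA.EXAMPLE",
    "result": None,
})


if __name__ == "__main__":
    print(json.dumps(build_request("user_find", options={"all": False}), indent=4))
    print(user_dns(SAMPLE_REPLY))
```

The helper only covers the body; a real request to /ipa/json is also authenticated (Kerberos/Negotiate or an IPA session cookie), which is exactly the part that breaks behind a load balancer in this thread, because the ticket the client obtains for the balancer's name is not the service principal the backend server expects. The `id` check matters when a client multiplexes requests over one connection; the `error` check matters because FreeIPA signals application failures inside the JSON rather than through the HTTP status code.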