On 03/31/2015 10:38 AM, Matt . wrote:
True, but we have an extra layer in between which makes the CLI command
unusable (at least for the moment).

I already know how to share the keys among all servers; that works
fine. IPA/Apache/Kerberos just doesn't like the other hostname
(load balancer), or the client doesn't understand it.

So fixing this saves me much more time than doing it another way.

Kerberos is not load balancer friendly. It is a known property of Kerberos. I remember MIT mentioning something that they did or might do to help with that, so it might make sense to ask this question on the MIT Kerberos user list.


Thanks!

Matt

2015-03-31 16:24 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
On 31.3.2015 16:10, Matt . wrote:
HI Petr,

We had a several of reasons why we did that. We wanted to use one
language for that, and also have formatted returns. There was also
some security issue which came up.
I would be very interested in the security reason. If you see any problem with
'ipa' command or FreeIPA API please send me a private e-mail or contact
secal...@redhat.com directly.

I could ask you, why does IPA use JSON itself? If you see what it posts
and what it gets back as a result it makes things much clearer in
development.
I do not understand the question, sorry.

If you want to see what 'ipa' command does run it with '-vv' parameter:
$ ipa -vv user-find

It will print JSON request and reply:
ipa: INFO: Request: {
     "id": 0,
     "method": "user_find",
     "params": [
         [
             null
         ],
         {
             "all": false,
             "no_members": false,
             "pkey_only": false,
             "raw": false,
             "version": "2.115",
             "whoami": false
         }
     ]
}
ipa: INFO: Response: {
     "error": null,
     "id": 0,
     "principal": "admin@IPA.EXAMPLE",
     "result": {
         "count": 2,
         "result": [
             {
                 "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
                 "gidnumber": [
                     "1381000000"
                 ],
...


HTTP load balancing is not difficult at all; as we post to the
webserver I only need to get that part's auth right. We do more very
specific load balancing stuff and this is the easiest one as it's
only a webserver forward, but IPA/Kerberos has an issue with the
principal it seems... it cannot be hard to make that accepted, I would
say.
If you insist on Kerberos servers behind a load balancer... you will need to
somehow share the Kerberos key among all servers. I will defer that to
Kerberos experts here.

I'm still looking for solutions :)
Sure, but you will save a lot of time and nerves if you simply call 'ipa'
command :-)

Have a nice day!

Petr^2 Spacek

Cheers,

Matt

2015-03-31 15:58 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
On 31.3.2015 15:23, Matt . wrote:
Hi Petr,

We discussed that before indeed, but SRV is not usable in this case.

My clients are just webservers (Apache) executing some curl
commands against ipa/json, actually the same commands as the web GUI does
using JSON, but we curl it.

Do you have a better view now?
Yes. If you have seen the previous discussion then you know that it will be
pretty difficult to do this kind of load balancing.

Why are you not using the 'ipa' command or the Python API we have instead? Why use
curl and make things more complex?

Petr^2 Spacek

2015-03-31 15:03 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
On 31.3.2015 14:35, Matt . wrote:
Hi Petr,

As this is not my topic it's for me quite "simple".

I need to post to /ipa/json through a loadbalancer, nothing more.

I have

ldap-01.domain.tld (ipa1)
ldap-01.domain.tld (ipa2)

and my loadbalancer is ldap.domain.tld

LDAP requests over a load balancer are quite simple and working, but
the JSON part is more difficult because of the ticket and the DNS
name. I have added a SAN ldap.domain.tld to the web GUI and there is an
HTTP/ldap.domain.tld service on the IPA server.

I get an invalid Kerberos ticket when I go through ldap.domain.tld to
ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
after it failed, my ticket is OK for ldap-01.domain.tld and works.

Is this enough information for you?
Well, I still do not understand the use case. What are your clients? Are you
using 'ipa' command to do something? Or some other clients?

Usually the best thing is to use DNS SRV records because it works even with
geographically distributed clusters and does not have a single point of failure
(the load balancer).

This requires clients with support for DNS SRV but if your machines are using
SSSD then you do not need to change anything and it should just work.

That is why I'm asking for the use case :-)

Petr^2 Spacek

2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
On 31.3.2015 14:02, Matt . wrote:
Hi Prashant,

Check my mailings about it; it's not easy, at least not the Kerberos part.
SRV records are normally used for that.

Are you talking about the web GUI or the LDAP part?
I would recommend you to step back and describe the use case you have in mind. It
is important for us to understand your use case to propose an optimal solution.

Petr^2 Spacek

Cheers,

Matt

2015-03-31 13:56 GMT+02:00 Prashant Bapat <prash...@apigee.com>:
Hi,

I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
balancer, specifically Amazon ELB.

I started with editing /etc/httpd/conf.d/ipa-rewrite.conf but it looks like
there is more to it than just this file.

Any suggestions?

Thanks.
--Prashant


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
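The thread turns on two things: the shape of the JSON-RPC request that 'ipa -vv' prints, and the fact that a GSSAPI/SPNEGO client asks the KDC for a ticket for HTTP/<host-in-the-URL>@REALM, so a call sent to the load balancer name needs a service key that the backend actually holds. The following is an added example written for this page (not code from the thread, from Matt's scripts, or from the FreeIPA project) showing a minimal client that builds requests in that shape, validates replies, and makes the expected service principal explicit. The hostnames, the realm IPA.EXAMPLE, the API version 2.115 and the admin entry are taken from the messages above; the second user entry, the fake transport, its error reply and the spnego_post helper (which assumes the requests and requests-gssapi packages and the client CA at /etc/ipa/ca.crt) are assumptions made for the example.

```python
# Added example, not FreeIPA's own client code.  The HTTP transport is
# injectable so the request/response handling can be exercised offline;
# a real SPNEGO transport is sketched at the end.
import json

IPA_API_VERSION = "2.115"      # value seen in the thread's ipa -vv output
SAMPLE_REALM = "IPA.EXAMPLE"   # realm from the thread's sample response


class IPAError(Exception):
    """Transport error, malformed reply, or API-level error from the server."""


def build_request(method, args=(), options=None, request_id=0,
                  version=IPA_API_VERSION):
    """Build a FreeIPA JSON-RPC request: params is [positional, keyword].

    'ipa user-find' sends [[null], {...}]; a None arg means no search term.
    The API version is always sent so the server can refuse a client written
    against an incompatible schema instead of silently reinterpreting it.
    """
    opts = dict(options or {})
    opts.setdefault("version", version)
    return {"id": request_id, "method": method, "params": [list(args), opts]}


def parse_response(body, expected_id):
    """Validate a JSON-RPC reply and return its 'result' member.

    The id check matters once requests travel through proxies or are
    pipelined: a reply must be matched to the request it answers.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise IPAError(f"reply is not JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise IPAError("reply is not a JSON object")
    if doc.get("id") != expected_id:
        raise IPAError(f"reply id {doc.get('id')!r} != request id {expected_id!r}")
    if doc.get("error") is not None:
        err = doc["error"]
        raise IPAError(f"server error {err.get('code')}: {err.get('message')}")
    if "result" not in doc:
        raise IPAError("reply has neither 'error' nor 'result'")
    return doc["result"]


def expected_service_principal(url_host, realm):
    """Service principal a GSSAPI/SPNEGO client requests a ticket for.

    It is derived from the host in the URL, not from whichever backend
    answers: https://ldap.domain.tld/ipa/json needs a ticket for
    HTTP/ldap.domain.tld@REALM, and the backend that receives it must hold
    that principal's key, otherwise the ticket is rejected (the symptom in
    the thread).
    """
    return f"HTTP/{url_host.lower()}@{realm}"


def call_json_rpc(server, method, args, options, post, request_id=0):
    """POST one request to https://<server>/ipa/json through 'post'.

    post(url, body, headers) -> (status_code, response_text).  FreeIPA rejects
    API calls without a Referer header (a CSRF defence), so it is always set.
    """
    url = f"https://{server}/ipa/json"
    req = build_request(method, args, options, request_id)
    headers = {"Content-Type": "application/json",
               "Accept": "application/json",
               "Referer": f"https://{server}/ipa"}
    status, text = post(url, json.dumps(req), headers)
    if status != 200:
        raise IPAError(f"HTTP {status} from {url}")
    return parse_response(text, request_id)


# Constructed sample reply: the admin entry is from the thread, the second
# entry is made up so that the count of 2 is consistent.
SAMPLE_REPLY = json.dumps({
    "error": None, "id": 0, "principal": f"admin@{SAMPLE_REALM}",
    "result": {"count": 2, "result": [
        {"dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
         "gidnumber": ["1381000000"]},
        {"dn": "uid=alice,cn=users,cn=accounts,dc=ipa,dc=example",
         "gidnumber": ["1381000001"]}]},
})


def fake_post(url, body, headers):
    """Offline stand-in for the transport; error code/message are constructed."""
    assert url.endswith("/ipa/json") and headers["Referer"].startswith("https://")
    req = json.loads(body)
    if req["method"] != "user_find":
        return 200, json.dumps({"error": {"code": 1, "message": "unknown command"},
                                "id": req["id"], "result": None})
    return 200, SAMPLE_REPLY


def spnego_post(url, body, headers):
    """Real transport (assumes requests + requests-gssapi and a valid TGT)."""
    import requests
    from requests_gssapi import HTTPSPNEGOAuth, REQUIRED
    resp = requests.post(url, data=body, headers=headers,
                         auth=HTTPSPNEGOAuth(mutual_authentication=REQUIRED),
                         verify="/etc/ipa/ca.crt")  # assumed client CA path
    return resp.status_code, resp.text


if __name__ == "__main__":
    res = call_json_rpc("ldap-01.domain.tld", "user_find", [None],
                        {"all": False}, fake_post)
    print([e["dn"] for e in res["result"]])
    print(expected_service_principal("ldap.domain.tld", SAMPLE_REALM))
```

To go through the load balancer with spnego_post, the key for HTTP/ldap.domain.tld must be present in the HTTP keytab of every backend that can receive the request, which is the "share the Kerberos key among all servers" step the thread defers to Kerberos experts.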
