On 04/05/2015 11:55 AM, Simo Sorce wrote:
I wrote a blog post to clarify a little bit how load balancers and
Kerberos interact: https://ssimo.org/blog/id_019.html
Thanks for clarifying it.
However the proxy case has also another option that is not mentioned.
Proxy can terminate the connection but can use s4u2proxy to connect to
real servers. Of cause this would mean that LB can impersonate anyone
(which is definitely not good) but most of the solutions in the list
except for aliasing have significant security implications so it might
make sense to mention this one too.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project