On 04/05/2015 11:55 AM, Simo Sorce wrote:
I wrote a blog post to clarify a little bit how load balancers and
Kerberos interact: https://ssimo.org/blog/id_019.html


Nice article!
Thanks for clarifying it.

However the proxy case has also another option that is not mentioned.
Proxy can terminate the connection but can use s4u2proxy to connect to real servers. Of cause this would mean that LB can impersonate anyone (which is definitely not good) but most of the solutions in the list except for aliasing have significant security implications so it might make sense to mention this one too.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to