Hey folks, I just recently began planning the deployment of FreeIPA and have successfully made several test setups. The next step would be to integrate this into our new datacenter, so we are starting there from scratch.

I understand HA on the server side. What boggles my head is HA on the *client* side. For example: our pfSenses use an LDAP lookup against a single FQDN, and the cert must be valid (against any provided CA). Exporting the CA from FreeIPA and importing it into pfSense is a piece of cake. But what do I point the clients towards?

Let's say I have 4 FreeIPA servers:
- ipa01.auth.dc-01.company.com
- ipa02.auth.dc-01.company.com
- ipa03.auth.dc-01.company.com
- ipa04.auth.dc-01.company.com

Realm company.com, Kerberos COMPANY.COM.

If I point the pfSense (I'll stick to that as an example) at ipa01.auth.dc-01.company.com and this server is offline, then there is no HA. DNS delegation might yield *any* of the four servers, including the one that is offline, so there is a 25% fault chance in there.

Second question, same area: if I want my users to have one single URL for the FreeIPA web service, like auth.company.com, that follows the above solution, then the self-signed and generated certs do not have this as an altname.

So, summed up:
- How can I make (LDAP) clients access the current online server(s)?
- How can I provide access to the web interface on the current online server(s)?

(Or is this simply by the magic of DNS zone delegation and pure faith that an online server will always be hit?)

Thanks for any advice!
-Christian.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
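The "25% fault chance" in the question assumes a client that resolves one name, gets one address and gives up if that host is down. An SRV-aware client behaves differently: it fetches all `_ldap._tcp.<domain>` records (FreeIPA's integrated DNS publishes these for every replica), orders them by priority and weight as RFC 2782 describes, and walks the list until one server answers, so a single offline replica costs one failed probe, not a failed login. The following is an added example written for this thread, not code from the original post or from the FreeIPA project. The SRV records are constructed to match the four hostnames above; the DNS lookup and the connection probe are injectable so the failover logic runs offline, and `tcp_probe` is a minimal real probe a client could use against actual servers.

```python
"""Client-side failover across FreeIPA replicas using SRV records (RFC 2782).

Added example for the FreeIPA-users thread above; not from the post or the
FreeIPA project. Models what an SRV-aware LDAP client does: order the
_ldap._tcp targets by priority, then weighted-random within a priority, and
try each until one is reachable.
"""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample: the four replicas from the question, equal priority and
# weight, as FreeIPA's DNS would publish them under _ldap._tcp.company.com.
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "ipa01.auth.dc-01.company.com"),
    SrvRecord(0, 100, 389, "ipa02.auth.dc-01.company.com"),
    SrvRecord(0, 100, 389, "ipa03.auth.dc-01.company.com"),
    SrvRecord(0, 100, 389, "ipa04.auth.dc-01.company.com"),
]


def order_srv(records: Iterable[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order targets per RFC 2782 section 'Usage rules'.

    Lowest priority first. Within one priority, repeatedly draw a number in
    [0, sum(weights)] and take the first record whose running weight sum
    reaches it, so heavier replicas are tried first more often while every
    replica still ends up in the list.
    """
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total > 0 else 0
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: true if a TCP connection to host:port succeeds within timeout.
    Not used by the offline test; shown as the probe a client would plug in."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_with_failover(records: Iterable[SrvRecord],
                          probe: Callable[[str, int], bool],
                          rng: Optional[random.Random] = None) -> str:
    """Return an ldap:// URI for the first reachable replica in SRV order.

    Every target is attempted before giving up, which is what removes the
    single-lookup failure the question describes. Raises ConnectionError when
    no replica answers, so the caller can distinguish 'all down' from a bad
    record set.
    """
    tried = []
    for rec in order_srv(records, rng):
        if probe(rec.target, rec.port):
            return f"ldap://{rec.target}:{rec.port}"
        tried.append(rec.target)
    raise ConnectionError(f"no FreeIPA replica reachable; tried {tried}")


if __name__ == "__main__":
    # Offline demonstration with a constructed outage of ipa01.
    down = {"ipa01.auth.dc-01.company.com"}
    print(connect_with_failover(SAMPLE_SRV, lambda h, p: h not in down))
```

Clients that speak SRV (sssd, MIT Kerberos, the FreeIPA client itself) already do this; for a client that only takes a host list, `order_srv` gives the list to paste in, and a lower-priority record for a replica in another datacenter keeps it as a last resort rather than a quarter of all lookups.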