Hey folks,

I just recently began planning the deployment of FreeIPA and have
successfully made several test setups.  Next step would be to integrate
this in our new datacenter; so we are starting there from scratch.

I understand HA on the server side. What boggles my head is HA on the
*client* side.

For example: Our pfsenses use a LDAP lookup against a single FQDN, and
the cert must be valid (against any provided CA). Exporting the CA from
freeIPA and importing that in pfsense is a cake.

But what do I point the clients towards? Let's say I have 4 FreeIPA servers:

- ipa01.auth.dc-01.company.com
- ipa02.auth.dc-01.company.com
- ipa03.auth.dc-01.company.com
- ipa04.auth.dc-01.company.com

Realm company.com, Kerberos COMPANY.COM. If I point the pfsense (I'll
stick to that as an example) against ipa01.auth.dc-01.company.com and
this server is offline, then no HA is given. DNS Delegation might yield
*any* of the four servers, including the one offline, so a 25% fault
chance in there.

Second question, same area: If I want my users to have one single URL
for the FreeIPA webservice, like auth.company.com that follows the above
solution, then the self-signed and generated certs do not have this as
altname.


So summed up:

 - How can I make (LDAP) clients access the current online server(s)?
 - How can I provide access to the web interface on the current online
server(s)?


(Or is this simply by the magic of dns zone delegation and pure faith
that always an online server will be hit?)

Thanks for any advice!
-Christian.

-- 
 Christian Reiss - em...@christian-reiss.de         /"\  ASCII Ribbon
                   supp...@alpha-labs.net           \ /    Campaign
                                                     X   against HTML
 WEB alpha-labs.net                                 / \   in eMails

 GPG Retrieval https://gpg.christian-reiss.de
 GPG ID ABCD43C5, 0x44E29126ABCD43C5
 GPG fingerprint = 9549 F537 2596 86BA 733C  A4ED 44E2 9126 ABCD 43C5

 "It's better to reign in hell than to serve in heaven.",
                                          John Milton, Paradise lost.
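As an added illustration of the client-side failover the post asks about (example code, not from the original message or the FreeIPA project): a client that reads the SRV records a FreeIPA domain publishes, orders them the RFC 2782 way, and connects to the first server that completes a TLS handshake against the exported IPA CA. The SRV records, the LDAPS port 636 and the CA file path are constructed assumptions; the probe is injectable so the selection logic runs offline.

```python
import random
import socket
import ssl

# Constructed sample: what an SRV lookup for the four servers in the post
# might return, as (priority, weight, port, target). Port 636 is assumed
# because the probe below does a TLS handshake (LDAPS), not STARTTLS.
SAMPLE_SRV = [
    (0, 100, 636, "ipa01.auth.dc-01.company.com"),
    (0, 100, 636, "ipa02.auth.dc-01.company.com"),
    (0, 100, 636, "ipa03.auth.dc-01.company.com"),
    (0, 100, 636, "ipa04.auth.dc-01.company.com"),
]


def order_srv_targets(records, rng=random):
    """Return [(host, port), ...]: lowest priority first; within one
    priority, weighted random order as RFC 2782 prescribes."""
    by_prio = {}
    for prio, weight, port, target in records:
        by_prio.setdefault(prio, []).append((weight, port, target))
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:  # repeatedly draw one entry, weighted, until pool is empty
            total = sum(w for w, _, _ in pool)
            pick = rng.randint(0, total) if total else 0
            acc = 0
            for i, (w, port, target) in enumerate(pool):
                acc += w
                if acc >= pick:
                    ordered.append((target, port))
                    del pool[i]
                    break
    return ordered


def ldaps_probe(host, port, cafile="/path/to/ipa-ca.crt", timeout=3.0):
    """Real probe: True only if a TLS handshake verified against the exported
    IPA CA succeeds, i.e. the server is up and presents a trusted cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def first_reachable(targets, probe=ldaps_probe):
    """Walk the ordered targets; return the first (host, port) the probe
    accepts, or None when every server is down."""
    for host, port in targets:
        if probe(host, port):
            return (host, port)
    return None
```

Because the list is walked in order, one offline server costs a timeout rather than a failed lookup; a client that only ever resolves a single A record has no such second chance.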
