Re: [Freeipa-users] subjectAlternitiveName for webservice
Rob,

I just saw your message on IRC from a couple of hours ago... time difference ;)

Thanks,

Matt

2015-03-28 10:17 GMT+01:00 Matt . <yamakasi@gmail.com>:
> Rob,
>
> As I was responding a little bit late last night, the following came to mind.
>
> As you say I need to request my cert with two names, how do you mean? I'm
> using curl at the moment so figuring that out.
>
> As the same issue happens in the GUI itself I think this might be a problem.
> When I access ldap-01 directly it complains @ the services tab on some
> service hosts that are in there, and some not.
>
> I think this is not a simple PTR or A record fix, I'm curious how to do it.
>
> Cheers,
>
> Matt
>
> 2015-03-27 18:57 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>> Matt . wrote:
>>> I'm almost there but what happens when I regenerate a certificate for
>>> the ldap server I get the following when I visit it through the
>>> loadbalancer:
>>>
>>> no alternative certificate subject name matches target host name 'ldap-01.domain'
>>>
>>> I think this is strange as the certificate shows the ldap under the
>>> altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname but
>>> only on the certificate itself.
>>
>> It turns out that NSS implements cert checking very strictly following
>> RFC 2818 while OpenSSL is a bit more lax about it. The RFC states that
>> if there is a subjectAltName then only that is used to validate the
>> hostname. And in fact, it discourages using the subject at all and ONLY
>> relying on the subjectAltName, though it does recognize that it is
>> current practice (and was that way in 2000 as well).
>>
>> So you need to request your new cert with TWO names: the host name and
>> the alternate name. That should make the cert work anyway.
>>
>> rob
>>
>>> 2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>> Matt . wrote:
>>>>> Hi Rob,
>>>>>
>>>>> Yes something is wrong there I guess.
>>>>
>>>> In any case, it doesn't apply to what you're trying to do.
>>>>
>>>>> But still, I actually need to add a SAN to the webserver cert, which
>>>>> is different I think than the services at least. So the question
>>>>> there is... how ?
>>>>
>>>> What webserver cert? Are you trying to load balance the IPA services
>>>> via DNS?
>>>>
>>>> Not knowing what you want, I'm just answering what you are ASKING.
>>>> That is not the same as giving a proper answer. I have the feeling
>>>> you want to load balance IPA in general which isn't going to work
>>>> without a ton of (ongoing) manual effort. Even Microsoft recommends
>>>> against trying this in its AD environment:
>>>> http://support.microsoft.com/en-us/kb/325608
>>>>
>>>> In any case, the instructions I've already provided still apply.
>>>>
>>>> If you want to replace the Apache webserver cert you'll just need to
>>>> do a couple of things first which have the potential of completely
>>>> breaking IPA, so you'll need to be careful.
>>>>
>>>> Before you do anything, backup *.db in /etc/httpd/alias.
>>>>
>>>> Stop tracking the Apache cert in certmonger:
>>>>
>>>> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>>>>
>>>> Delete the existing cert:
>>>>
>>>> # certutil -D -d /etc/httpd/alias -n Server-Cert
>>>>
>>>> Like I said, destructive.
>>>>
>>>> Finally use certmonger to get a new cert that includes a SAN. The
>>>> syntax is slightly different than before, mostly because I'm just
>>>> guessing in the dark because you aren't including enough details into
>>>> what you're trying.
>>>>
>>>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>>>>
>>>> In this case the IPA server is ipa1.example.com and you're creating a
>>>> SAN for ipa.example.com.
>>>>
>>>> Restart httpd.
>>>>
>>>> Note that this doesn't solve the Kerberos problem so cli access will
>>>> still not work as expected. The UI _might_ work using forms-based
>>>> authentication.
>>>>
>>>> I'd strongly urge you to think about the top of this e-mail before
>>>> proceeding onto the bottom.
>>>>
>>>> rob
>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>>> Matt . wrote:
>>>>>>> When digging around I see this documentation:
>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>>>>>>
>>>>>>> I would expect that server.example.com is not going to be accepted
>>>>>>> by IPA when you visit the webgui like that ?
>>>>>>
>>>>>> These are SRV records for the ldap service. Think of it as discovery
>>>>>> for who provides ldap service in the domain. It isn't something used
>>>>>> by a web browser.
>>>>>>
>>>>>> I'm no DNS expert (by far) but this example looks a little wonky.
>>>>>> I'd think it should be example.com and not server.example.com. But
>>>>>> in any case it is irrelevant to a browser.
>>>>>>
>>>>>> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] subjectAlternitiveName for webservice
Rob,

As I was responding a little bit late last night, the following came to mind.

As you say I need to request my cert with two names, how do you mean? I'm
using curl at the moment so figuring that out.

As the same issue happens in the GUI itself I think this might be a problem.
When I access ldap-01 directly it complains @ the services tab on some
service hosts that are in there, and some not.

I think this is not a simple PTR or A record fix, I'm curious how to do it.

Cheers,

Matt

2015-03-27 18:57 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> I'm almost there but what happens when I regenerate a certificate for
>> the ldap server I get the following when I visit it through the
>> loadbalancer:
>>
>> no alternative certificate subject name matches target host name 'ldap-01.domain'
>>
>> I think this is strange as the certificate shows the ldap under the
>> altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname but
>> only on the certificate itself.
>
> It turns out that NSS implements cert checking very strictly following
> RFC 2818 while OpenSSL is a bit more lax about it. The RFC states that if
> there is a subjectAltName then only that is used to validate the hostname.
> And in fact, it discourages using the subject at all and ONLY relying on
> the subjectAltName, though it does recognize that it is current practice
> (and was that way in 2000 as well).
>
> So you need to request your new cert with TWO names: the host name and the
> alternate name. That should make the cert work anyway.
>
> rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
I'm almost there but what happens when I regenerate a certificate for the
ldap server I get the following when I visit it through the loadbalancer:

no alternative certificate subject name matches target host name 'ldap-01.domain'

I think this is strange as the certificate shows the ldap under the altnames
for HTTP/ldap-01 but there is indeed no ldap-01 as altname but only on the
certificate itself.

2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi Rob,
>>
>> Yes something is wrong there I guess.
>
> In any case, it doesn't apply to what you're trying to do.
>
>> But still, I actually need to add a SAN to the webserver cert, which is
>> different I think than the services at least. So the question there is...
>> how ?
>
> What webserver cert? Are you trying to load balance the IPA services via
> DNS?
>
> Not knowing what you want, I'm just answering what you are ASKING. That is
> not the same as giving a proper answer. I have the feeling you want to load
> balance IPA in general which isn't going to work without a ton of (ongoing)
> manual effort. Even Microsoft recommends against trying this in its AD
> environment: http://support.microsoft.com/en-us/kb/325608
>
> In any case, the instructions I've already provided still apply.
>
> If you want to replace the Apache webserver cert you'll just need to do a
> couple of things first which have the potential of completely breaking IPA,
> so you'll need to be careful.
>
> Before you do anything, backup *.db in /etc/httpd/alias.
>
> Stop tracking the Apache cert in certmonger:
>
> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>
> Delete the existing cert:
>
> # certutil -D -d /etc/httpd/alias -n Server-Cert
>
> Like I said, destructive.
>
> Finally use certmonger to get a new cert that includes a SAN. The syntax is
> slightly different than before, mostly because I'm just guessing in the dark
> because you aren't including enough details into what you're trying.
>
> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>
> In this case the IPA server is ipa1.example.com and you're creating a SAN
> for ipa.example.com.
>
> Restart httpd.
>
> Note that this doesn't solve the Kerberos problem so cli access will still
> not work as expected. The UI _might_ work using forms-based authentication.
>
> I'd strongly urge you to think about the top of this e-mail before
> proceeding onto the bottom.
>
> rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
Matt . wrote:
> I'm almost there but what happens when I regenerate a certificate for the
> ldap server I get the following when I visit it through the loadbalancer:
>
> no alternative certificate subject name matches target host name 'ldap-01.domain'
>
> I think this is strange as the certificate shows the ldap under the altnames
> for HTTP/ldap-01 but there is indeed no ldap-01 as altname but only on the
> certificate itself.

It turns out that NSS implements cert checking very strictly following
RFC 2818 while OpenSSL is a bit more lax about it. The RFC states that if
there is a subjectAltName then only that is used to validate the hostname.
And in fact, it discourages using the subject at all and ONLY relying on the
subjectAltName, though it does recognize that it is current practice (and was
that way in 2000 as well).

So you need to request your new cert with TWO names: the host name and the
alternate name. That should make the cert work anyway.

rob
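The matching rule Rob describes, as an added example that is not part of this thread or of FreeIPA: a stdlib-only Python checker that pulls the subject CN and the SAN dNSName entries out of `openssl x509 -text` output, then applies RFC 2818 name matching both strictly (SAN present means only the SAN counts, as the thread says NSS does) and leniently (falling back to the CN). The embedded openssl dump is constructed to mirror the situation in the thread, with CN=ldap-01.domain.tld and only ldap.domain.tld in the SAN, and `names_missing_from_san` lists which names still have to be requested with `-D`.

```python
"""RFC 2818-style hostname matching: strict (SAN only, the NSS behaviour) vs.
lenient (fall back to the subject CN). Added example, not FreeIPA code.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample of `openssl x509 -text` output: the situation from the
# thread, where the cert was requested with CN=ldap-01.domain.tld and a SAN
# only for the load balancer name ldap.domain.tld.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=DOMAIN.TLD, CN=Certificate Authority
        Subject: O=DOMAIN.TLD, CN=ldap-01.domain.tld
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ldap.domain.tld, othername:unsupported, othername:unsupported
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""


class CertNames(NamedTuple):
    common_name: Optional[str]
    san_dns: List[str]


def parse_x509_text(text: str) -> CertNames:
    """Extract the subject CN and the SAN dNSName entries from openssl's text dump."""
    cn = None
    san_dns: List[str] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            m = re.search(r"CN\s*=\s*([^,/]+)", stripped)
            if m:
                cn = m.group(1).strip()
        elif stripped.startswith("X509v3 Subject Alternative Name"):
            # openssl prints the SAN values on the following line. The
            # 'othername:unsupported' entries (the principal-name otherNames
            # certmonger adds) take no part in DNS hostname matching.
            if i + 1 < len(lines):
                for entry in lines[i + 1].split(","):
                    entry = entry.strip()
                    if entry.startswith("DNS:"):
                        san_dns.append(entry[len("DNS:"):].strip())
    return CertNames(cn, san_dns)


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name (RFC 2818 / RFC 6125 rules).

    Comparison is case-insensitive; a wildcard is only honoured as the whole
    leftmost label and only matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial-label or too-broad wildcards are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_hostname(cert: CertNames, host: str, strict: bool = True) -> bool:
    """strict=True is the RFC 2818 rule NSS applies: once a SAN is present,
    only its dNSName entries count and the subject CN is ignored.
    strict=False is the lenient behaviour that still falls back to the CN."""
    if any(dns_name_matches(name, host) for name in cert.san_dns):
        return True
    if cert.san_dns and strict:
        return False
    return cert.common_name is not None and dns_name_matches(cert.common_name, host)


def names_missing_from_san(cert: CertNames, served_names: List[str]) -> List[str]:
    """Names a strict validator will reject, i.e. the ones that still have to
    go into the SAN (each one as a -D argument to the certmonger request)."""
    return [n for n in served_names if not matches_hostname(cert, n, strict=True)]


if __name__ == "__main__":
    cert = parse_x509_text(SAMPLE_X509_TEXT)
    for name in ("ldap.domain.tld", "ldap-01.domain.tld"):
        print(name, "strict:", matches_hostname(cert, name),
              "lenient:", matches_hostname(cert, name, strict=False))
    print("still needed in SAN:",
          names_missing_from_san(cert, ["ldap-01.domain.tld", "ldap.domain.tld"]))
```

Run against a real dump (`openssl x509 -text -in cert.pem`), the strict result is the one a browser or the IPA web UI will give; the lenient result only tells you why a CN-only check happened to pass.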
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi Rob,

Thanks for the explanation. I understand your solution, I just thought that
was the dirty way :)

Thanks for your effort!

Cheers,

Matt

2015-03-27 18:57 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> I'm almost there but what happens when I regenerate a certificate for
>> the ldap server I get the following when I visit it through the
>> loadbalancer:
>>
>> no alternative certificate subject name matches target host name 'ldap-01.domain'
>>
>> I think this is strange as the certificate shows the ldap under the
>> altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname but
>> only on the certificate itself.
>
> It turns out that NSS implements cert checking very strictly following
> RFC 2818 while OpenSSL is a bit more lax about it. The RFC states that if
> there is a subjectAltName then only that is used to validate the hostname.
> And in fact, it discourages using the subject at all and ONLY relying on
> the subjectAltName, though it does recognize that it is current practice
> (and was that way in 2000 as well).
>
> So you need to request your new cert with TWO names: the host name and the
> alternate name. That should make the cert work anyway.
>
> rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
When digging around I see this documentation:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

I would expect that server.example.com is not going to be accepted by IPA when
you visit the webgui like that ?

2015-03-26 1:57 GMT+01:00 Matt . <yamakasi@gmail.com>:
> OK, quite clear but I think that is not going to help me, if you ask me, I
> might be wrong here as this is what I get:
>
> # wget https://ldap.mydomain.tld/ipa/json
> --2015-03-26 01:22:51-- https://ldap.mydomain.tld/ipa/json
> Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
> Connecting to ldap.mydomain.tld (ldap.mydomain.tld)|10.100.0.250|:443... connected.
> ERROR: cannot verify ldap.mydomain.tld's certificate, issued by '/O=MYDOMAIN.TLD/CN=Certificate Authority':
>   Self-signed certificate encountered.
> ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't match requested host name 'ldap.mydomain.tld'.
> To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.
>
> (I used the gui that actually worked quite OK following the docs, tried your
> version also but got stuck as I did it on the IPA server, need to recheck
> that)
>
> I think this happens because I use the ca.crt from /etc/ipa/ca.crt and the
> one I generated in the same file. I need to have them both in my curl
> certificate.
>
> I might be wrong here, but this is where I'm at.
>
> Thanks again for your patience.
>
> Matt
>
> 2015-03-20 15:39 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>> Matt . wrote:
>>> The right way to request a SAN, this seems to need some extra config
>>> file ?
>>
>> Like I said before, use certmonger, it makes life easier.
>>
>> I'll create a new host balancer.example.com with a HTTP service. I'll
>> generate a cert with a SAN for idp.example.com in that service. I'm
>> generating the cert on idp.example.com, hence the service-add-host bit.
>>
>> On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)
>>
>> # kinit admin
>> # ipa host-add balancer.example.com
>> # ipa service-add HTTP/balancer.example.com --force
>> # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
>> # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K HTTP/balancer.example.com -D idp.example.com
>> # getcert list -i id
>>
>> until it goes to MONITORING
>>
>> # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 11 (0xb)
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>>         Validity
>>             Not Before: Mar 20 14:29:33 2015 GMT
>>             Not After : Mar 20 14:29:33 2017 GMT
>>         Subject: O=EXAMPLE.COM, CN=balancer.example.com
>> [SNIP]
>>         X509v3 extensions:
>> [SNIP]
>>             X509v3 Subject Alternative Name:
>>                 DNS:idp.example.com, othername:unsupported, othername:unsupported
>> [SNIP]
>>
>> SAN was definitely not supported in 3.0. Not sure about 3.3, should work
>> in 4.0+.
>>
>> rob
>>
>>> 2015-03-19 15:04 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>> Matt . wrote:
>>>>> Isn't this documented well (yet) ?
>>>>
>>>> Is what documented yet?
>>>>
>>>> rob
>>>>
>>>>> The RH docs are always very detailed about it, but I'm not sure
>>>>> here... I see solutions but not 100% from A to Z to make sure we do
>>>>> it the proper way.
>>>>>
>>>>> 2015-03-12 16:59 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>>>>> Not worried, I need to try.
>>>>>>
>>>>>> I think it's not an issue as we use persistence for the connection.
>>>>>> We only do some user adding/changing stuff, nothing really fancy
>>>>>> but it needs to be decent. As persistence comes in I think we
>>>>>> don't have to worry about it, we discussed that here earlier as I
>>>>>> remember. Or do I ?
>>>>>>
>>>>>> Something else; did you have a nice PTO ?
>>>>>>
>>>>>> 2015-03-12 15:54 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>>>> Matt . wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Security wise I can understand that. Yes I have read about
>>>>>>>> that... but that would let me use the loadbalancer to connect ?
>>>>>>>> I was not sure if the SAN would connect as other host.
>>>>>>>
>>>>>>> Kerberos through a load balancer can be a problem. Is this what
>>>>>>> you're worried about?
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>>>>>> Matt . wrote:
>>>>>>>>>> Hi Guys,
>>>>>>>>>>
>>>>>>>>>> Is Rob able to look at this ? I hope he has some spare time
>>>>>>>>>> as I'm kinda stuck with this issue.
>>>>>>>>>
>>>>>>>>> Wildcard certs are not supported. You can request a SAN with
>>>>>>>>> certmonger using -D FQDN. That will work with IPA 4.x for
>>>>>>>>> sure, maybe 3.3.5.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>>>>>>>>>> I'm reviewing some things.
>>>>>>>>>>>
>>>>>>>>>>> When I'm using a loadbalancer, which I prefer in this
>>>>>>>>>>> setup I need to have the same certificates on both
>>>>>>>>>>> servers. Maybe a wildcard for my domain could do instead
>>>>>>>>>>> of having only both fqdn's of the servers including the
>>>>>>>>>>> loadbalancer's fqdn.
>>>>>>>>>>>
>>>>>>>>>>> But the question remains, how?
>>>>>>>>>>>
>>>>>>>>>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi@gmail.com>:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I will balance with IP persistence so I think there
>>>>>>>>>>>> won't be any mixing as long as that used server is
>>>>>>>>>>>> online.
Re: [Freeipa-users] subjectAlternitiveName for webservice
Matt . wrote:
> When digging around I see this documentation:
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>
> I would expect that server.example.com is not going to be accepted by IPA
> when you visit the webgui like that ?

These are SRV records for the ldap service. Think of it as discovery for who
provides ldap service in the domain. It isn't something used by a web browser.

I'm no DNS expert (by far) but this example looks a little wonky. I'd think it
should be example.com and not server.example.com. But in any case it is
irrelevant to a browser.

rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi Rob,

Yes something is wrong there I guess.

But still, I actually need to add a SAN to the webserver cert, which is
different I think than the services at least. So the question there is... how ?

Cheers,

Matt

2015-03-26 14:50 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> When digging around I see this documentation:
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>>
>> I would expect that server.example.com is not going to be accepted by IPA
>> when you visit the webgui like that ?
>
> These are SRV records for the ldap service. Think of it as discovery for
> who provides ldap service in the domain. It isn't something used by a web
> browser.
>
> I'm no DNS expert (by far) but this example looks a little wonky. I'd think
> it should be example.com and not server.example.com. But in any case it is
> irrelevant to a browser.
>
> rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi Rob,

Thank you very much! I think this will work out as it's only https traffic.

I will report back!

Thanks a lot!

Matt

2015-03-26 16:48 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi Rob,
>>
>> Yes something is wrong there I guess.
>
> In any case, it doesn't apply to what you're trying to do.
>
>> But still, I actually need to add a SAN to the webserver cert, which is
>> different I think than the services at least. So the question there is...
>> how ?
>
> What webserver cert? Are you trying to load balance the IPA services via
> DNS?
>
> Not knowing what you want, I'm just answering what you are ASKING. That is
> not the same as giving a proper answer. I have the feeling you want to load
> balance IPA in general which isn't going to work without a ton of (ongoing)
> manual effort. Even Microsoft recommends against trying this in its AD
> environment: http://support.microsoft.com/en-us/kb/325608
>
> In any case, the instructions I've already provided still apply.
>
> If you want to replace the Apache webserver cert you'll just need to do a
> couple of things first which have the potential of completely breaking IPA,
> so you'll need to be careful.
>
> Before you do anything, backup *.db in /etc/httpd/alias.
>
> Stop tracking the Apache cert in certmonger:
>
> # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert
>
> Delete the existing cert:
>
> # certutil -D -d /etc/httpd/alias -n Server-Cert
>
> Like I said, destructive.
>
> Finally use certmonger to get a new cert that includes a SAN. The syntax is
> slightly different than before, mostly because I'm just guessing in the dark
> because you aren't including enough details into what you're trying.
>
> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt
>
> In this case the IPA server is ipa1.example.com and you're creating a SAN
> for ipa.example.com.
>
> Restart httpd.
>
> Note that this doesn't solve the Kerberos problem so cli access will still
> not work as expected. The UI _might_ work using forms-based authentication.
>
> I'd strongly urge you to think about the top of this e-mail before
> proceeding onto the bottom.
>
> rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi,

This should be it and worked for generating the cert with the altname
ldap.domain.tld

When I login and I go to services I get the following:

cannot connect to 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

So I'm a little bit confused here as the certificate contains both hostnames.

A simple wget says the ldap-01 doesn't exist also:

https://ldap-01.domain.tld/ipa/json
Connecting to ldap-01.domain.tld (ldap-01.domain.tld)|10.100.0.251|:443... connected.
ERROR: no certificate subject alternative name matches requested host name 'ldap-01.domain.tld'.
To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.

2015-03-26 20:43 GMT+01:00 Matt . <yamakasi@gmail.com>:
> Hi Rob,
>
> Thank you very much! I think this will work out as it's only https traffic.
>
> I will report back!
>
> Thanks a lot!
>
> Matt
Re: [Freeipa-users] subjectAlternitiveName for webservice
OK some new update:

When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a 301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt

But when I visit https://ldap.domain.tld/ipa/config/ca.crt with my browser it just works fine.
Re: [Freeipa-users] subjectAlternitiveName for webservice
Matt . wrote:
> Hi Rob,
>
> Yes something is wrong there I guess.

In any case, it doesn't apply to what you're trying to do.

> But still, I actually need to add a SAN to the webserver cert, which is different I think than the services at least.
>
> So the question there is... how ?

What webserver cert? Are you trying to load balance the IPA services via DNS?

Not knowing what you want, I'm just answering what you are ASKING. That is not the same as giving a proper answer. I have the feeling you want to load balance IPA in general which isn't going to work without a ton of (ongoing) manual effort. Even Microsoft recommends against trying this in its AD environment: http://support.microsoft.com/en-us/kb/325608

In any case, the instructions I've already provided still apply. If you want to replace the Apache webserver cert you'll just need to do a couple of things first, which have the potential of completely breaking IPA, so you'll need to be careful.

Before you do anything, backup *.db in /etc/httpd/alias.

Stop tracking the Apache cert in certmonger:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

Delete the existing cert:

# certutil -D -d /etc/httpd/alias -n Server-Cert

Like I said, destructive.

Finally use certmonger to get a new cert that includes a SAN. The syntax is slightly different than before, mostly because I'm just guessing in the dark because you aren't including enough details into what you're trying.

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

In this case the IPA server is ipa1.example.com and you're creating a SAN for ipa.example.com.

Restart httpd.

Note that this doesn't solve the Kerberos problem so cli access will still not work as expected. The UI _might_ work using forms-based authentication.

I'd strongly urge you to think about the top of this e-mail before proceeding onto the bottom.

rob

> Cheers,
>
> Matt

2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

Matt . wrote:
> When digging around I see this documentation:
>
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
>
> I would expect that server.example.com is not going to be accepted by IPA when you visit the webgui like that ?

These are SRV records for the ldap service. Think of it as discovery for who provides ldap service in the domain. It isn't something used by a web browser.

I'm no DNS expert (by far) but this example looks a little wonky. I'd think it should be example.com and not server.example.com. But in any case it is irrelevant to a browser.

rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
OK, quite clear but I think that is not going to help me, if you ask me, I might be wrong here as this is what I get:

# wget https://ldap.mydomain.tld/ipa/json
--2015-03-26 01:22:51-- https://ldap.mydomain.tld/ipa/json
Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
Connecting to ldap.mydomain.tld (ldap.mydomain.tld)|10.100.0.250|:443... connected.
ERROR: cannot verify ldap.mydomain.tld's certificate, issued by '/O=MYDOMAIN.TLD/CN=Certificate Authority':
Self-signed certificate encountered.
ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't match requested host name 'ldap.mydomain.tld'.
To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.

(I used the gui that actually worked quite OK following the docs, tried your version also but got stuck as I did it on the IPA server, need to recheck that)

I think this happens because I use the ca.crt from /etc/ipa/ca.crt and the one I generated in the same file. I need to have them both in my curl certificate.

I might be wrong here, but this is where I'm at.

Thanks again for your patience.

Matt
Re: [Freeipa-users] subjectAlternitiveName for webservice
Matt . wrote:
> The right way to request a SAN, this seems to need some extra config file ?

Like I said before, use certmonger, it makes life easier.

I'll create a new host balancer.example.com with a HTTP service. I'll generate a cert with a SAN for idp.example.com in that service. I'm generating the cert on idp.example.com, hence the service-add-host bit.

On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)

# kinit admin
# ipa host-add balancer.example.com
# ipa service-add HTTP/balancer.example.com --force
# ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
# ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K HTTP/balancer.example.com -D idp.example.com
# getcert list -i id

until it goes to MONITORING

# openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Mar 20 14:29:33 2015 GMT
            Not After : Mar 20 14:29:33 2017 GMT
        Subject: O=EXAMPLE.COM, CN=balancer.example.com
[SNIP]
        X509v3 extensions:
[SNIP]
            X509v3 Subject Alternative Name:
                DNS:idp.example.com, othername:unsupported, othername:unsupported
[SNIP]

SAN was definitely not supported in 3.0. Not sure about 3.3, should work in 4.0+.

rob
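The certificate above carries CN=balancer.example.com in the subject but only idp.example.com in its SAN, and under the RFC 2818 rule that strict validators apply (a present dNSName SAN is the only identity checked; the CN is then ignored) it is valid for idp.example.com but not for balancer.example.com, which is the "no certificate subject alternative name matches" failure reported earlier in this thread. The checker below is an added example, not code from the thread or from FreeIPA; its certificate dicts are constructed in the shape Python's ssl.getpeercert() returns.

```python
"""Strict hostname verification (RFC 2818 section 3.1), as the NSS-based
clients in this thread apply it.

Added example, not code from the thread or from FreeIPA/certmonger.
Rule: if the certificate carries any dNSName subjectAltName entry, the
hostname is matched ONLY against those entries and the subject CN is
ignored; the CN is consulted only when no dNSName is present.
Certificates are plain dicts in the shape ssl.getpeercert() returns,
constructed here to mirror the openssl output in the message above.
"""


def _dns_names(cert):
    """dNSName entries of the SAN extension (empty list if none)."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def _common_names(cert):
    """Every commonName attribute found in the subject DN."""
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def _label_matches(pattern, hostname):
    """Case-insensitive exact match; a single leftmost '*' label may
    stand in for exactly one label (the RFC 2818 wildcard form)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Refuse label-count mismatches and overly broad '*.tld' patterns.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname_rfc2818(cert, hostname):
    """Return (matched, reason); the reason names the identity source
    that decided the outcome so a failure can be explained to an admin."""
    sans = _dns_names(cert)
    if sans:
        if any(_label_matches(san, hostname) for san in sans):
            return True, "matched SAN dNSName"
        # The CN is deliberately ignored once a SAN exists: this is the
        # behaviour behind "no certificate subject alternative name matches".
        return False, "no SAN dNSName matches; CN ignored because SAN present"
    if any(_label_matches(cn, hostname) for cn in _common_names(cert)):
        return True, "matched subject CN (no SAN present)"
    return False, "no SAN present and CN does not match"


def names_missing_from_san(cert, wanted_hostnames):
    """Hostnames an admin intends to serve that the SAN does not cover;
    a pre-deployment check for a freshly issued certificate."""
    sans = _dns_names(cert)
    return [h for h in wanted_hostnames
            if not any(_label_matches(s, h) for s in sans)]


# Constructed to mirror the "openssl x509 -text" output above:
# subject CN=balancer.example.com, SAN holding only DNS:idp.example.com.
CERT_SAN_ONLY_IDP = {
    "subject": ((("organizationName", "EXAMPLE.COM"),),
                (("commonName", "balancer.example.com"),)),
    "subjectAltName": (("DNS", "idp.example.com"),),
}

# Constructed: the same subject, but the SAN lists both names.
CERT_SAN_BOTH = {
    "subject": ((("organizationName", "EXAMPLE.COM"),),
                (("commonName", "balancer.example.com"),)),
    "subjectAltName": (("DNS", "balancer.example.com"),
                       ("DNS", "idp.example.com")),
}

# Constructed: a legacy certificate with no SAN at all, so the CN counts.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap-01.example.com"),),),
}


if __name__ == "__main__":
    for name in ("balancer.example.com", "idp.example.com"):
        print(name, "->", match_hostname_rfc2818(CERT_SAN_ONLY_IDP, name))
    print("not covered by SAN:", names_missing_from_san(
        CERT_SAN_ONLY_IDP, ["balancer.example.com", "idp.example.com"]))
```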
Re: [Freeipa-users] subjectAlternitiveName for webservice
Isn't this documented well (yet) ?

The RH docs are always very detailed about it, but I'm not sure here... I see solutions but not 100% from A to Z to make sure we do it the proper way.

2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:

Not worried, I need to try.

I think it's not an issue as we use persistence for the connection. We only do some user adding/changing stuff, nothing really fancy but it needs to be decent. As persistence comes in I think we don't have to worry about it, we discussed that here earlier as I remember. Or do I ?

Something else; did you have a nice PTO ?
Re: [Freeipa-users] subjectAlternitiveName for webservice
The right way to request a SAN, this seems to need some extra config file ?

2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

Matt . wrote:
> Isn't this documented well (yet) ?

Is what documented yet?

rob
Re: [Freeipa-users] subjectAlternitiveName for webservice
Matt . wrote:
> Isn't this documented well (yet) ?

Is what documented yet?

rob

> The RH docs are always very detailed about it, but I'm not sure here... I see solutions but not 100% from A to Z to make sure we do it the proper way.
Re: [Freeipa-users] subjectAlternitiveName for webservice
Matt . wrote:

Hi, Security wise I can understand that. Yes I have read about that... but that would let me use the loadbalancer to connect? I was not sure if the SAN would connect as other host.

Kerberos through a load balancer can be a problem. Is this what you're worried about?

rob

2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

Matt . wrote:

Hi Guys, Is Rob able to look at this? I hope he has some spare time as I'm kinda stuck with this issue.

Wildcard certs are not supported. You can request a SAN with certmonger using -D FQDN. That will work with IPA 4.x for sure, maybe 3.3.5.

rob

Thanks!

2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:

I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup, I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both fqdn's of the servers including the loadbalancer's fqdn. But the question remains, how?

2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:

Hi, I will balance with IP persistence so I think there won't be any mixing as long as that used server is online.

2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 11:05 AM, Matt . wrote:

OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials; if so, this kinit exec is fired and I do some CURL stuff to the IPA server. That's why I wanted a loadbalancer, the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for an example. Building in extra checks in front could be done but it is not ideal as a loadbalancer can handle such things much better. OK, this makes things much more clear. Thanks for the explanation.

Rob. What is our failover logic for API? For CLI we use a negotiation and then we store a cookie so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at the load balancer and thus have a cert there then if you can enforce the use of the same server in this case. The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation. Rob does that make sense for you?

Thanks! Cheers, Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 10:24 AM, Matt . wrote:

Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe?

Each entity in a Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing the same keys and identities between the servers just would not work with IPA. Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed, creating overhead for yourself.

In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6

Thanks again! Cheers, Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.

As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key.
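The point Dmitri makes above (a ticket sealed for service A is useless to service B unless both hold the same key and identity) is easy to see with a toy model. The block below is an added illustration and not FreeIPA or MIT Kerberos code: a real service ticket is encrypted with the service's long-term key, here the "seal" is an HMAC keyed with that long-term key, which is enough to show the binding. The principal names, keys and the client name are constructed.

```python
"""Toy model of why a Kerberos service ticket cannot simply be load-balanced
across two IPA servers that hold different keytabs.

Added example, not FreeIPA or MIT Kerberos code. A real ticket is encrypted
under the service's long-term key; here it is sealed with an HMAC keyed by
that long-term key, which is enough to show the binding Dmitri describes.
All keys, principals and the client name are constructed.
"""
import hashlib
import hmac
import json
import os


def make_service_key():
    # Constructed: each service principal gets its own random long-term key,
    # as it would when each server fetches its own keytab.
    return os.urandom(32)


def seal_ticket(service_key, client, service):
    """The KDC seals a ticket for `service`; only a holder of service_key can verify it."""
    body = json.dumps({"client": client, "service": service}, sort_keys=True).encode()
    tag = hmac.new(service_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def accept_ticket(service_key, ticket, my_principal):
    """What a server does on AP-REQ: verify the seal with its own key and
    check that the ticket names this principal. Returns the client name or None."""
    expected = hmac.new(service_key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None  # sealed for somebody else's key
    data = json.loads(ticket["body"])
    if data["service"] != my_principal:
        return None  # right key, wrong identity
    return data["client"]


def simulate(shared_identity):
    """A client obtains a ticket for the server it believes it is talking to
    and a balancer hands the request to either server. Returns a dict of
    server name -> whether that server accepted the ticket."""
    if shared_identity:
        # Both servers present the balancer's principal with one shared key.
        # This is the "same keys and identity" case from the thread.
        principal = "HTTP/ipa.example.test"   # constructed
        key = make_service_key()
        servers = {"ipa-01": (principal, key), "ipa-02": (principal, key)}
    else:
        # The normal IPA layout: every server has its own principal and key.
        servers = {
            "ipa-01": ("HTTP/ipa-01.example.test", make_service_key()),
            "ipa-02": ("HTTP/ipa-02.example.test", make_service_key()),
        }
    target_principal, target_key = servers["ipa-01"]
    ticket = seal_ticket(target_key, "matt@EXAMPLE.TEST", target_principal)
    return {
        name: accept_ticket(key, ticket, principal) is not None
        for name, (principal, key) in servers.items()
    }


if __name__ == "__main__":
    print("separate keys and identities:", simulate(False))
    print("shared key and identity:     ", simulate(True))
```

With separate keys the ticket is only good at the server it was issued for, which is exactly why a balancer that silently forwards the Kerberos exchange to the other server breaks authentication; the shared case succeeds in the toy model but, as Dmitri notes, sharing one keytab between IPA servers is not something IPA supports.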
Re: [Freeipa-users] subjectAlternitiveName for webservice
Matt . wrote:

Hi Guys, Is Rob able to look at this? I hope he has some spare time as I'm kinda stuck with this issue.

Wildcard certs are not supported. You can request a SAN with certmonger using -D FQDN. That will work with IPA 4.x for sure, maybe 3.3.5.

rob

Thanks!

2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:

I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup, I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both fqdn's of the servers including the loadbalancer's fqdn. But the question remains, how?

2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:

Hi, I will balance with IP persistence so I think there won't be any mixing as long as that used server is online.

2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 11:05 AM, Matt . wrote:

OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials; if so, this kinit exec is fired and I do some CURL stuff to the IPA server. That's why I wanted a loadbalancer, the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for an example. Building in extra checks in front could be done but it is not ideal as a loadbalancer can handle such things much better. OK, this makes things much more clear. Thanks for the explanation.

Rob. What is our failover logic for API? For CLI we use a negotiation and then we store a cookie so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at the load balancer and thus have a cert there then if you can enforce the use of the same server in this case. The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation. Rob does that make sense for you?

Thanks! Cheers, Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 10:24 AM, Matt . wrote:

Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe?

Each entity in a Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing the same keys and identities between the servers just would not work with IPA. Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed, creating overhead for yourself.

In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6

Thanks again! Cheers, Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.

As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key. You need to talk with Simo or some other Kerberos guru about the possibility of sharing keytabs between IPA services.

Does this make it more clear?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I
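Rob's advice above is to request one certificate that carries every name clients will use (the server's own FQDN and the balancer's FQDN) as subjectAltName entries via certmonger's -D. A strict verifier such as NSS consults only the SAN when one is present and ignores the subject CN, so a certificate whose SAN lists just the balancer name fails for clients that connect to the server directly. The block below is an added example, not FreeIPA or certmonger code: it implements that matching rule and reports which required names a certificate does not cover, so the check can be run before and after the certificate is regenerated. The host names are constructed, and the `getcert_request_args` helper only assembles a command line from the -D option the thread mentions plus certmonger's standard file, subject and principal options; it is illustrative and does not invoke anything.

```python
"""Does a certificate cover every name the clients will use?

Added example, not FreeIPA or certmonger code. Matching follows the strict
rule NSS applies: when the certificate has dNSName SAN entries only those
are consulted and the subject CN is ignored; the CN is a fallback only for
SAN-less certificates. Wildcards match a single leftmost label only.
All host names below are constructed.
"""


def _pattern_matches(pattern, host):
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # "*.example.test" matches "a.example.test" but neither "example.test"
    # nor "a.b.example.test"; the wildcard must be the whole leftmost label.
    return (
        p_labels[0] == "*"
        and len(p_labels) >= 2
        and len(p_labels) == len(h_labels)
        and p_labels[1:] == h_labels[1:]
    )


def hostname_matches(host, cert_cn, san_dns):
    """Strict verifier behaviour: SAN present -> only SAN counts."""
    candidates = san_dns if san_dns else ([cert_cn] if cert_cn else [])
    return any(_pattern_matches(p, host) for p in candidates)


def missing_names(required, cert_cn, san_dns):
    """Return the required names a strict client would reject, in order."""
    return [n for n in required if not hostname_matches(n, cert_cn, san_dns)]


def getcert_request_args(server_fqdn, extra_dns_names, key_path, cert_path):
    """Assemble a certmonger request that lists every name as a SAN.
    Illustrative only: -D is the option from the thread; -f/-k/-N/-K are
    certmonger's file, subject and Kerberos principal options."""
    args = ["ipa-getcert", "request", "-f", cert_path, "-k", key_path,
            "-N", "CN=" + server_fqdn, "-K", "HTTP/" + server_fqdn]
    for name in [server_fqdn] + list(extra_dns_names):
        args += ["-D", name]
    return args


if __name__ == "__main__":
    server = "ldap-01.example.test"      # constructed server FQDN
    balancer = "ipa.example.test"        # constructed balancer FQDN
    # Certificate issued with the balancer name as the only SAN entry:
    print(missing_names([server, balancer], server, [balancer]))
    # Certificate with both names in the SAN:
    print(missing_names([server, balancer], server, [server, balancer]))
    print(" ".join(getcert_request_args(server, [balancer], "/etc/pki/tls/private/ipa.key", "/etc/pki/tls/certs/ipa.crt")))
```

The first check shows the trap: with `CN=ldap-01.example.test` and a SAN of only `ipa.example.test`, direct connections to `ldap-01` fail even though the name is in the subject. A wildcard SAN would satisfy the matcher, but as Rob says the IPA CA will not issue one, so listing each name explicitly is the way to go.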
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi Guys, Is Rob able to look at this? I hope he has some spare time as I'm kinda stuck with this issue.

Thanks!

2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:

I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup, I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both fqdn's of the servers including the loadbalancer's fqdn. But the question remains, how?

2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:

Hi, I will balance with IP persistence so I think there won't be any mixing as long as that used server is online.

2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 11:05 AM, Matt . wrote:

OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials; if so, this kinit exec is fired and I do some CURL stuff to the IPA server. That's why I wanted a loadbalancer, the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for an example. Building in extra checks in front could be done but it is not ideal as a loadbalancer can handle such things much better. OK, this makes things much more clear. Thanks for the explanation.

Rob. What is our failover logic for API? For CLI we use a negotiation and then we store a cookie so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at the load balancer and thus have a cert there then if you can enforce the use of the same server in this case. The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation. Rob does that make sense for you?

Thanks! Cheers, Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 10:24 AM, Matt . wrote:

Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe?

Each entity in a Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing the same keys and identities between the servers just would not work with IPA. Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed, creating overhead for yourself.

In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6

Thanks again! Cheers, Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.

As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key. You need to talk with Simo or some other Kerberos guru about the possibility of sharing keytabs between IPA services.

Does this make it more clear?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

I do not really understand your
Re: [Freeipa-users] subjectAlternitiveName for webservice
I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup, I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both fqdn's of the servers including the loadbalancer's fqdn. But the question remains, how?

2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:

Hi, I will balance with IP persistence so I think there won't be any mixing as long as that used server is online.

2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 11:05 AM, Matt . wrote:

OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials; if so, this kinit exec is fired and I do some CURL stuff to the IPA server. That's why I wanted a loadbalancer, the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for an example. Building in extra checks in front could be done but it is not ideal as a loadbalancer can handle such things much better. OK, this makes things much more clear. Thanks for the explanation.

Rob. What is our failover logic for API? For CLI we use a negotiation and then we store a cookie so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at the load balancer and thus have a cert there then if you can enforce the use of the same server in this case. The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation. Rob does that make sense for you?

Thanks! Cheers, Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 10:24 AM, Matt . wrote:

Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe?

Each entity in a Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing the same keys and identities between the servers just would not work with IPA. Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed, creating overhead for yourself.

In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6

Thanks again! Cheers, Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.

As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key. You need to talk with Simo or some other Kerberos guru about the possibility of sharing keytabs between IPA services.

Does this make it more clear?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

I do not really understand your use case. Could you describe it in detail, please?

Petr^2 Spacek

2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi, I will balance with IP persistence so I think there won't be any mixing as long as that used server is online.

2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 11:05 AM, Matt . wrote:

OK, understood. But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it? I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials; if so, this kinit exec is fired and I do some CURL stuff to the IPA server. That's why I wanted a loadbalancer, the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for an example. Building in extra checks in front could be done but it is not ideal as a loadbalancer can handle such things much better. OK, this makes things much more clear. Thanks for the explanation.

Rob. What is our failover logic for API? For CLI we use a negotiation and then we store a cookie so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at the load balancer and thus have a cert there then if you can enforce the use of the same server in this case. The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation. Rob does that make sense for you?

Thanks! Cheers, Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 10:24 AM, Matt . wrote:

Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe?

Each entity in a Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing the same keys and identities between the servers just would not work with IPA. Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed, creating overhead for yourself.

In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6

Thanks again! Cheers, Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.

As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key. You need to talk with Simo or some other Kerberos guru about the possibility of sharing keytabs between IPA services.

Does this make it more clear?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

I do not really understand your use case. Could you describe it in detail, please?

Petr^2 Spacek

2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on. I would recommend you to use something
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on. I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.

-- Petr^2 Spacek

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] subjectAlternitiveName for webservice
On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

I do not really understand your use case. Could you describe it in detail, please?

Petr^2 Spacek

2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on. I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.

-- Petr^2 Spacek
Re: [Freeipa-users] subjectAlternitiveName for webservice
I have 2 IPA servers where I kinit to and post to the api using curl/json. As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

Does this make it more clear?

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

I do not really understand your use case. Could you describe it in detail, please?

Petr^2 Spacek

2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on. I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.

-- Petr^2 Spacek
Re: [Freeipa-users] subjectAlternitiveName for webservice
On 6.3.2015 16:24, Matt . wrote:

Hi, I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, SRV won't fit here sorry to say. I auth users, so their keytab should be the same between two masters I believe?

Keytabs are used by Kerberos and MIT Kerberos libraries fully support SRV records and failover.

In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6

I hope someone else can advise you how to do that but be prepared for hiccups, this setup is not tested.

Petr^2 Spacek

Thanks again! Cheers, Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.

As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key. You need to talk with Simo or some other Kerberos guru about the possibility of sharing keytabs between IPA services.

Does this make it more clear?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

I do not really understand your use case. Could you describe it in detail, please?

Petr^2 Spacek

2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on. I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.

-- Petr^2 Spacek

-- Petr Spacek @ Red Hat
Re: [Freeipa-users] subjectAlternitiveName for webservice
On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.

As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key. You need to talk with Simo or some other Kerberos guru about the possibility of sharing keytabs between IPA services.

Does this make it more clear?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi, But as the user is the same, I could use the same keytab for each ipa server? I need to use the API indeed, so need to issue the http service. Any other options?

I do not really understand your use case. Could you describe it in detail, please?

Petr^2 Spacek

2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on. I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.

-- Petr^2 Spacek

-- Petr Spacek @ Red Hat
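Petr's suggestion above, and his later remark that the MIT Kerberos libraries already do this, is client-side failover driven by DNS SRV records: try servers in priority order, spread load inside a priority by weight, and move on when one does not answer. This is what Matt asks about ("would it try to do it again?"). The block below is an added example of that selection logic, not the IPA Python API or the MIT Kerberos implementation; the SRV records and the reachability of each server are constructed so it runs offline, and a real client would obtain the records with a resolver lookup of the `_ldap._tcp` or `_kerberos._udp` name instead.

```python
"""RFC 2782 style server selection over DNS SRV records, with failover.

Added example, not FreeIPA's or MIT Kerberos's code. The SRV records and
the set of unreachable servers are constructed; a real client would look
the records up with a resolver.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed records, as a resolver might return them for a service name
# such as _ldap._tcp.example.test: two equal-weight primaries and a
# low-priority (high number) fallback.
RECORDS = [
    SRV(priority=0, weight=100, port=389, target="ipa-01.example.test"),
    SRV(priority=0, weight=100, port=389, target="ipa-02.example.test"),
    SRV(priority=10, weight=0, port=389, target="ipa-dr.example.test"),
]


def order_targets(records, rng):
    """Lowest priority value first; inside one priority, weighted random
    selection without replacement (RFC 2782 section on weight)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = group[0]  # all weights zero: take them in record order
            else:
                n = rng.randint(0, total - 1)
                acc = 0
                for r in group:
                    acc += r.weight
                    if n < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def call_with_failover(records, attempt, seed=None):
    """Try each target in SRV order until `attempt(target, port)` returns a
    non-None result. Returns (result, targets_tried); raises when all fail."""
    rng = random.Random(seed)
    tried = []
    for r in order_targets(records, rng):
        tried.append(r.target)
        result = attempt(r.target, r.port)
        if result is not None:
            return result, tried
    raise ConnectionError("no server reachable; tried " + ", ".join(tried))


def make_attempt(down):
    """Constructed stand-in for a real connection: servers in `down` fail."""
    def attempt(target, port):
        if target in down:
            return None  # connection refused / timeout
        return target   # in real code: the session or response
    return attempt


if __name__ == "__main__":
    print(call_with_failover(RECORDS, make_attempt({"ipa-01.example.test"}), seed=1))
    print(call_with_failover(RECORDS, make_attempt({"ipa-01.example.test", "ipa-02.example.test"})))
```

Because the primaries share a priority, which of them is tried first is random per call; the fallback is only reached after both primaries fail, and a call returns as soon as any server answers. That is the behaviour a load balancer would otherwise have to provide, without the single point of failure Petr mentions.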
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi,

I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say.

I auth users, so their keytab should be the same between two masters I believe?

In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6

Thanks again!

Cheers,

Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:
> On 6.3.2015 15:39, Matt . wrote:
>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>
> If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be easiest way.
>
>> As I need redundancy and don't want to have it script managed, but one central point where I can talk to I use a loadbalancer.
>
> Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have single point of failure (the load balancer).
>
>> As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals I need to add the loadbalancer hostname to my IPA server and make it as an ALT name to its Certificate.
>>
>> As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.
>
> I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has own keytab with different key. You need to talk with Simo or some other Kerberos guru about possibility of sharing keytabs between IPA services.
>
>> Does this make it more clear?
>
> I'm still not sure if you want to have human users too or just API clients.
>
> Petr^2 Spacek
>
>> 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>> On 6.3.2015 15:13, Matt . wrote:
>>>> Hi,
>>>>
>>>> But as the user is the same, I could use the same keytab for each ipa server?
>>>>
>>>> I need to use the API indeed, so need to issue the http service.
>>>>
>>>> Any other options?
>>>
>>> I do not really understand your use case. Could you describe it in detail, please?
>>>
>>> Petr^2 Spacek
>>>
>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>>>>
>>>>> Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>>>
>>>>> I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.
>>>>>
>>>>> --
>>>>> Petr^2 Spacek
>
> --
> Petr Spacek @ Red Hat
Re: [Freeipa-users] subjectAlternitiveName for webservice
On 6.3.2015 14:08, Martin Kosek wrote:
> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.

I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.

--
Petr^2 Spacek
[Freeipa-users] subjectAlternitiveName for webservice
Hi,

I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.

I see in the docs there is information about this, but not for the webservice.

Does anyone have some directions?

Thanks.

Matt
Re: [Freeipa-users] subjectAlternitiveName for webservice
On 03/06/2015 01:30 PM, Matt . wrote:
> Hi,
>
> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>
> I see in the docs there is information about this, but not for the webservice.
>
> Does anyone have some directions?
>
> Thanks.
>
> Matt

Certificate SubjectAltName was fixed in FreeIPA 4.0, this is the upstream ticket:
https://fedorahosted.org/freeipa/ticket/3977

The procedure is described in upstream wiki for example:
http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

HTH,
Martin
Re: [Freeipa-users] subjectAlternitiveName for webservice
Hi Martin,

Thanks, I saw that ticket but didn't get to the wiki part yet.

What I wonder in Step 6:

6. Request a signed certificate for the service and see the entry in Certmonger. In case you created a NSS database with a PIN (see the step 3.), use -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt option to tell certmonger about it:

# ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert -K HTTP/`hostname` -N CN=`hostname`,O=EXAMPLE.COM -g 2048 -p /etc/httpd/nssdb/pwdfile.txt

SAN names: in FreeIPA 4.0 and later, you can add optional SAN DNS names to your request with -D. Note that you need to first create respective host or service objects and configure that given host can manage them with service-add-host or host-add-managedby command. These objects are being verified when FreeIPA cert-req command authorizes the SAN names.

Can I just add the alt names in that command, how should I proceed?

I added the host like ldap.domain... where my ldap servers are ldap-01 and ldap-02

Thanks!

Matt

2015-03-06 14:08 GMT+01:00 Martin Kosek mko...@redhat.com:
> On 03/06/2015 01:30 PM, Matt . wrote:
>> Hi,
>>
>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>
>> I see in the docs there is information about this, but not for the webservice.
>>
>> Does anyone have some directions?
>>
>> Thanks.
>>
>> Matt
>
> Certificate SubjectAltName was fixed in FreeIPA 4.0, this is the upstream ticket:
> https://fedorahosted.org/freeipa/ticket/3977
>
> The procedure is described in upstream wiki for example:
> http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
>
> HTH,
> Martin
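An added example, not code from the thread or from FreeIPA: the RFC 2818 host name check that the SAN request above has to satisfy, run against constructed certificate name sets that use the thread's own host names (ldap-01.domain for the server, ldap.domain for the load balancer). It shows why the request needs a -D entry for the server's own name as well as the load balanced name: once any dNSName SAN is present, the CN is not consulted at all. The dict shape for a certificate is an assumption of this example.

```python
# Added example (not from the mailing-list thread, not FreeIPA code).
# Implements the RFC 2818 section 3.1 identity check that strict TLS
# clients apply: SAN dNSName entries, when present, are the only names
# checked; the subject CN is a fallback used only when no such SAN exists.
# Certificates are modelled as plain dicts (an assumption of this example);
# nothing on the network is contacted.

def _label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a host name, case-insensitively.
    A wildcard is honoured only as the whole leftmost label (*.domain) and
    it never spans more than one label, so *.domain does not cover
    a.ldap.domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is an acceptable identity for `cert`.

    cert keys (constructed for this example):
      'cn'  : subject CN (str)
      'san' : list of dNSName values, possibly empty
    """
    san = cert.get("san") or []
    if san:
        # SAN present: the CN is ignored even if it would have matched.
        return any(_label_match(name, hostname) for name in san)
    return _label_match(cert.get("cn", ""), hostname)


def explain(cert: dict, hostname: str) -> str:
    """Short verdict for a report, distinguishing the SAN and CN cases."""
    if hostname_matches(cert, hostname):
        return f"OK: '{hostname}' is covered"
    if cert.get("san"):
        return f"FAIL: no SAN dNSName entry covers '{hostname}' (CN ignored)"
    return f"FAIL: CN '{cert.get('cn')}' does not cover '{hostname}'"


# Constructed name sets modelling the thread's situation.
# Renewed cert that carries only the load balancer name as SAN: the
# server's own name survives only in the CN, which is no longer checked.
LB_ONLY_SAN = {"cn": "ldap-01.domain", "san": ["ldap.domain"]}
# Cert requested with both names (-D ldap-01.domain -D ldap.domain).
BOTH_NAMES = {"cn": "ldap-01.domain",
              "san": ["ldap-01.domain", "ldap.domain"]}
# Original cert with no SAN extension: the CN alone is checked.
NO_SAN = {"cn": "ldap-01.domain", "san": []}

if __name__ == "__main__":
    for label, cert in (("LB-only SAN", LB_ONLY_SAN),
                        ("both names", BOTH_NAMES),
                        ("no SAN", NO_SAN)):
        for host in ("ldap-01.domain", "ldap.domain"):
            print(f"{label:12} {host:16} -> {explain(cert, host)}")
```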
Re: [Freeipa-users] subjectAlternitiveName for webservice
On Fri, 2015-03-06 at 16:24 +0100, Matt . wrote:
> Hi,
>
> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say.
>
> I auth users, so their keytab should be the same between two masters I believe?

What kind of load balancing?
An IPA server offers multiple different kerberized services, not all of them may be able to work using multiple keys (you would need one key for the real name and one for the load balanced name).

Simo.

> In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6
>
> Thanks again!
>
> Cheers,
>
> Matthijs
>
> 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:
>> On 6.3.2015 15:39, Matt . wrote:
>>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>>
>> If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be easiest way.
>>
>>> As I need redundancy and don't want to have it script managed, but one central point where I can talk to I use a loadbalancer.
>>
>> Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have single point of failure (the load balancer).
>>
>>> As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals I need to add the loadbalancer hostname to my IPA server and make it as an ALT name to its Certificate.
>>>
>>> As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.
>>
>> I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has own keytab with different key. You need to talk with Simo or some other Kerberos guru about possibility of sharing keytabs between IPA services.
>>
>>> Does this make it more clear?
>>
>> I'm still not sure if you want to have human users too or just API clients.
>>
>> Petr^2 Spacek
>>
>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>> Hi,
>>>>>
>>>>> But as the user is the same, I could use the same keytab for each ipa server?
>>>>>
>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>
>>>>> Any other options?
>>>>
>>>> I do not really understand your use case. Could you describe it in detail, please?
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>>>>>
>>>>>> Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>>>>
>>>>>> I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.
>>>>>>
>>>>>> --
>>>>>> Petr^2 Spacek
>>
>> --
>> Petr Spacek @ Red Hat

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] subjectAlternitiveName for webservice
OK, understood.

But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it?

I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials, if so, this kinit exec is fired and I do some CURL stuff to the IPA server.

That's why I wanted a loadbalancer, the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for example.

Building in extra checks in front could be done but it is not ideal as a loadbalancer can handle such things much better.

Thanks!

Cheers,

Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:
> On 03/06/2015 10:24 AM, Matt . wrote:
>> Hi,
>>
>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say.
>>
>> I auth users, so their keytab should be the same between two masters I believe?
>
> Each entity in Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing same keys and identities between the servers just would not work with IPA.
>
> Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed creating overhead for yourself.
>
>> In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6
>>
>> Thanks again!
>>
>> Cheers,
>>
>> Matthijs
>>
>> 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>> On 6.3.2015 15:39, Matt . wrote:
>>>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>>>
>>> If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be easiest way.
>>>
>>>> As I need redundancy and don't want to have it script managed, but one central point where I can talk to I use a loadbalancer.
>>>
>>> Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have single point of failure (the load balancer).
>>>
>>>> As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals I need to add the loadbalancer hostname to my IPA server and make it as an ALT name to its Certificate.
>>>>
>>>> As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.
>>>
>>> I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has own keytab with different key. You need to talk with Simo or some other Kerberos guru about possibility of sharing keytabs between IPA services.
>>>
>>>> Does this make it more clear?
>>>
>>> I'm still not sure if you want to have human users too or just API clients.
>>>
>>> Petr^2 Spacek
>>>
>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>> Hi,
>>>>>>
>>>>>> But as the user is the same, I could use the same keytab for each ipa server?
>>>>>>
>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>
>>>>>> Any other options?
>>>>>
>>>>> I do not really understand your use case. Could you describe it in detail, please?
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>>>>>>
>>>>>>> Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>>>>>
>>>>>>> I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.
>>>>>>>
>>>>>>> --
>>>>>>> Petr^2 Spacek
>>>
>>> --
>>> Petr Spacek @ Red Hat
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] subjectAlternitiveName for webservice
On 03/06/2015 11:05 AM, Matt . wrote:
> OK, understood.
>
> But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it?
>
> I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials, if so, this kinit exec is fired and I do some CURL stuff to the IPA server.
>
> That's why I wanted a loadbalancer, the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for example.
>
> Building in extra checks in front could be done but it is not ideal as a loadbalancer can handle such things much better.

OK, this makes things much more clear. Thanks for the explanation.

Rob.

What is our failover logic for API? For CLI we use a negotiation and then we store a cookie so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at load balancer and thus have a cert there then if you can enforce the use of the same server in this case. The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation.

Rob does that make sense for you?

> Thanks!
>
> Cheers,
>
> Matt
>
> 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:
>> On 03/06/2015 10:24 AM, Matt . wrote:
>>> Hi,
>>>
>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, SRV won't fit here sorry to say.
>>>
>>> I auth users, so their keytab should be the same between two masters I believe?
>>
>> Each entity in Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing same keys and identities between the servers just would not work with IPA.
>>
>> Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed creating overhead for yourself.
>>
>>> In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6
>>>
>>> Thanks again!
>>>
>>> Cheers,
>>>
>>> Matthijs
>>>
>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>>>>
>>>> If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be easiest way.
>>>>
>>>>> As I need redundancy and don't want to have it script managed, but one central point where I can talk to I use a loadbalancer.
>>>>
>>>> Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have single point of failure (the load balancer).
>>>>
>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals I need to add the loadbalancer hostname to my IPA server and make it as an ALT name to its Certificate.
>>>>>
>>>>> As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.
>>>>
>>>> I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has own keytab with different key. You need to talk with Simo or some other Kerberos guru about possibility of sharing keytabs between IPA services.
>>>>
>>>>> Does this make it more clear?
>>>>
>>>> I'm still not sure if you want to have human users too or just API clients.
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> But as the user is the same, I could use the same keytab for each ipa server?
>>>>>>>
>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>
>>>>>>> Any other options?
>>>>>>
>>>>>> I do not really understand your use case. Could you describe it in detail, please?
>>>>>>
>>>>>> Petr^2 Spacek
>>>>>>
>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>>>>>>>
>>>>>>>> Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>>>>>>
>>>>>>>> I would recommend you to use something which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Petr^2 Spacek
>>>>
>>>> --
>>>> Petr Spacek @ Red Hat
>>
>> --