Re: [Freeipa-users] freeipa behind a load balancer

2015-04-02 Thread Matt .
OK, to keep this updated.

With some Kerberos gurus we have looked at how IPA behaves when you
change all DNS names, PTR and A records to the LB-er, and every time you get
a ticket from the server service principal itself.

With kvno you can get a ticket for the loadbalancer, but when you run
your "failing script" you also see a ticket coming back from the IPA
server itself.

I have seen some mailings from last year too with no solution... it
seems to be a showstopper on that part :(



2015-04-01 20:41 GMT+02:00 Matt . :
> Hi,
>
> I'm not giving up on this, so I'm testing.
>
> I'm unsure at the moment about the keytab. The keytab is normally for
> the user that needs to be able to do "stuff", but in this case we need
> one for the loadbalancer name or the client, maybe combined?
>
> I lost that overview... would be nice to get some advice here.
>
> Thanks!
>
> Matt
>
> 2015-03-31 21:23 GMT+02:00 Matt . :
>> OK, but we need to do this using IPA or (as IPA does some things
>> differently it seems).
>>
>> Anyone testing this perhaps? (/me is multitasking atm)
>>
>> 2015-03-31 20:22 GMT+02:00 Rob Crittenden :
>>> Brendan Kearney wrote:
>>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>>>> But IPA is more complex and some operations will be performed directly
>>>>>> against the specific server name, so you need to keep 2 sets of keys
>>>>>> (one for the server name and one for the load balancer name), but that
>>>>>> does not work right now.
>>>>>
>>>>> One experiment that can be done is to remove all "per-server" HTTP
>>>>> services for the IPA server, and instead add their name as aliases on
>>>>> the common load-balancer name.
>>>>>
>>>>> This would mean that all IPA servers would have just one key in their
>>>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>>>> any name the clients may ask for.
>>>>>
>>>>> It is a bit tricky, every time you build a replica you want to
>>>>> load-balance you'll have to go back and remove the service and switch
>>>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>>>> get to keep the pieces :-)
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> Careful there, as Kerberos balks at CNAME records. I think you need to
>>>> use A records. I ran into a couple of odd issues and decided to only use
>>>> A/PTR records for my stuff and never went "exploring" for
>>>> options/alternatives.
>>>>
>>>
>>> Not DNS aliases, Kerberos principal aliases.
>>>
>>> rob
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] freeipa behind a load balancer

2015-04-01 Thread Matt .
Hi,

I'm not giving up on this, so I'm testing.

I'm unsure at the moment about the keytab. The keytab is normally for
the user that needs to be able to do "stuff", but in this case we need
one for the loadbalancer name or the client, maybe combined?

I lost that overview... would be nice to get some advice here.

Thanks!

Matt

2015-03-31 21:23 GMT+02:00 Matt . :
> OK, but we need to do this using IPA or (as IPA does some things
> differently it seems).
>
> Anyone testing this perhaps? (/me is multitasking atm)
>
> 2015-03-31 20:22 GMT+02:00 Rob Crittenden :
>> Brendan Kearney wrote:
>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>>> But IPA is more complex and some operations will be performed directly
>>>>> against the specific server name, so you need to keep 2 sets of keys
>>>>> (one for the server name and one for the load balancer name), but that
>>>>> does not work right now.
>>>>
>>>> One experiment that can be done is to remove all "per-server" HTTP
>>>> services for the IPA server, and instead add their name as aliases on
>>>> the common load-balancer name.
>>>>
>>>> This would mean that all IPA servers would have just one key in their
>>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>>> any name the clients may ask for.
>>>>
>>>> It is a bit tricky, every time you build a replica you want to
>>>> load-balance you'll have to go back and remove the service and switch
>>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>>> get to keep the pieces :-)
>>>>
>>>> Simo.
>>>>
>>>
>>> Careful there, as Kerberos balks at CNAME records. I think you need to
>>> use A records. I ran into a couple of odd issues and decided to only use
>>> A/PTR records for my stuff and never went "exploring" for
>>> options/alternatives.
>>>
>>
>> Not DNS aliases, Kerberos principal aliases.
>>
>> rob
>>



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
OK, but we need to do this using IPA or (as IPA does some things
differently it seems).

Anyone testing this perhaps? (/me is multitasking atm)

2015-03-31 20:22 GMT+02:00 Rob Crittenden :
> Brendan Kearney wrote:
>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>> But IPA is more complex and some operations will be performed directly
>>>> against the specific server name, so you need to keep 2 sets of keys
>>>> (one for the server name and one for the load balancer name), but that
>>>> does not work right now.
>>>
>>> One experiment that can be done is to remove all "per-server" HTTP
>>> services for the IPA server, and instead add their name as aliases on
>>> the common load-balancer name.
>>>
>>> This would mean that all IPA servers would have just one key in their
>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>> any name the clients may ask for.
>>>
>>> It is a bit tricky, every time you build a replica you want to
>>> load-balance you'll have to go back and remove the service and switch
>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>> get to keep the pieces :-)
>>>
>>> Simo.
>>>
>>
>> Careful there, as Kerberos balks at CNAME records. I think you need to
>> use A records. I ran into a couple of odd issues and decided to only use
>> A/PTR records for my stuff and never went "exploring" for
>> options/alternatives.
>>
>
> Not DNS aliases, Kerberos principal aliases.
>
> rob
>



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Rob Crittenden
Brendan Kearney wrote:
> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>> But IPA is more complex and some operations will be performed directly
>>> against the specific server name, so you need to keep 2 sets of keys
>>> (one for the server name and one for the load balancer name), but that
>>> does not work right now.
>>
>> One experiment that can be done is to remove all "per-server" HTTP
>> services for the IPA server, and instead add their name as aliases on
>> the common load-balancer name.
>>
>> This would mean that all IPA servers would have just one key in their
>> HTTP keytab, but the KDC would release tickets readable by that key for
>> any name the clients may ask for.
>>
>> It is a bit tricky, every time you build a replica you want to
>> load-balance you'll have to go back and remove the service and switch
>> keytabs, but it may be an option. Of course if you brick IPA then you
>> get to keep the pieces :-)
>>
>> Simo.
>>
> 
> Careful there, as Kerberos balks at CNAME records. I think you need to
> use A records. I ran into a couple of odd issues and decided to only use
> A/PTR records for my stuff and never went "exploring" for
> options/alternatives.
> 

Not DNS aliases, Kerberos principal aliases.

rob



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
Simo,

Yes, that was what I was thinking of also, so you say faking by DNS?

@Brendan, CNAMEs are not that nice in networks indeed.

2015-03-31 20:10 GMT+02:00 Brendan Kearney :
> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>> > But IPA is more complex and some operations will be performed directly
>> > against the specific server name, so you need to keep 2 sets of keys
>> > (one for the server name and one for the load balancer name), but that
>> > does not work right now.
>>
>> One experiment that can be done is to remove all "per-server" HTTP
>> services for the IPA server, and instead add their name as aliases on
>> the common load-balancer name.
>>
>> This would mean that all IPA servers would have just one key in their
>> HTTP keytab, but the KDC would release tickets readable by that key for
>> any name the clients may ask for.
>>
>> It is a bit tricky, every time you build a replica you want to
>> load-balance you'll have to go back and remove the service and switch
>> keytabs, but it may be an option. Of course if you brick IPA then you
>> get to keep the pieces :-)
>>
>> Simo.
>>
>
> Careful there, as Kerberos balks at CNAME records. I think you need to
> use A records. I ran into a couple of odd issues and decided to only use
> A/PTR records for my stuff and never went "exploring" for
> options/alternatives.
>



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Brendan Kearney
On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
> > But IPA is more complex and some operations will be performed directly
> > against the specific server name, so you need to keep 2 sets of keys
> > (one for the server name and one for the load balancer name), but that
> > does not work right now.
> 
> One experiment that can be done is to remove all "per-server" HTTP
> services for the IPA server, and instead add their name as aliases on
> the common load-balancer name.
> 
> This would mean that all IPA servers would have just one key in their
> HTTP keytab, but the KDC would release tickets readable by that key for
> any name the clients may ask for.
> 
> It is a bit tricky, every time you build a replica you want to
> load-balance you'll have to go back and remove the service and switch
> keytabs, but it may be an option. Of course if you brick IPA then you
> get to keep the pieces :-)
> 
> Simo.
> 

Careful there, as Kerberos balks at CNAME records. I think you need to
use A records. I ran into a couple of odd issues and decided to only use
A/PTR records for my stuff and never went "exploring" for
options/alternatives.



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Simo Sorce
On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
> But IPA is more complex and some operations will be performed directly
> against the specific server name, so you need to keep 2 sets of keys
> (one for the server name and one for the load balancer name), but that
> does not work right now.

One experiment that can be done is to remove all "per-server" HTTP
services for the IPA server, and instead add their name as aliases on
the common load-balancer name.

This would mean that all IPA servers would have just one key in their
HTTP keytab, but the KDC would release tickets readable by that key for
any name the clients may ask for.

It is a bit tricky, every time you build a replica you want to
load-balance you'll have to go back and remove the service and switch
keytabs, but it may be an option. Of course if you brick IPA then you
get to keep the pieces :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

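A check a replica admin would want for the layout Simo sketches, as an added example that is not part of the thread or of FreeIPA: it parses an MIT v2 keytab (the on-disk format of a replica's HTTP keytab), lists the HTTP principals and kvnos it holds, flags any per-server HTTP key left next to the load-balancer key, and tells whether a ticket issued under a given kvno (what the `kvno` tool prints) is decryptable with it. The realm, host names and key bytes are constructed sample values, not taken from any deployment.

```python
"""Check a replica's HTTP keytab against the "one load-balancer key, server
names as KDC-side aliases" layout. Added example, not FreeIPA code; every
principal, realm and key byte below is a constructed sample value."""
from __future__ import annotations
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2
ENCTYPE_AES256 = 18          # aes256-cts-hmac-sha1-96
LB_PRINCIPAL = "HTTP/lb.ipa.example@IPA.EXAMPLE"             # constructed
SERVER_PRINCIPALS = ["HTTP/ipa-01.ipa.example@IPA.EXAMPLE",  # constructed
                     "HTTP/ipa-02.ipa.example@IPA.EXAMPLE"]


@dataclass
class KeytabEntry:
    principal: str           # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read a 16-bit length-prefixed string (realm or principal component)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Walk a v2 keytab: signed 32-bit record size, then the entry. A negative
    size is a deleted slot; a trailing non-zero 32-bit kvno overrides vno8."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # deleted slot; size 0 ends the walk
            off = off - size if size else len(data)
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        off += 8                          # name_type (4) and timestamp (4), unused
        kvno, (enctype, klen) = data[off], struct.unpack_from(">HH", data, off + 1)
        off += 5
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:                # optional 32-bit kvno
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries: list[KeytabEntry], timestamp: int = 0) -> bytes:
    """Serialise entries in the same v2 layout (used to construct sample input)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, timestamp, e.kvno & 0xFF)  # name_type 1 = NT-PRINCIPAL
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # 32-bit kvno, so values > 255 survive
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_lb_layout(entries, lb_principal, server_principals) -> dict:
    """LB key must be present; any remaining per-server HTTP key means the
    replica was not switched over (those names should only be KDC aliases)."""
    kvnos: dict[str, set[int]] = {}
    for e in entries:
        kvnos.setdefault(e.principal, set()).add(e.kvno)
    return {"has_lb_key": lb_principal in kvnos,
            "leftover_server_keys": sorted(set(kvnos) & set(server_principals)),
            "kvnos": {p: sorted(v) for p, v in kvnos.items()}}


def can_decrypt_ticket(entries, principal, ticket_kvno: int) -> bool:
    """True when the keytab holds that principal under the kvno the ticket was
    issued with (the number the `kvno` tool prints for the service)."""
    return any(e.principal == principal and e.kvno == ticket_kvno for e in entries)


def sample_keytab() -> bytes:
    """Constructed replica keytab: LB key (kvno 3), a leftover ipa-01 key
    (kvno 2) and one deleted slot at the end."""
    entries = [KeytabEntry(LB_PRINCIPAL, 3, ENCTYPE_AES256, bytes(range(32))),
               KeytabEntry(SERVER_PRINCIPALS[0], 2, ENCTYPE_AES256, bytes(range(32, 64)))]
    return build_keytab(entries) + struct.pack(">i", -6) + bytes(6)


if __name__ == "__main__":
    print(check_lb_layout(parse_keytab(sample_keytab()), LB_PRINCIPAL, SERVER_PRINCIPALS))
```

To run it against a real replica, read the HTTP keytab file into `parse_keytab` instead of `sample_keytab()` and compare the reported kvnos with what `kvno` prints on a client that goes through the load balancer.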


Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Simo Sorce
On Tue, 2015-03-31 at 13:21 -0400, Brendan Kearney wrote:
> On Tue, 2015-03-31 at 12:53 -0400, Simo Sorce wrote:
> > On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
> > > On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
> > > > On 03/31/2015 10:38 AM, Matt . wrote:
> > > > > True, but we have some extra layer in between which makes the cli command
> > > > > not usable (at least for the moment)
> > > > >
> > > > > I already know how to share the keys among all servers, that works
> > > > > fine, IPA/Apache/Kerberos only doesn't like the other hostname
> > > > > (loadbalancer), or the client doesn't understand it.
> > > > >
> > > > > So fixing this saves me really much more time than doing it the other 
> > > > > way.
> > > > 
> > > > Kerberos is not load balancer friendly. It is something that is a known 
> > > > property of Kerberos.
> > > > I remember MIT mentioning something that they did or might do to help 
> > > > with that so it might make sense to ask this question on the MIT 
> > > > Kerberos user list.
> > > > 
> > > > >
> > > > > Thanks!
> > > > >
> > > > > Matt
> > > > >
> > > > > 2015-03-31 16:24 GMT+02:00 Petr Spacek :
> > > > >> On 31.3.2015 16:10, Matt . wrote:
> > > > >>> Hi Petr,
> > > > >>>
> > > > >>> We had several reasons why we did that. We wanted to use one
> > > > >>> language for that, and also have formatted returns. There was also
> > > > >>> some security issue which came up.
> > > > >> I would be very interested in the security reason. If you see any 
> > > > >> problem with
> > > > >> 'ipa' command or FreeIPA API please send me a private e-mail or 
> > > > >> contact
> > > > >> secal...@redhat.com directly.
> > > > >>
> > > > >>> I could ask you, why does IPA use json itself? If you see what it posts
> > > > >>> and what it gets back as result it makes it much more clear in
> > > > >>> development.
> > > > >> I do not understand the question, sorry.
> > > > >>
> > > > >> If you want to see what 'ipa' command does run it with '-vv' 
> > > > >> parameter:
> > > > >> $ ipa -vv user-find
> > > > >>
> > > > >> It will print JSON request and reply:
> > > > >> ipa: INFO: Request: {
> > > > >>  "id": 0,
> > > > >>  "method": "user_find",
> > > > >>  "params": [
> > > > >>  [
> > > > >>  null
> > > > >>  ],
> > > > >>  {
> > > > >>  "all": false,
> > > > >>  "no_members": false,
> > > > >>  "pkey_only": false,
> > > > >>  "raw": false,
> > > > >>  "version": "2.115",
> > > > >>  "whoami": false
> > > > >>  }
> > > > >>  ]
> > > > >> }
> > > > >> ipa: INFO: Response: {
> > > > >>  "error": null,
> > > > >>  "id": 0,
> > > > >>  "principal": "admin@IPA.EXAMPLE",
> > > > >>  "result": {
> > > > >>  "count": 2,
> > > > >>  "result": [
> > > > >>  {
> > > > >>  "dn": 
> > > > >> "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
> > > > >>  "gidnumber": [
> > > > >>  "138100"
> > > > >>  ],
> > > > >> ...
> > > > >>
> > > > >>
> > > > >>> HTTP loadbalancing is not difficult at all, as we post to the
> > > > >>> webserver I need to have that part only auth right. We do more very
> > > > >>> specific loadbalancing stuff and this is the most easy one as it's
> > > > >>> only webserver forward, but IPA/Kerberos has an issue with the
> > > > >>> principal it seems... it cannot be hard to make that accepted I 
> > > > >>> would
> > > > >>> say.
> > > > >> If you insist on Kerberos servers behind a load balancer... you will 
> > > > >> need to
> > > > >> somehow share the Kerberos key among all servers. I will defer that 
> > > > >> to
> > > > >> Kerberos experts here.
> > > > >>
> > > > >>> I'm still looking for solutions :)
> > > > >> Sure, but you will save a lot of time and nerves if you simply call 
> > > > >> 'ipa'
> > > > >> command :-)
> > > > >>
> > > > >> Have a nice day!
> > > > >>
> > > > >> Petr^2 Spacek
> > > > >>
> > > > >>> Cheers,
> > > > >>>
> > > > >>> Matt
> > > > >>>
> > > > >>> 2015-03-31 15:58 GMT+02:00 Petr Spacek :
> > > > >>>> On 31.3.2015 15:23, Matt . wrote:
> > > > >>>>> Hi Petr,
> > > > >>>>>
> > > > >>>>> We discussed that before indeed, but SRV is not usable in this 
> > > > >>>>> case.
> > > > >>>>>
> > > > >>>>> My clients are just webservers (apache) doing some executes of 
> > > > >>>>> CURL
> > > > >>>>> commands to ipa/json, actually the same commands as the webgui 
> > > > >>>>> does
> > > > >>>>> using json, but we curl it.
> > > > >>>>>
> > > > >>>>> Do you have a better view now ?
> > > > >>>> Yes. If you have seen the previous discussion then you know that 
> > > > >>>> it will be
> > > > >>>> pretty difficult to do this kind of load balancing.
> > > > >>>>
> > > > >>>> Why are you not using 'ipa' command or Python API we have instead? 
> > > > >>>> Why use
> > > > >>>> CURL and make things more 

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Brendan Kearney
On Tue, 2015-03-31 at 19:36 +0200, Matt . wrote:
> OK, but as I say, without the loadbalancer, same domain it works.
> 
All the more reason to capture the session and review it in Wireshark.

> My IPA server also sees the client name and ptr as I do nat.
> 
> So you create a keytab for your host you are doing the commands from ?
All of my hosts get a host principal and have it put
in /etc/krb5.keytab. I run kadmin to generate them. FreeIPA likely has
utilities for this, but I am not sure what they are.

> I was using a user keytab and run my commands as that user, that works
> to ipa-01
> 
> It's getting something more clear.




Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
OK, but as I say, without the loadbalancer, same domain it works.

My IPA server also sees the client name and PTR as I do NAT.

So you create a keytab for your host you are doing the commands from?
I was using a user keytab and ran my commands as that user, that works
to ipa-01.

It's getting somewhat more clear.



2015-03-31 19:29 GMT+02:00 Brendan Kearney :
> On Tue, 2015-03-31 at 18:18 +0200, Matt . wrote:
>> OK, that makes it even more clear.
>>
>> an ldapwhoami might be an issue. As this client is known on a
>> different ldap server and I kinit to another ldap server. There is a
>> reason for this as we have our office network and our deployment
>> network. Users that manage are in the office ldap, users that are in
>> deployment are in the deployment ldap. I do my kinit
>> username@deployment.domain which works ok when I run my commands at
>> ipa-01.deployment.domain.
>>
>> But when I want to do a ldapwhoami it tries to connect to the office
>> ldap server which is not working of course. (I get a connection error
>> atm, need to investigate as that server is running fine).
>>
>> Get the idea ?
>>
>> Thanks again!
>>
>> Matt
>>
>> 2015-03-31 17:58 GMT+02:00 Brendan Kearney :
>> > On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote:
>> >> Hi Brendan,
>> >>
>> >> Yes thanks for your great explanation, I have done that indeed. But in
>> >> some strange way, with only a 401 in access_log of apache I get a Non
>> >> valid ticket when I connect through my loadbalancer. I don't go "by"
>> >> my loadbalancer but through it (NAT) or should it go "by/next" to it ?
>> >>
>> >> I think we can get this fixed :)
>> >>
>> >> Thanks!
>> >>
>> >> Matt
>> >>
>> >> 2015-03-31 17:41 GMT+02:00 Brendan Kearney :
>> >> > On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
>> >> >> On 03/31/2015 10:38 AM, Matt . wrote:
>> >> >> > True, but we have some extra layer in between which makes the cli command
>> >> >> > not usable (at least for the moment)
>> >> >> >
>> >> >> > I already know how to share the keys among all servers, that works
>> >> >> > fine, IPA/Apache/Kerberos only doesn't like the other hostname
>> >> >> > (loadbalancer), or the client doesn't understand it.
>> >> >> >
>> >> >> > So fixing this saves me really much more time than doing it the other 
>> >> >> > way.
>> >> >>
>> >> >> Kerberos is not load balancer friendly. It is something that is a known
>> >> >> property of Kerberos.
>> >> >> I remember MIT mentioning something that they did or might do to help
>> >> >> with that so it might make sense to ask this question on the MIT
>> >> >> Kerberos user list.
>> >> >>
>> >> >> >
>> >> >> > Thanks!
>> >> >> >
>> >> >> > Matt
>> >> >> >
>> >> >> > 2015-03-31 16:24 GMT+02:00 Petr Spacek :
>> >> >> >> On 31.3.2015 16:10, Matt . wrote:
>> >> >> >>> Hi Petr,
>> >> >> >>>
>> >> >> >>> We had several reasons why we did that. We wanted to use one
>> >> >> >>> language for that, and also have formatted returns. There was also
>> >> >> >>> some security issue which came up.
>> >> >> >> I would be very interested in the security reason. If you see any 
>> >> >> >> problem with
>> >> >> >> 'ipa' command or FreeIPA API please send me a private e-mail or 
>> >> >> >> contact
>> >> >> >> secal...@redhat.com directly.
>> >> >> >>
>> >> >> >>> I could ask you, why does IPA use json itself? If you see what it 
>> >> >> >>> posts
>> >> >> >>> and what it gets back as result it makes it much more clear in
>> >> >> >>> development.
>> >> >> >> I do not understand the question, sorry.
>> >> >> >>
>> >> >> >> If you want to see what 'ipa' command does run it with '-vv' 
>> >> >> >> parameter:
>> >> >> >> $ ipa -vv user-find
>> >> >> >>
>> >> >> >> It will print JSON request and reply:
>> >> >> >> ipa: INFO: Request: {
>> >> >> >>  "id": 0,
>> >> >> >>  "method": "user_find",
>> >> >> >>  "params": [
>> >> >> >>  [
>> >> >> >>  null
>> >> >> >>  ],
>> >> >> >>  {
>> >> >> >>  "all": false,
>> >> >> >>  "no_members": false,
>> >> >> >>  "pkey_only": false,
>> >> >> >>  "raw": false,
>> >> >> >>  "version": "2.115",
>> >> >> >>  "whoami": false
>> >> >> >>  }
>> >> >> >>  ]
>> >> >> >> }
>> >> >> >> ipa: INFO: Response: {
>> >> >> >>  "error": null,
>> >> >> >>  "id": 0,
>> >> >> >>  "principal": "admin@IPA.EXAMPLE",
>> >> >> >>  "result": {
>> >> >> >>  "count": 2,
>> >> >> >>  "result": [
>> >> >> >>  {
>> >> >> >>  "dn": 
>> >> >> >> "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
>> >> >> >>  "gidnumber": [
>> >> >> >>  "138100"
>> >> >> >>  ],
>> >> >> >> ...
>> >> >> >>
>> >> >> >>
>> >> >> >>> HTTP loadbalancing is not difficult at all, as we post to the
>> >> >> >>> webserver I need to have that part only auth right. We do more very
>> >> >> >>> specific loadbalancing stuff and this

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Brendan Kearney
On Tue, 2015-03-31 at 18:18 +0200, Matt . wrote:
> OK, that makes it even more clear.
> 
> an ldapwhoami might be an issue. As this client is known on a
> different ldap server and I kinit to another ldap server. There is a
> reason for this as we have our office network and our deployment
> network. Users that manage are in the office ldap, users that are in
> deployment are in the deployment ldap. I do my kinit
> username@deployment.domain which works ok when I run my commands at
> ipa-01.deployment.domain.
> 
> But when I want to do a ldapwhoami it tries to connect to the office
> ldap server which is not working of course. (I get a connection error
> atm, need to investigate as that server is running fine).
> 
> Get the idea ?
> 
> Thanks again!
> 
> Matt
> 
> 2015-03-31 17:58 GMT+02:00 Brendan Kearney :
> > On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote:
> >> Hi Brendan,
> >>
> >> Yes thanks for your great explanation, I have done that indeed. But in
> >> some strange way, with only a 401 in access_log of apache I get a Non
> >> valid ticket when I connect through my loadbalancer. I don't go "by"
> >> my loadbalancer but through it (NAT) or should it go "by/next" to it ?
> >>
> >> I think we can get this fixed :)
> >>
> >> Thanks!
> >>
> >> Matt
> >>
> >> 2015-03-31 17:41 GMT+02:00 Brendan Kearney :
> >> > On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
> >> >> On 03/31/2015 10:38 AM, Matt . wrote:
> >> >> > True, but we have some extra layer in between which makes the cli command
> >> >> > not usable (at least for the moment)
> >> >> >
> >> >> > I already know how to share the keys among all servers, that works
> >> >> > fine, IPA/Apache/Kerberos only doesn't like the other hostname
> >> >> > (loadbalancer), or the client doesn't understand it.
> >> >> >
> >> >> > So fixing this saves me really much more time than doing it the other 
> >> >> > way.
> >> >>
> >> >> Kerberos is not load balancer friendly. It is something that is a known
> >> >> property of Kerberos.
> >> >> I remember MIT mentioning something that they did or might do to help
> >> >> with that so it might make sense to ask this question on the MIT
> >> >> Kerberos user list.
> >> >>
> >> >> >
> >> >> > Thanks!
> >> >> >
> >> >> > Matt
> >> >> >
> >> >> > 2015-03-31 16:24 GMT+02:00 Petr Spacek :
> >> >> >> On 31.3.2015 16:10, Matt . wrote:
> >> >> >>> Hi Petr,
> >> >> >>>
> >> >> >>> We had several reasons why we did that. We wanted to use one
> >> >> >>> language for that, and also have formatted returns. There was also
> >> >> >>> some security issue which came up.
> >> >> >> I would be very interested in the security reason. If you see any 
> >> >> >> problem with
> >> >> >> 'ipa' command or FreeIPA API please send me a private e-mail or 
> >> >> >> contact
> >> >> >> secal...@redhat.com directly.
> >> >> >>
> >> >> >>> I could ask you, why does IPA use json itself? If you see what it posts
> >> >> >>> and what it gets back as result it makes it much more clear in
> >> >> >>> development.
> >> >> >> I do not understand the question, sorry.
> >> >> >>
> >> >> >> If you want to see what 'ipa' command does run it with '-vv' 
> >> >> >> parameter:
> >> >> >> $ ipa -vv user-find
> >> >> >>
> >> >> >> It will print JSON request and reply:
> >> >> >> ipa: INFO: Request: {
> >> >> >>  "id": 0,
> >> >> >>  "method": "user_find",
> >> >> >>  "params": [
> >> >> >>  [
> >> >> >>  null
> >> >> >>  ],
> >> >> >>  {
> >> >> >>  "all": false,
> >> >> >>  "no_members": false,
> >> >> >>  "pkey_only": false,
> >> >> >>  "raw": false,
> >> >> >>  "version": "2.115",
> >> >> >>  "whoami": false
> >> >> >>  }
> >> >> >>  ]
> >> >> >> }
> >> >> >> ipa: INFO: Response: {
> >> >> >>  "error": null,
> >> >> >>  "id": 0,
> >> >> >>  "principal": "admin@IPA.EXAMPLE",
> >> >> >>  "result": {
> >> >> >>  "count": 2,
> >> >> >>  "result": [
> >> >> >>  {
> >> >> >>  "dn": 
> >> >> >> "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
> >> >> >>  "gidnumber": [
> >> >> >>  "138100"
> >> >> >>  ],
> >> >> >> ...
> >> >> >>
> >> >> >>
> >> >> >>> HTTP loadbalancing is not difficult at all, as we post to the
> >> >> >>> webserver I need to have that part only auth right. We do more very
> >> >> >>> specific loadbalancing stuff and this is the most easy one as it's
> >> >> >>> only webserver forward, but IPA/Kerberos has an issue with the
> >> >> >>> principal it seems... it cannot be hard to make that accepted I 
> >> >> >>> would
> >> >> >>> say.
> >> >> >> If you insist on Kerberos servers behind a load balancer... you will 
> >> >> >> need to
> >> >> >> somehow share the Kerberos key among all servers. I will defer that 
> >> >> >> to
> >> >> >> Kerberos experts here.
> >> >> >>
> >> >> >>> I'm still looking for sol

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Brendan Kearney
On Tue, 2015-03-31 at 12:53 -0400, Simo Sorce wrote:
> On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
> > On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
> > > On 03/31/2015 10:38 AM, Matt . wrote:
> > > > True, but we have some extra layer in between which makes the cli command
> > > > not usable (at least for the moment)
> > > >
> > > > I already know how to share the keys among all servers, that works
> > > > fine, IPA/Apache/Kerberos only doesn't like the other hostname
> > > > (loadbalancer), or the client doesn't understand it.
> > > >
> > > > So fixing this saves me really much more time than doing it the other 
> > > > way.
> > > 
> > > Kerberos is not load balancer friendly. It is something that is a known 
> > > property of Kerberos.
> > > I remember MIT mentioning something that they did or might do to help 
> > > with that so it might make sense to ask this question on the MIT 
> > > Kerberos user list.
> > > 
> > > >
> > > > Thanks!
> > > >
> > > > Matt
> > > >
> > > > 2015-03-31 16:24 GMT+02:00 Petr Spacek :
> > > >> On 31.3.2015 16:10, Matt . wrote:
> > > >>> Hi Petr,
> > > >>>
> > > >>> We had several reasons why we did that. We wanted to use one
> > > >>> language for that, and also have formatted returns. There was also
> > > >>> some security issue which came up.
> > > >> I would be very interested in the security reason. If you see any 
> > > >> problem with
> > > >> 'ipa' command or FreeIPA API please send me a private e-mail or contact
> > > >> secal...@redhat.com directly.
> > > >>
> > > >>> I could ask you, why does IPA use json itself? If you see what it posts
> > > >>> and what it gets back as result it makes it much more clear in
> > > >>> development.
> > > >> I do not understand the question, sorry.
> > > >>
> > > >> If you want to see what 'ipa' command does run it with '-vv' parameter:
> > > >> $ ipa -vv user-find
> > > >>
> > > >> It will print JSON request and reply:
> > > >> ipa: INFO: Request: {
> > > >>  "id": 0,
> > > >>  "method": "user_find",
> > > >>  "params": [
> > > >>  [
> > > >>  null
> > > >>  ],
> > > >>  {
> > > >>  "all": false,
> > > >>  "no_members": false,
> > > >>  "pkey_only": false,
> > > >>  "raw": false,
> > > >>  "version": "2.115",
> > > >>  "whoami": false
> > > >>  }
> > > >>  ]
> > > >> }
> > > >> ipa: INFO: Response: {
> > > >>  "error": null,
> > > >>  "id": 0,
> > > >>  "principal": "admin@IPA.EXAMPLE",
> > > >>  "result": {
> > > >>  "count": 2,
> > > >>  "result": [
> > > >>  {
> > > >>  "dn": 
> > > >> "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
> > > >>  "gidnumber": [
> > > >>  "138100"
> > > >>  ],
> > > >> ...
> > > >>
> > > >>
> > > >>> HTTP loadbalancing is not difficult at all, as we post to the
> > > >>> webserver I need to have that part only auth right. We do more very
> > > >>> specific loadbalancing stuff and this is the most easy one as it's
> > > >>> only webserver forward, but IPA/Kerberos has an issue with the
> > > >>> principal it seems... it cannot be hard to make that accepted I would
> > > >>> say.
> > > >> If you insist on Kerberos servers behind a load balancer... you will 
> > > >> need to
> > > >> somehow share the Kerberos key among all servers. I will defer that to
> > > >> Kerberos experts here.
> > > >>
> > > >>> I'm still looking for solutions :)
> > > >> Sure, but you will save a lot of time and nerves if you simply call 
> > > >> 'ipa'
> > > >> command :-)
> > > >>
> > > >> Have a nice day!
> > > >>
> > > >> Petr^2 Spacek
> > > >>
> > > >>> Cheers,
> > > >>>
> > > >>> Matt
> > > >>>
> > > >>> 2015-03-31 15:58 GMT+02:00 Petr Spacek :
> > >  On 31.3.2015 15:23, Matt . wrote:
> > > > Hi Petr,
> > > >
> > > > We discussed that before indeed, but SRV is not usable in this case.
> > > >
> > > > My clients are just webservers (apache) doing some executes of CURL
> > > > commands to ipa/json, actually the same commands as the webgui does
> > > > using json, but we curl it.
> > > >
> > > > Do you have a better view now ?
> > >  Yes. If you have seen the previous discussion then you know that it 
> > >  will be
> > >  pretty difficult to do this kind of load balancing.
> > > 
> > >  Why are you not using 'ipa' command or Python API we have instead? 
> > >  Why to use
> > >  CURL and make things more complex?
> > > 
> > >  Petr^2 Spacek
> > > 
> > > > 2015-03-31 15:03 GMT+02:00 Petr Spacek :
> > > >> On 31.3.2015 14:35, Matt . wrote:
> > > >>> Hi Petr,
> > > >>>
> > > >>> As this is not my topic it's for me quite "simple".
> > > >>>
> > > >>> I need to post to /ipa/json through a loadbalancer, nothing more.
> > > >>>
> > > >>> i have
> > > 

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Simo Sorce
On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
> On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
OK, that makes it even more clear.

an ldapwhoami might be an issue. As this client is known on a
different ldap server and I kinit to another ldap server. There is a
reason for this as we have our office network and our deployment
network. Users that manage are in the office ldap, users that are in
deployment are in the deployment ldap. I do my kinit as
username@deployment.domain which works ok when I run my commands at
ipa-01.deployment.domain.

But when I want to do an ldapwhoami it tries to connect to the office
ldap server which is not working of course. (I get a connection error
atm, need to investigate as that server is running fine).

Get the idea ?

Thanks again!

Matt

2015-03-31 17:58 GMT+02:00 Brendan Kearney :
> On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote:

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Brendan Kearney
On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote:
> Hi Brendan,
> 
> Yes thanks for your great explanation, I have done that indeed. But in
> some strange way, with only a 401 in access_log of apache I get a non-valid
> ticket when I connect through my loadbalancer. I don't go "by"
> my loadbalancer but through it (NAT) or should it go "by/next" to it ?
> 
> I think we can get this fixed :)
> 
> Thanks!
> 
> Matt
> 
> 2015-03-31 17:41 GMT+02:00 Brendan Kearney :

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
Hi Brendan,

Yes thanks for your great explanation, I have done that indeed. But in
some strange way, with only a 401 in access_log of apache I get a non-valid
ticket when I connect through my loadbalancer. I don't go "by"
my loadbalancer but through it (NAT) or should it go "by/next" to it ?

I think we can get this fixed :)

Thanks!

Matt

2015-03-31 17:41 GMT+02:00 Brendan Kearney :
> On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Brendan Kearney
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
> On 03/31/2015 10:38 AM, Matt . wrote:
> > True, but we have some extra layer in between which makes the cli command
> > not usable (at least for the moment)
> >
> > I already know how to share the keys among all servers, that works
> > fine, IPA/Apache/Kerberos only doesn't like the other hostname
> > (loadbalancer), or the client doesn't understand it.
> >
> > So fixing this saves me really much more time than doing it the other way.
> 
> Kerberos is not load balancer friendly. It is something that is a known 
> property of Kerberos.
> I remember MIT mentioning something that they did or might do to help 
> with that so it might make sense to ask this question on the MIT 
> Kerberos user list.
> 

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Dmitri Pal

On 03/31/2015 10:38 AM, Matt . wrote:

> True, but we have some extra layer in between which makes the cli command
> not usable (at least for the moment)
>
> I already know how to share the keys among all servers, that works
> fine, IPA/Apache/Kerberos only doesn't like the other hostname
> (loadbalancer), or the client doesn't understand it.
>
> So fixing this saves me really much more time than doing it the other way.


Kerberos is not load balancer friendly. It is something that is a known 
property of Kerberos.
I remember MIT mentioning something that they did or might do to help 
with that so it might make sense to ask this question on the MIT 
Kerberos user list.




> 2015-03-31 14:21 GMT+02:00 Petr Spacek :
>> On 31.3.2015 14:02, Matt . wrote:
>>> HI Phasant,
>>>
>>> Check my mailings about it, it's not easy at least the kerberos part
>>> not, SRV records are used for that normally.
>>>
>>> Are you talking about the webgui or the ldap part ?
>>>
>>> I wo

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
True, but we have some extra layer in between which makes the cli command
not usable (at least for the moment)

I already know how to share the keys among all servers, that works
fine, IPA/Apache/Kerberos only doesn't like the other hostname
(loadbalancer), or the client doesn't understand it.

So fixing this saves me really much more time than doing it the other way.

Thanks!

Matt

2015-03-31 16:24 GMT+02:00 Petr Spacek :
> On 31.3.2015 16:10, Matt . wrote:
>> HI Petr,
>>
>> We had a several of reasons why we did that. We wanted to use one
>> language for that, and also have formatted returns. There was also
>> some security issue which came up.
>
> I would be very interested in the security reason. If you see any problem with
> 'ipa' command or FreeIPA API please send me a private e-mail or contact
> secal...@redhat.com directly.
>
>> I could ask you, why does IPA json itself ? if you see what it posts
>> and what it gets back as result it makes it much more clear in
>> development.
>
> I do not understand the question, sorry.
>
> If you want to see what 'ipa' command does run it with '-vv' parameter:
> $ ipa -vv user-find
>
> It will print JSON request and reply:
> ipa: INFO: Request: {
>     "id": 0,
>     "method": "user_find",
>     "params": [
>         [
>             null
>         ],
>         {
>             "all": false,
>             "no_members": false,
>             "pkey_only": false,
>             "raw": false,
>             "version": "2.115",
>             "whoami": false
>         }
>     ]
> }
> ipa: INFO: Response: {
>     "error": null,
>     "id": 0,
>     "principal": "admin@IPA.EXAMPLE",
>     "result": {
>         "count": 2,
>         "result": [
>             {
>                 "dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
>                 "gidnumber": [
>                     "138100"
>                 ],
> ...
>
>
>> HTTP loadbalancing is not difficult at all, as we post to the
>> webserver I need to have that part only auth right. We do more very
>> specific loadbalancing stuff and this is the most easy one as it's
>> only webserver forward, but IPA/Kerberos has an issue with the
>> principal it seems... it cannot be hard to make that accepted I would
>> say.
>
> If you insist on Kerberos servers behind a load balancer... you will need to
> somehow share the Kerberos key among all servers. I will defer that to
> Kerberos experts here.
>
>> I'm still looking for solutions :)
>
> Sure, but you will save a lot of time and nerves if you simply call 'ipa'
> command :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
>> Cheers,
>>
>> Matt
>>
>> 2015-03-31 15:58 GMT+02:00 Petr Spacek :
>>> On 31.3.2015 15:23, Matt . wrote:
>>>> Hi Petr,
>>>>
>>>> We discussed that before indeed, but SRV is not usable in this case.
>>>>
>>>> My clients are just webservers (Apache) executing some curl
>>>> commands against ipa/json, actually the same commands as the web GUI does
>>>> using JSON, but we curl it.
>>>>
>>>> Do you have a better view now?
>>>
>>> Yes. If you have seen the previous discussion then you know that it will be
>>> pretty difficult to do this kind of load balancing.
>>>
>>> Why are you not using the 'ipa' command or the Python API we have instead? Why
>>> use curl and make things more complex?
>>>
>>> Petr^2 Spacek
>>>
>>>> 2015-03-31 15:03 GMT+02:00 Petr Spacek :
>>>>> On 31.3.2015 14:35, Matt . wrote:
>>>>>> Hi Petr,
>>>>>>
>>>>>> As this is not my topic it's for me quite "simple".
>>>>>>
>>>>>> I need to post to /ipa/json through a load balancer, nothing more.
>>>>>>
>>>>>> I have
>>>>>>
>>>>>> ldap-01.domain.tld (ipa1)
>>>>>> ldap-01.domain.tld (ipa2)
>>>>>>
>>>>>> and my load balancer is ldap.domain.tld
>>>>>>
>>>>>> LDAP requests over a load balancer are quite simple and working, but
>>>>>> the JSON part is more difficult because of the ticket and the DNS
>>>>>> name. I have added a SAN ldap.domain.tld to the web GUI and there is an
>>>>>> http/ldap.domain.tld service on the IPA server.
>>>>>>
>>>>>> I get an invalid Kerberos ticket when I go through ldap.domain.tld to
>>>>>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>>>>>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>>>>
>>>>>> Is this enough information for you?
>>>>>
>>>>> Well, I still do not understand the use case. What are your clients? Are you
>>>>> using the 'ipa' command to do something? Or some other clients?
>>>>>
>>>>> Usually the best thing is to use DNS SRV records because it works even with
>>>>> geographically distributed clusters and does not have a single point of failure
>>>>> (the load balancer).
>>>>>
>>>>> This requires clients with support for DNS SRV but if your machines are using
>>>>> SSSD then you do not need to change anything and it should just work.
>>>>>
>>>>> That is why I'm asking for the use case :-)
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek :
>>>>>>> On 31.3.2015 14:02, Ma

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Petr Spacek
On 31.3.2015 16:10, Matt . wrote:
> HI Petr,
> 
> We had several reasons why we did that. We wanted to use one
> language for that, and also have formatted returns. There was also
> some security issue which came up.

I would be very interested in the security reason. If you see any problem with
'ipa' command or FreeIPA API please send me a private e-mail or contact
secal...@redhat.com directly.

> I could ask you, why does IPA use JSON itself? If you see what it posts
> and what it gets back as a result, it makes it much clearer in
> development.

I do not understand the question, sorry.

If you want to see what 'ipa' command does run it with '-vv' parameter:
$ ipa -vv user-find

It will print JSON request and reply:
ipa: INFO: Request: {
"id": 0,
"method": "user_find",
"params": [
[
null
],
{
"all": false,
"no_members": false,
"pkey_only": false,
"raw": false,
"version": "2.115",
"whoami": false
}
]
}
ipa: INFO: Response: {
"error": null,
"id": 0,
"principal": "admin@IPA.EXAMPLE",
"result": {
"count": 2,
"result": [
{
"dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
"gidnumber": [
"138100"
],
...


> HTTP load balancing is not difficult at all; as we post to the
> webserver I only need to get the auth for that part right. We do more very
> specific load balancing stuff and this is the easiest one as it's
> only a webserver forward, but IPA/Kerberos seems to have an issue with the
> principal... it cannot be hard to make that accepted, I would
> say.

If you insist on Kerberos servers behind a load balancer... you will need to
somehow share the Kerberos key among all servers. I will defer that to
Kerberos experts here.

> I'm still looking for solutions :)

Sure, but you will save a lot of time and nerves if you simply call 'ipa'
command :-)

Have a nice day!

Petr^2 Spacek

> Cheers,
> 
> Matt
> 
> 2015-03-31 15:58 GMT+02:00 Petr Spacek :
>> On 31.3.2015 15:23, Matt . wrote:
>>> Hi Petr,
>>>
>>> We discussed that before indeed, but SRV is not usable in this case.
>>>
>>> My clients are just webservers (Apache) executing some curl
>>> commands against ipa/json, actually the same commands as the web GUI does
>>> using JSON, but we curl it.
>>>
>>> Do you have a better view now?
>>
>> Yes. If you have seen the previous discussion then you know that it will be
>> pretty difficult to do this kind of load balancing.
>>
>> Why are you not using the 'ipa' command or the Python API we have instead? Why
>> use curl and make things more complex?
>>
>> Petr^2 Spacek
>>
>>> 2015-03-31 15:03 GMT+02:00 Petr Spacek :
>>>> On 31.3.2015 14:35, Matt . wrote:
>>>>> Hi Petr,
>>>>>
>>>>> As this is not my topic it's for me quite "simple".
>>>>>
>>>>> I need to post to /ipa/json through a load balancer, nothing more.
>>>>>
>>>>> I have
>>>>>
>>>>> ldap-01.domain.tld (ipa1)
>>>>> ldap-01.domain.tld (ipa2)
>>>>>
>>>>> and my load balancer is ldap.domain.tld
>>>>>
>>>>> LDAP requests over a load balancer are quite simple and working, but
>>>>> the JSON part is more difficult because of the ticket and the DNS
>>>>> name. I have added a SAN ldap.domain.tld to the web GUI and there is an
>>>>> http/ldap.domain.tld service on the IPA server.
>>>>>
>>>>> I get an invalid Kerberos ticket when I go through ldap.domain.tld to
>>>>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>>>>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>>>
>>>>> Is this enough information for you?
>>>>
>>>> Well, I still do not understand the use case. What are your clients? Are you
>>>> using the 'ipa' command to do something? Or some other clients?
>>>>
>>>> Usually the best thing is to use DNS SRV records because it works even with
>>>> geographically distributed clusters and does not have a single point of failure
>>>> (the load balancer).
>>>>
>>>> This requires clients with support for DNS SRV but if your machines are using
>>>> SSSD then you do not need to change anything and it should just work.
>>>>
>>>> That is why I'm asking for the use case :-)
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek :
>>>>>> On 31.3.2015 14:02, Matt . wrote:
>>>>>>> Hi Prashant,
>>>>>>>
>>>>>>> Check my mailings about it; it's not easy, at least the Kerberos part
>>>>>>> isn't. SRV records are normally used for that.
>>>>>>>
>>>>>>> Are you talking about the web GUI or the LDAP part?
>>>>>>
>>>>>> I would recommend you to step back and describe the use case you have in
>>>>>> mind. It is important for us to understand your use case to propose an optimal
>>>>>> solution.
>>>>>>
>>>>>> Petr^2 Spacek
>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm trying to get 2 Free
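As an added example (not code from the thread, and not FreeIPA's own client), here is a small Python helper that builds the JSON-RPC body in the shape 'ipa -vv' prints above, checks a reply against the request it answers before trusting its result, and derives the HTTP/<host>@REALM service principal a GSSAPI client asks the KDC for when it posts to a given URL, which is the mismatch Matt describes between ldap.domain.tld and ldap-01.domain.tld. The realm name, the second user entry and the 'uid' fields are assumed or constructed; the thread's listing is truncated after the first entry.

```python
import json
import itertools
from urllib.parse import urlsplit

API_VERSION = "2.115"          # API version carried in the thread's 'ipa -vv' output
_next_id = itertools.count()   # JSON-RPC ids; replies are matched to requests by id


def build_request(method, args=(), options=None, version=API_VERSION, req_id=None):
    """Body for POST /ipa/json: params = [positional args, keyword options]."""
    opts = {"version": version}
    opts.update(options or {})
    return {"id": next(_next_id) if req_id is None else req_id,
            "method": method,
            "params": [list(args), opts]}


def user_find_request(req_id=None):
    # The call the thread shows: 'ipa user-find' with no search criteria ([null]).
    return build_request("user_find", [None],
                         {"all": False, "no_members": False, "pkey_only": False,
                          "raw": False, "whoami": False}, req_id=req_id)


class IPAError(Exception):
    """Raised when a reply cannot be accepted for the request it should answer."""


def parse_response(request, raw):
    """Check a reply against its request and return the 'result' object.
    A reply whose id differs answers some other call; a non-null 'error'
    means the server rejected the request. Both are treated as failures."""
    reply = json.loads(raw)
    if not isinstance(reply, dict):
        raise IPAError("reply is not a JSON object")
    if reply.get("id") != request["id"]:
        raise IPAError(f"reply id {reply.get('id')!r} != request id {request['id']!r}")
    if reply.get("error") is not None:
        raise IPAError(f"server error: {reply['error']}")
    if "result" not in reply:
        raise IPAError("reply carries neither error nor result")
    return reply["result"]


def is_valid_reply(request, raw):
    """True only if parse_response() accepts the reply (malformed JSON counts as invalid)."""
    try:
        parse_response(request, raw)
        return True
    except (IPAError, ValueError):
        return False


def service_principal(url, realm):
    """Service principal a GSSAPI client requests for `url`: HTTP/<host>@REALM.
    Posting to the load-balancer name therefore asks for HTTP/ldap.domain.tld,
    which a backend can only decrypt if that key is in its own HTTP keytab.
    The realm is a parameter because the thread never names one."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return f"HTTP/{host.lower()}@{realm}"


# Constructed sample reply shaped like the thread's output; the second entry
# and the 'uid' values are made up for the demo.
SAMPLE_REPLY = json.dumps({
    "error": None, "id": 0, "principal": "admin@IPA.EXAMPLE",
    "result": {"count": 2, "result": [
        {"dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
         "gidnumber": ["138100"], "uid": ["admin"]},
        {"dn": "uid=matt,cn=users,cn=accounts,dc=ipa,dc=example",
         "gidnumber": ["138101"], "uid": ["matt"]}]}})

if __name__ == "__main__":
    req = user_find_request(req_id=0)
    print(json.dumps(req, indent=2, sort_keys=True))
    print([e["uid"][0] for e in parse_response(req, SAMPLE_REPLY)["result"]])
    print(service_principal("https://ldap.domain.tld/ipa/json", "DOMAIN.TLD"))
```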

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Prashant Bapat
Just the web UI.

Thanks.
--Prashant
On Mar 31, 2015 5:32 PM, "Matt ."  wrote:

> Hi Prashant,
>
> Check my mailings about it; it's not easy, at least the Kerberos part
> isn't. SRV records are normally used for that.
>
> Are you talking about the web GUI or the LDAP part?
>
> Cheers,
>
> Matt
>
> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
> > Hi,
> >
> > I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
> > balancer, specifically Amazon ELB.
> >
> > I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks
> > like there is more to it than just this file.
> >
> > Any suggestions?
> >
> > Thanks.
> > --Prashant
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
HI Petr,

We had several reasons why we did that. We wanted to use one
language for that, and also have formatted returns. There was also
some security issue which came up.

I could ask you, why does IPA use JSON itself? If you see what it posts
and what it gets back as a result, it makes it much clearer in
development.

HTTP load balancing is not difficult at all; as we post to the
webserver I only need to get the auth for that part right. We do more very
specific load balancing stuff and this is the easiest one as it's
only a webserver forward, but IPA/Kerberos seems to have an issue with the
principal... it cannot be hard to make that accepted, I would
say.

I'm still looking for solutions :)

Cheers,

Matt

2015-03-31 15:58 GMT+02:00 Petr Spacek :
> On 31.3.2015 15:23, Matt . wrote:
>> Hi Petr,
>>
>> We discussed that before indeed, but SRV is not usable in this case.
>>
>> My clients are just webservers (Apache) executing some curl
>> commands against ipa/json, actually the same commands as the web GUI does
>> using JSON, but we curl it.
>>
>> Do you have a better view now?
>
> Yes. If you have seen the previous discussion then you know that it will be
> pretty difficult to do this kind of load balancing.
>
> Why are you not using the 'ipa' command or the Python API we have instead? Why
> use curl and make things more complex?
>
> Petr^2 Spacek
>
>> 2015-03-31 15:03 GMT+02:00 Petr Spacek :
>>> On 31.3.2015 14:35, Matt . wrote:
>>>> Hi Petr,
>>>>
>>>> As this is not my topic it's for me quite "simple".
>>>>
>>>> I need to post to /ipa/json through a load balancer, nothing more.
>>>>
>>>> I have
>>>>
>>>> ldap-01.domain.tld (ipa1)
>>>> ldap-01.domain.tld (ipa2)
>>>>
>>>> and my load balancer is ldap.domain.tld
>>>>
>>>> LDAP requests over a load balancer are quite simple and working, but
>>>> the JSON part is more difficult because of the ticket and the DNS
>>>> name. I have added a SAN ldap.domain.tld to the web GUI and there is an
>>>> http/ldap.domain.tld service on the IPA server.
>>>>
>>>> I get an invalid Kerberos ticket when I go through ldap.domain.tld to
>>>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>>>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>>
>>>> Is this enough information for you?
>>>
>>> Well, I still do not understand the use case. What are your clients? Are you
>>> using the 'ipa' command to do something? Or some other clients?
>>>
>>> Usually the best thing is to use DNS SRV records because it works even with
>>> geographically distributed clusters and does not have a single point of failure
>>> (the load balancer).
>>>
>>> This requires clients with support for DNS SRV but if your machines are using
>>> SSSD then you do not need to change anything and it should just work.
>>>
>>> That is why I'm asking for the use case :-)
>>>
>>> Petr^2 Spacek
>>>
>>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek :
>>>>> On 31.3.2015 14:02, Matt . wrote:
>>>>>> Hi Prashant,
>>>>>>
>>>>>> Check my mailings about it; it's not easy, at least the Kerberos part
>>>>>> isn't. SRV records are normally used for that.
>>>>>>
>>>>>> Are you talking about the web GUI or the LDAP part?
>>>>>
>>>>> I would recommend you to step back and describe the use case you have in
>>>>> mind. It is important for us to understand your use case to propose an optimal
>>>>> solution.
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>>>>> balancer, specifically Amazon ELB.
>>>>>>>
>>>>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks
>>>>>>> like there is more to it than just this file.
>>>>>>>
>>>>>>> Any suggestions?
>>>>>>>
>>>>>>> Thanks.
>>>>>>> --Prashant
>
>
> --
> Petr Spacek  @  Red Hat



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Petr Spacek
On 31.3.2015 15:23, Matt . wrote:
> Hi Petr,
> 
> We discussed that before indeed, but SRV is not usable in this case.
> 
> My clients are just webservers (Apache) executing some curl
> commands against ipa/json, actually the same commands as the web GUI does
> using JSON, but we curl it.
> 
> Do you have a better view now?

Yes. If you have seen the previous discussion then you know that it will be
pretty difficult to do this kind of load balancing.

Why are you not using the 'ipa' command or the Python API we have instead? Why
use curl and make things more complex?

Petr^2 Spacek

> 2015-03-31 15:03 GMT+02:00 Petr Spacek :
>> On 31.3.2015 14:35, Matt . wrote:
>>> Hi Petr,
>>>
>>> As this is not my topic it's for me quite "simple".
>>>
>>> I need to post to /ipa/json through a load balancer, nothing more.
>>>
>>> I have
>>>
>>> ldap-01.domain.tld (ipa1)
>>> ldap-01.domain.tld (ipa2)
>>>
>>> and my load balancer is ldap.domain.tld
>>>
>>> LDAP requests over a load balancer are quite simple and working, but
>>> the JSON part is more difficult because of the ticket and the DNS
>>> name. I have added a SAN ldap.domain.tld to the web GUI and there is an
>>> http/ldap.domain.tld service on the IPA server.
>>>
>>> I get an invalid Kerberos ticket when I go through ldap.domain.tld to
>>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>>>
>>> Is this enough information for you?
>>
>> Well, I still do not understand the use case. What are your clients? Are you
>> using the 'ipa' command to do something? Or some other clients?
>>
>> Usually the best thing is to use DNS SRV records because it works even with
>> geographically distributed clusters and does not have a single point of failure
>> (the load balancer).
>>
>> This requires clients with support for DNS SRV but if your machines are using
>> SSSD then you do not need to change anything and it should just work.
>>
>> That is why I'm asking for the use case :-)
>>
>> Petr^2 Spacek
>>
>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek :
>>>> On 31.3.2015 14:02, Matt . wrote:
>>>>> Hi Prashant,
>>>>>
>>>>> Check my mailings about it; it's not easy, at least the Kerberos part
>>>>> isn't. SRV records are normally used for that.
>>>>>
>>>>> Are you talking about the web GUI or the LDAP part?
>>>>
>>>> I would recommend you to step back and describe the use case you have in mind.
>>>> It is important for us to understand your use case to propose an optimal
>>>> solution.
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>>>> balancer, specifically Amazon ELB.
>>>>>>
>>>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks
>>>>>> like there is more to it than just this file.
>>>>>>
>>>>>> Any suggestions?
>>>>>>
>>>>>> Thanks.
>>>>>> --Prashant


-- 
Petr Spacek  @  Red Hat



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
Hi Petr,

We discussed that before indeed, but SRV is not usable in this case.

My clients are just webservers (Apache) executing some curl
commands against ipa/json, actually the same commands as the web GUI does
using JSON, but we curl it.

Do you have a better view now?

Cheers,

Matt


2015-03-31 15:03 GMT+02:00 Petr Spacek :
> On 31.3.2015 14:35, Matt . wrote:
>> Hi Petr,
>>
>> As this is not my topic it's for me quite "simple".
>>
>> I need to post to /ipa/json through a load balancer, nothing more.
>>
>> I have
>>
>> ldap-01.domain.tld (ipa1)
>> ldap-01.domain.tld (ipa2)
>>
>> and my load balancer is ldap.domain.tld
>>
>> LDAP requests over a load balancer are quite simple and working, but
>> the JSON part is more difficult because of the ticket and the DNS
>> name. I have added a SAN ldap.domain.tld to the web GUI and there is an
>> http/ldap.domain.tld service on the IPA server.
>>
>> I get an invalid Kerberos ticket when I go through ldap.domain.tld to
>> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
>> after it failed my ticket is OK for ldap-01.domain.tld and works.
>>
>> Is this enough information for you?
>
> Well, I still do not understand the use case. What are your clients? Are you
> using the 'ipa' command to do something? Or some other clients?
>
> Usually the best thing is to use DNS SRV records because it works even with
> geographically distributed clusters and does not have a single point of failure
> (the load balancer).
>
> This requires clients with support for DNS SRV but if your machines are using
> SSSD then you do not need to change anything and it should just work.
>
> That is why I'm asking for the use case :-)
>
> Petr^2 Spacek
>
>> 2015-03-31 14:21 GMT+02:00 Petr Spacek :
>>> On 31.3.2015 14:02, Matt . wrote:
>>>> Hi Prashant,
>>>>
>>>> Check my mailings about it; it's not easy, at least the Kerberos part
>>>> isn't. SRV records are normally used for that.
>>>>
>>>> Are you talking about the web GUI or the LDAP part?
>>>
>>> I would recommend you to step back and describe the use case you have in mind.
>>> It is important for us to understand your use case to propose an optimal
>>> solution.
>>>
>>> Petr^2 Spacek
>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
>>>>> Hi,
>>>>>
>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>>> balancer, specifically Amazon ELB.
>>>>>
>>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks
>>>>> like there is more to it than just this file.
>>>>>
>>>>> Any suggestions?
>>>>>
>>>>> Thanks.
>>>>> --Prashant



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Petr Spacek
On 31.3.2015 14:35, Matt . wrote:
> Hi Petr,
> 
> As this is not my topic it's for me quite "simple".
> 
> I need to post to /ipa/json through a load balancer, nothing more.
> 
> I have
> 
> ldap-01.domain.tld (ipa1)
> ldap-01.domain.tld (ipa2)
> 
> and my load balancer is ldap.domain.tld
> 
> LDAP requests over a load balancer are quite simple and working, but
> the JSON part is more difficult because of the ticket and the DNS
> name. I have added a SAN ldap.domain.tld to the web GUI and there is an
> http/ldap.domain.tld service on the IPA server.
> 
> I get an invalid Kerberos ticket when I go through ldap.domain.tld to
> ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
> after it failed my ticket is OK for ldap-01.domain.tld and works.
> 
> Is this enough information for you?

Well, I still do not understand the use case. What are your clients? Are you
using the 'ipa' command to do something? Or some other clients?

Usually the best thing is to use DNS SRV records because it works even with
geographically distributed clusters and does not have a single point of failure
(the load balancer).

This requires clients with support for DNS SRV but if your machines are using
SSSD then you do not need to change anything and it should just work.

That is why I'm asking for the use case :-)

Petr^2 Spacek

> 2015-03-31 14:21 GMT+02:00 Petr Spacek :
>> On 31.3.2015 14:02, Matt . wrote:
>>> Hi Prashant,
>>>
>>> Check my mailings about it; it's not easy, at least the Kerberos part
>>> isn't. SRV records are normally used for that.
>>>
>>> Are you talking about the web GUI or the LDAP part?
>>
>> I would recommend you to step back and describe the use case you have in mind.
>> It is important for us to understand your use case to propose an optimal
>> solution.
>>
>> Petr^2 Spacek
>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
>>>> Hi,
>>>>
>>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>>> balancer, specifically Amazon ELB.
>>>>
>>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks
>>>> like there is more to it than just this file.
>>>>
>>>> Any suggestions?
>>>>
>>>> Thanks.
>>>> --Prashant



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
Hi Petr,

As this is not my topic it's for me quite "simple".

I need to post to /ipa/json through a load balancer, nothing more.

I have

ldap-01.domain.tld (ipa1)
ldap-01.domain.tld (ipa2)

and my load balancer is ldap.domain.tld

LDAP requests over a load balancer are quite simple and working, but
the JSON part is more difficult because of the ticket and the DNS
name. I have added a SAN ldap.domain.tld to the web GUI and there is an
http/ldap.domain.tld service on the IPA server.

I get an invalid Kerberos ticket when I go through ldap.domain.tld to
ldap-01.domain.tld, but when I change my script to ldap-01.domain.tld
after it failed my ticket is OK for ldap-01.domain.tld and works.

Is this enough information for you?

Cheers,

Matt



2015-03-31 14:21 GMT+02:00 Petr Spacek :
> On 31.3.2015 14:02, Matt . wrote:
>> Hi Prashant,
>>
>> Check my mailings about it; it's not easy, at least the Kerberos part
>> isn't. SRV records are normally used for that.
>>
>> Are you talking about the web GUI or the LDAP part?
>
> I would recommend you to step back and describe the use case you have in mind.
> It is important for us to understand your use case to propose an optimal
> solution.
>
> Petr^2 Spacek
>
>> Cheers,
>>
>> Matt
>>
>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
>>> Hi,
>>>
>>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>>> balancer, specifically Amazon ELB.
>>>
>>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks like
>>> there is more to it than just this file.
>>>
>>> Any suggestions?
>>>
>>> Thanks.
>>> --Prashant
>



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Petr Spacek
On 31.3.2015 14:02, Matt . wrote:
> Hi Prashant,
> 
> Check my mailings about it; it's not easy, at least the Kerberos part
> isn't. SRV records are normally used for that.
> 
> Are you talking about the web GUI or the LDAP part?

I would recommend you to step back and describe the use case you have in mind. It
is important for us to understand your use case to propose an optimal solution.

Petr^2 Spacek

> Cheers,
> 
> Matt
> 
> 2015-03-31 13:56 GMT+02:00 Prashant Bapat :
>> Hi,
>>
>> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
>> balancer, specifically Amazon ELB.
>>
>> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks like
>> there is more to it than just this file.
>>
>> Any suggestions?
>>
>> Thanks.
>> --Prashant



Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
Hi Prashant,

Check my mailings about it; it's not easy, at least the Kerberos part
isn't. SRV records are normally used for that.

Are you talking about the web GUI or the LDAP part?

Cheers,

Matt

2015-03-31 13:56 GMT+02:00 Prashant Bapat :
> Hi,
>
> I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
> balancer, specifically Amazon ELB.
>
> I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks like
> there is more to it than just this file.
>
> Any suggestions?
>
> Thanks.
> --Prashant
>



[Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Prashant Bapat
Hi,

I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
balancer, specifically Amazon ELB.

I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but it looks
like there is more to it than just this file.

Any suggestions?

Thanks.
--Prashant