Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-28 Thread Matt .
Rob,

I just saw your message on IRC from a couple of hours ago... timedifference ;)

Thanks,

Matt

2015-03-28 10:17 GMT+01:00 Matt . yamakasi@gmail.com:
 Rob,

 As I was responding a little bit late last night, the following come to mind.

 As you say I need to request my cert with two names, how do you mean ?
 I'm using curl at the moment so figuring that out.

 As the same issues happens in the GUI itself I think this might be a
 problem. When I access ldap-01 directly it complains @ the services
 tab on some servicehosts that are in there, and some not.

 I think this is not a simple PTR or A record fix, I'm curious how to do.

 Cheers,

 Matt

 2015-03-27 18:57 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 I'm almost there but what happens when I regenerate a certificate for
 the ldap server I get the following when I visit it through the
 loadbalancer:

 no alternative certificate subject name matches target host name
 'ldap-01.domain'

 I think this is strange as the certificate shows the ldap under the
 altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
 but only on the certificate itself.

 It turns out that NSS implements cert checking very strictly following
 RFC 2818 while OpenSSL is a bit more lax about it.

 The RFC states that if there is a subjectAltName then only that is used
 to validate the hostname. And in fact, it discourages using the subject
 at all and ONLY relying on the subjectAltName, though it does recognize
 that it is current practice (and was that way in 2000 as well).

 So you need to request your new cert with TWO names: the host name and
 the alternate name. That should make the cert work anyway.

 rob




 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-28 Thread Matt .
Rob,

As I was responding a little bit late last night, the following come to mind.

As you say I need to request my cert with two names, how do you mean ?
I'm using curl at the moment so figuring that out.

As the same issues happens in the GUI itself I think this might be a
problem. When I access ldap-01 directly it complains @ the services
tab on some servicehosts that are in there, and some not.

I think this is not a simple PTR or A record fix, I'm curious how to do.

Cheers,

Matt

2015-03-27 18:57 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 I'm almost there but what happens when I regenerate a certificate for
 the ldap server I get the following when I visit it through the
 loadbalancer:

 no alternative certificate subject name matches target host name
 'ldap-01.domain'

 I think this is strange as the certificate shows the ldap under the
 altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
 but only on the certificate itself.

 It turns out that NSS implements cert checking very strictly following
 RFC 2818 while OpenSSL is a bit more lax about it.

 The RFC states that if there is a subjectAltName then only that is used
 to validate the hostname. And in fact, it discourages using the subject
 at all and ONLY relying on the subjectAltName, though it does recognize
 that it is current practice (and was that way in 2000 as well).

 So you need to request your new cert with TWO names: the host name and
 the alternate name. That should make the cert work anyway.

 rob




 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
I'm almost there but what happens when I regenerate a certificate for
the ldap server I get the following when I visit it through the
loadbalancer:

no alternative certificate subject name matches target host name
'ldap-01.domain'

I think this is strange as the certificate shows the ldap under the
altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
but only on the certificate itself.



2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Rob Crittenden
Matt . wrote:
 I'm almost there but what happens when I regenerate a certificate for
 the ldap server I get the following when I visit it through the
 loadbalancer:
 
 no alternative certificate subject name matches target host name
 'ldap-01.domain'
 
 I think this is strange as the certificate shows the ldap under the
 altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
 but only on the certificate itself.

It turns out that NSS implements cert checking very strictly following
RFC 2818 while OpenSSL is a bit more lax about it.

The RFC states that if there is a subjectAltName then only that is used
to validate the hostname. And in fact, it discourages using the subject
at all and ONLY relying on the subjectAltName, though it does recognize
that it is current practice (and was that way in 2000 as well).

So you need to request your new cert with TWO names: the host name and
the alternate name. That should make the cert work anyway.

rob

 
 
 
 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
Hi Rob,

Thanks for the explanation. I understand your solution, I just thought
that was the dirty way :)

Thanks for your effort!

Cheers,

Matt

2015-03-27 18:57 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 I'm almost there but what happens when I regenerate a certificate for
 the ldap server I get the following when I visit it through the
 loadbalancer:

 no alternative certificate subject name matches target host name
 'ldap-01.domain'

 I think this is strange as the certificate shows the ldap under the
 altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname
 but only on the certificate itself.

 It turns out that NSS implements cert checking very strictly following
 RFC 2818 while OpenSSL is a bit more lax about it.

 The RFC states that if there is a subjectAltName then only that is used
 to validate the hostname. And in fact, it discourages using the subject
 at all and ONLY relying on the subjectAltName, though it does recognize
 that it is current practice (and was that way in 2000 as well).

 So you need to request your new cert with TWO names: the host name and
 the alternate name. That should make the cert work anyway.

 rob




 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
When digging around I see this documentation:

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

I would except that server.example.com is not going to be accepted by
IPA when you visit the webgui like that ?

2015-03-26 1:57 GMT+01:00 Matt . yamakasi@gmail.com:
 OK, quite clear but I think that is not going to help me, if you ask
 me, I might be wrong here as this is what I get:

 # wget https://ldap.mydomain.tld/ipa/json
 --2015-03-26 01:22:51--  https://ldap.mydomain.tld/ipa/json
 Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
 Connecting to ldap.mydomain.tld
 (ldap.mydomain.tld)|10.100.0.250|:443... connected.
 ERROR: cannot verify ldap.mydomain.tld's certificate, issued by
 '/O=MYDOMAIN.TLD/CN=Certificate Authority':
   Self-signed certificate encountered.
 ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't
 match requested host name 'ldap.mydomain.tld'.
 To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.

 (I used the gui that actually worked quite OK following the docs,
 tried your version also but got stuck as I did it on the IPA server,
 need to recheck that)

 I think this happens because I use the ca.crt from /etc/ipa/ca.crt and
 the one I generated in the same file. I need to have them both in my
 curl certificate.

 I might be wrong here, but this is where I'm at.

 Thanks again for your patience.

 Matt



 2015-03-20 15:39 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 The right way to sequest a SAN, this seems to need some extra config file ?

 Like I said before, use certmonger, it makes life easier.

 I'll create a new host balancer.example.com with a HTTP service. I'll
 generate a cert with a SAN for idp.example.com in that service. I'm
 generating the cert on idp.example.com, hence the service-add-host bit.

 On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)

 # kinit admin
 # ipa host-add balancer.example.com
 # ipa service-add HTTP/balancer.example.com --force
 # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
 # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k
 /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K
 HTTP/balancer.example.com -D idp.example.com
 # getcert list -i id until it goes to MONITORING
 # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 11 (0xb)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: O=EXAMPLE.COM, CN=Certificate Authority
 Validity
 Not Before: Mar 20 14:29:33 2015 GMT
 Not After : Mar 20 14:29:33 2017 GMT
 Subject: O=EXAMPLE.COM, CN=balancer.example.com
 [SNIP]
 X509v3 extensions:
 [SNIP]
 X509v3 Subject Alternative Name:
 DNS:idp.example.com, othername:unsupported,
 othername:unsupported
 [SNIP]

 SAN was definitely not supported in 3.0. Not sure about 3.3, should work
 in 4.0+.

 rob


 2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Isn't this documented well (yet) ?

 Is what documented yet?

 rob


 The RH docs are always very detailed about it, but I'm not sure
 here... I see solutions but not 100% from A to Z to make sure we do it
 the proper way.

 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
 Not worried, I need to try.

 I think it's not an issue as we use persistance for the connection. We
 only do some user adding/chaging stuff, nothing really fancy but it
 needs to be decent. As persistence comes in I think we don't have to
 worry about it, we discussed that here earlier as I remember.

 Or do I ?

 Something else; did you had a nice PTO ?

 2015-03-12 15:54 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi,

 Security wise I can understand that.

 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

 Kerberos through a load balancer can be a problem. Is this what you're
 worried about?

 rob


 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need 
 to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
Matt . wrote:
 When digging around I see this documentation:
 
 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html
 
 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

These are SRV records for the ldap service. Think of it as discovery for
who provides ldap service in the domain. It isn't something used by a
web browser.

I'm no DNS expert (by far) but this example looks a little wonky. I'd
think it should be example.com and not server.example.com. But in any
case it is irrelevant to a browser.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
HI Rob,

Yes something is wrong there I guess.

But still, I actually need to add a SAN to the webserver cert, which
is different I think than the services at least.

So the question there is... how ?

Cheers,

Matt

2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi Rob,

Thank you very much!

I think this will work out as it's only https traffic.

I will report back!

Thanks a lot!

Matt

2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi,

This should be it and worked for generating the cert with the altname
ldap.domain.tld

When I login and I go to services I get the following:

cannot connect to
'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
requested domain name does not match the server's certificate.

So I'm a little bit confused here as the certificate contains both hostnames.

A simple wget says the ldap-01 doesn't exist also:

 https://ldap-01.domain.tld/ipa/json
Connecting to ldap-01.domain.tld
(ldap-01.domain.tld)|10.100.0.251|:443... connected.
ERROR: no certificate subject alternative name matches
requested host name 'ldap-01.domain.tld'.
To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.



2015-03-26 20:43 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi Rob,

 Thank you very much!

 I think this will work out as it's only https traffic.

 I will report back!

 Thanks a lot!

 Matt

 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
OK some new update:

When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a
301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt

But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my
browser it just works fine.

2015-03-26 22:11 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 This should be it and worked for generating the cert with the altname
 ldap.domain.tld

 When I login and I go to services I get the following:

 cannot connect to
 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial':
 (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
 requested domain name does not match the server's certificate.

 So I'm a little bit confused here as the certificate contains both hostnames.

 A simple wget says the ldap-01 doesn't exist also:

  https://ldap-01.domain.tld/ipa/json
 Connecting to ldap-01.domain.tld
 (ldap-01.domain.tld)|10.100.0.251|:443... connected.
 ERROR: no certificate subject alternative name matches
 requested host name 'ldap-01.domain.tld'.
 To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'.



 2015-03-26 20:43 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi Rob,

 Thank you very much!

 I think this will work out as it's only https traffic.

 I will report back!

 Thanks a lot!

 Matt

 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 HI Rob,

 Yes something is wrong there I guess.

 In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.

 So the question there is... how ?

 What webserver cert? Are you trying to load balance the IPA services via
 DNS?

 Not knowing what you want, I'm just answering what you are ASKING. That
 is not the same as giving a proper answer. I have the feeling you want
 to load balance IPA in general which isn't going to work without a ton
 of (ongoing) manual effort. Even Microsoft recommends against trying
 this in its AD environment: http://support.microsoft.com/en-us/kb/325608

 In any case, the instructions I've already provided still apply.

 If you want to replace the Apache webserver cert you'll just need to do
 a couple of things first which has the potential of completely breaking
 IPA, so you'll need to be careful.

 Before you do anything, backup *.db in /etc/httpd/alias.

 Stop tracking the Apache cert in certmonger:

 # ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

 Delete the existing cert:

 # certutil -D -d /etc/httpd/alias -n Server-Cert

 Like I said, destructive.

 Finally use certmonger to get a new cert that includes a SAN. The syntax
 is slightly different than before, mostly because I'm just guessing in
 the dark because you aren't including enough details into what you're
 trying.

 # ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
 -K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

 In this case the IPA server is ipa1.example.com and you're creating a
 SAN for ipa.example.com.

 Restart httpd.

 Note that this doesn't solve the Kerberos problem so cli access will
 still not work as expected. The UI _might_ work using forms-based
 authentication.

 I'd strongly urge you to think about the top of this e-mail before
 proceeding onto the bottom.

 rob


 Cheers,

 Matt

 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
Matt . wrote:
 HI Rob,
 
 Yes something is wrong there I guess.

In any case, it doesn't apply to what you're trying to do.

 But still, I actually need to add a SAN to the webserver cert, which
 is different I think than the services at least.
 
 So the question there is... how ?

What webserver cert? Are you trying to load balance the IPA services via
DNS?

Not knowing what you want, I'm just answering what you are ASKING. That
is not the same as giving a proper answer. I have the feeling you want
to load balance IPA in general which isn't going to work without a ton
of (ongoing) manual effort. Even Microsoft recommends against trying
this in its AD environment: http://support.microsoft.com/en-us/kb/325608

In any case, the instructions I've already provided still apply.

If you want to replace the Apache webserver cert you'll just need to do
a couple of things first which has the potential of completely breaking
IPA, so you'll need to be careful.

Before you do anything, backup *.db in /etc/httpd/alias.

Stop tracking the Apache cert in certmonger:

# ipa-getcert stop-tracking -d /etc/httpd/alias -n Server-Cert

Delete the existing cert:

# certutil -D -d /etc/httpd/alias -n Server-Cert

Like I said, destructive.

Finally use certmonger to get a new cert that includes a SAN. The syntax
is slightly different than before, mostly because I'm just guessing in
the dark because you aren't including enough details into what you're
trying.

# ipa-getcert -d /etc/httpd/alias -n Server-Cert -N CN=ipa1.example.com
-K HTTP/ipa1.example.com -D ipa.example.com -p /etc/httpd/alias/pwdfile.txt

In this case the IPA server is ipa1.example.com and you're creating a
SAN for ipa.example.com.

Restart httpd.

Note that this doesn't solve the Kerberos problem so cli access will
still not work as expected. The UI _might_ work using forms-based
authentication.

I'd strongly urge you to think about the top of this e-mail before
proceeding onto the bottom.

rob

 
 Cheers,
 
 Matt
 
 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 When digging around I see this documentation:

 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html

 I would except that server.example.com is not going to be accepted by
 IPA when you visit the webgui like that ?

 These are SRV records for the ldap service. Think of it as discovery for
 who provides ldap service in the domain. It isn't something used by a
 web browser.

 I'm no DNS expert (by far) but this example looks a little wonky. I'd
 think it should be example.com and not server.example.com. But in any
 case it is irrelevant to a browser.

 rob


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-25 Thread Matt .
OK, quite clear but I think that is not going to help me, if you ask
me, I might be wrong here as this is what I get:

# wget https://ldap.mydomain.tld/ipa/json
--2015-03-26 01:22:51--  https://ldap.mydomain.tld/ipa/json
Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
Connecting to ldap.mydomain.tld
(ldap.mydomain.tld)|10.100.0.250|:443... connected.
ERROR: cannot verify ldap.mydomain.tld's certificate, issued by
'/O=MYDOMAIN.TLD/CN=Certificate Authority':
  Self-signed certificate encountered.
ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't
match requested host name 'ldap.mydomain.tld'.
To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.

(I used the gui that actually worked quite OK following the docs,
tried your version also but got stuck as I did it on the IPA server,
need to recheck that)

I think this happens because I use the ca.crt from /etc/ipa/ca.crt and
the one I generated in the same file. I need to have them both in my
curl certificate.

I might be wrong here, but this is where I'm at.

Thanks again for your patience.

Matt



2015-03-20 15:39 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 The right way to sequest a SAN, this seems to need some extra config file ?

 Like I said before, use certmonger, it makes life easier.

 I'll create a new host balancer.example.com with a HTTP service. I'll
 generate a cert with a SAN for idp.example.com in that service. I'm
 generating the cert on idp.example.com, hence the service-add-host bit.

 On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)

 # kinit admin
 # ipa host-add balancer.example.com
 # ipa service-add HTTP/balancer.example.com --force
 # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
 # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k
 /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K
 HTTP/balancer.example.com -D idp.example.com
 # getcert list -i id until it goes to MONITORING
 # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 11 (0xb)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: O=EXAMPLE.COM, CN=Certificate Authority
 Validity
 Not Before: Mar 20 14:29:33 2015 GMT
 Not After : Mar 20 14:29:33 2017 GMT
 Subject: O=EXAMPLE.COM, CN=balancer.example.com
 [SNIP]
 X509v3 extensions:
 [SNIP]
 X509v3 Subject Alternative Name:
 DNS:idp.example.com, othername:unsupported,
 othername:unsupported
 [SNIP]

 SAN was definitely not supported in 3.0. Not sure about 3.3, should work
 in 4.0+.

 rob


 2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Isn't this documented well (yet) ?

 Is what documented yet?

 rob


 The RH docs are always very detailed about it, but I'm not sure
 here... I see solutions but not 100% from A to Z to make sure we do it
 the proper way.

 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
 Not worried, I need to try.

 I think it's not an issue as we use persistance for the connection. We
 only do some user adding/chaging stuff, nothing really fancy but it
 needs to be decent. As persistence comes in I think we don't have to
 worry about it, we discussed that here earlier as I remember.

 Or do I ?

 Something else; did you had a nice PTO ?

 2015-03-12 15:54 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi,

 Security wise I can understand that.

 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

 Kerberos through a load balancer can be a problem. Is this what you're
 worried about?

 rob


 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to 
 a SVR
 record and the first is not reacable, would it try to do it again 
 or
 will handle DNS this in front of it ?

 I do a kinit against an 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-20 Thread Rob Crittenden
Matt . wrote:
 The right way to sequest a SAN, this seems to need some extra config file ?

Like I said before, use certmonger, it makes life easier.

I'll create a new host balancer.example.com with a HTTP service. I'll
generate a cert with a SAN for idp.example.com in that service. I'm
generating the cert on idp.example.com, hence the service-add-host bit.

On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)

# kinit admin
# ipa host-add balancer.example.com
# ipa service-add HTTP/balancer.example.com --force
# ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
# ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k
/etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K
HTTP/balancer.example.com -D idp.example.com
# getcert list -i id until it goes to MONITORING
# openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11 (0xb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=EXAMPLE.COM, CN=Certificate Authority
Validity
Not Before: Mar 20 14:29:33 2015 GMT
Not After : Mar 20 14:29:33 2017 GMT
Subject: O=EXAMPLE.COM, CN=balancer.example.com
[SNIP]
X509v3 extensions:
[SNIP]
X509v3 Subject Alternative Name:
DNS:idp.example.com, othername:unsupported,
othername:unsupported
[SNIP]

SAN was definitely not supported in 3.0. Not sure about 3.3, should work
in 4.0+.

rob

 
 2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Isn't this documented well (yet) ?

 Is what documented yet?

 rob


 The RH docs are always very detailed about it, but I'm not sure
 here... I see solutions but not 100% from A to Z to make sure we do it
 the proper way.

 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
 Not worried, I need to try.

 I think it's not an issue as we use persistance for the connection. We
 only do some user adding/chaging stuff, nothing really fancy but it
 needs to be decent. As persistence comes in I think we don't have to
 worry about it, we discussed that here earlier as I remember.

 Or do I ?

 Something else; did you had a nice PTO ?

 2015-03-12 15:54 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi,

 Security wise I can understand that.

 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

 Kerberos through a load balancer can be a problem. Is this what you're
 worried about?

 rob


 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a 
 SVR
 record and the first is not reacable, would it try to do it again 
 or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL 
 stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a 
 server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these 
 command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long 
 as the
 whole conversation goes to the same server you should be fine. I do 
 not
 think you need to re-encrypt the traffic at load balancer and thus 
 have a
 cert there then if you can enforce the use of the same server in 
 this case.

 The issue I anticipate is with Kerberos. I think you should not 
 load balance
 the Kerberos traffic, only the API commands starting with the 
 negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Matt .
Isn't this documented well (yet) ?

The RH docs are always very detailed about it, but I'm not sure
here... I see solutions but not 100% from A to Z to make sure we do it
the proper way.

2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
 Not worried, I need to try.

 I think it's not an issue as we use persistance for the connection. We
 only do some user adding/chaging stuff, nothing really fancy but it
 needs to be decent. As persistence comes in I think we don't have to
 worry about it, we discussed that here earlier as I remember.

 Or do I ?

 Something else; did you had a nice PTO ?

 2015-03-12 15:54 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi,

 Security wise I can understand that.

 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

 Kerberos through a load balancer can be a problem. Is this what you're
 worried about?

 rob


 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as 
 the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at load balancer and thus 
 have a
 cert there then if you can enforce the use of the same server in this 
 case.

 The issue I anticipate is with Kerberos. I think you should not load 
 balance
 the Kerberos traffic, only the API commands starting with the 
 negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of 
 loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two 
 masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to 
 service B
 it
 would not work unless they share the same keys and identity. Sharinf 
 same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over 
 if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for 
 yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python 
 API.
 It
 will
 handle fail over for you even without any load balancer. That 
 would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, 
 but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most 
 universal
 way
 is to
 use DNS SRV records and add failover logic to clients. That 
 solution
 works
 even when servers 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Matt .
The right way to sequest a SAN, this seems to need some extra config file ?

2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Isn't this documented well (yet) ?

 Is what documented yet?

 rob


 The RH docs are always very detailed about it, but I'm not sure
 here... I see solutions but not 100% from A to Z to make sure we do it
 the proper way.

 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
 Not worried, I need to try.

 I think it's not an issue as we use persistance for the connection. We
 only do some user adding/chaging stuff, nothing really fancy but it
 needs to be decent. As persistence comes in I think we don't have to
 worry about it, we discussed that here earlier as I remember.

 Or do I ?

 Something else; did you had a nice PTO ?

 2015-03-12 15:54 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi,

 Security wise I can understand that.

 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

 Kerberos through a load balancer can be a problem. Is this what you're
 worried about?

 rob


 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a 
 SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL 
 stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a 
 server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these 
 command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long 
 as the
 whole conversation goes to the same server you should be fine. I do 
 not
 think you need to re-encrypt the traffic at load balancer and thus 
 have a
 cert there then if you can enforce the use of the same server in 
 this case.

 The issue I anticipate is with Kerberos. I think you should not load 
 balance
 the Kerberos traffic, only the API commands starting with the 
 negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of 
 loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two 
 masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to 
 service B
 it
 would not work unless they share the same keys and identity. 
 Sharinf same
 keys and identities between the servers just would not work with 
 IPA.
 Keep in mind that IPA clients and server need to work and fail 
 over if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for 
 yourself.



 In that case... I need to add the altnames to the certs, but I'm 
 not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python 
 API.
 It
 will
 handle fail over for you even without any load balancer. That 
 would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, 
 but one
 central point where I can tal 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Rob Crittenden
Matt . wrote:
 Isn't this documented well (yet) ?

Is what documented yet?

rob

 
 The RH docs are always very detailed about it, but I'm not sure
 here... I see solutions but not 100% from A to Z to make sure we do it
 the proper way.
 
 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
 Not worried, I need to try.

 I think it's not an issue as we use persistance for the connection. We
 only do some user adding/chaging stuff, nothing really fancy but it
 needs to be decent. As persistence comes in I think we don't have to
 worry about it, we discussed that here earlier as I remember.

 Or do I ?

 Something else; did you had a nice PTO ?

 2015-03-12 15:54 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi,

 Security wise I can understand that.

 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

 Kerberos through a load balancer can be a problem. Is this what you're
 worried about?

 rob


 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a 
 SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these 
 command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as 
 the
 whole conversation goes to the same server you should be fine. I do 
 not
 think you need to re-encrypt the traffic at load balancer and thus 
 have a
 cert there then if you can enforce the use of the same server in this 
 case.

 The issue I anticipate is with Kerberos. I think you should not load 
 balance
 the Kerberos traffic, only the API commands starting with the 
 negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of 
 loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two 
 masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to 
 service B
 it
 would not work unless they share the same keys and identity. 
 Sharinf same
 keys and identities between the servers just would not work with 
 IPA.
 Keep in mind that IPA clients and server need to work and fail over 
 if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for 
 yourself.



 In that case... I need to add the altnames to the certs, but I'm 
 not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python 
 API.
 It
 will
 handle fail over for you even without any load balancer. That 
 would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, 
 but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most 
 universal
 way
 is to
 use DNS SRV records and add 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi,

Security wise I can understand that.

Yes I have read about that... but that would let me use the
loadbalancer to connect ? I was not sure if the SAN would connect as
other host.

2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at load balancer and thus have a
 cert there then if you can enforce the use of the same server in this 
 case.

 The issue I anticipate is with Kerberos. I think you should not load 
 balance
 the Kerberos traffic, only the API commands starting with the negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to service B
 it
 would not work unless they share the same keys and identity. Sharinf 
 same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python API.
 It
 will
 handle fail over for you even without any load balancer. That would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but 
 one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal
 way
 is to
 use DNS SRV records and add failover logic to clients. That solution
 works
 even when servers are geographically distributed/in different networks
 and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is 
 known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on
 IPA
 server have their own keytabs too. Every service on every server has
 own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about
 possibility
 of
 sharing keytabs between IPA services.

 Does 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Rob Crittenden
Matt . wrote:
 Hi,
 
 Security wise I can understand that.
 
 Yes I have read about that... but that would let me use the
 loadbalancer to connect ? I was not sure if the SAN would connect as
 other host.

Kerberos through a load balancer can be a problem. Is this what you're
worried about?

rob

 
 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
 Matt . wrote:
 Hi Guys,

 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D FQDN. That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob


 Thanks!



 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at load balancer and thus have a
 cert there then if you can enforce the use of the same server in this 
 case.

 The issue I anticipate is with Kerberos. I think you should not load 
 balance
 the Kerberos traffic, only the API commands starting with the 
 negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to service B
 it
 would not work unless they share the same keys and identity. Sharinf 
 same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for 
 yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python API.
 It
 will
 handle fail over for you even without any load balancer. That would 
 be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but 
 one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal
 way
 is to
 use DNS SRV records and add failover logic to clients. That solution
 works
 even when servers are geographically distributed/in different 
 networks
 and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is 
 known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running 
 on
 IPA
 server have their own keytabs too. Every service on every server has
 own
 keytab with different key.

 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Rob Crittenden
Matt . wrote:
 Hi Guys,
 
 Is Rob able to look at this ? I hope he has some sparetime as I'm
 kinda stuck with this issue.

Wildcard certs are not supported.

You can request a SAN with certmonger using -D FQDN. That will work
with IPA 4.x for sure, maybe 3.3.5.

rob

 
 Thanks!
 
 
 
 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at load balancer and thus have a
 cert there then if you can enforce the use of the same server in this case.

 The issue I anticipate is with Kerberos. I think you should not load 
 balance
 the Kerberos traffic, only the API commands starting with the negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to service B
 it
 would not work unless they share the same keys and identity. Sharinf same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python API.
 It
 will
 handle fail over for you even without any load balancer. That would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal
 way
 is to
 use DNS SRV records and add failover logic to clients. That solution
 works
 even when servers are geographically distributed/in different networks
 and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on
 IPA
 server have their own keytabs too. Every service on every server has
 own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about
 possibility
 of
 sharing keytabs between IPA services.

 Does this make it more clear ?

 I'm still not sure if you want to have human users too or just API
 clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:13, Matt . wrote:

 Hi,

 But as the user is the same, I 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi Guys,

Is Rob able to look at this ? I hope he has some sparetime as I'm
kinda stuck with this issue.

Thanks!



2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com:
 I'm reviewing some things.

 When I'm using a loadbalancer, which I prefer in this setup I need to
 have the same certificates on both servers. Maybe a wildcard for my
 domain could do instead of having only both fqdn's of the servers
 including the loadbalancer's fqdn.

 But the question remains, how?



 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at load balancer and thus have a
 cert there then if you can enforce the use of the same server in this case.

 The issue I anticipate is with Kerberos. I think you should not load balance
 the Kerberos traffic, only the API commands starting with the negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to service B
 it
 would not work unless they share the same keys and identity. Sharinf same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python API.
 It
 will
 handle fail over for you even without any load balancer. That would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal
 way
 is to
 use DNS SRV records and add failover logic to clients. That solution
 works
 even when servers are geographically distributed/in different networks
 and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on
 IPA
 server have their own keytabs too. Every service on every server has
 own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about
 possibility
 of
 sharing keytabs between IPA services.

 Does this make it more clear ?

 I'm still not sure if you want to have human users too or just API
 clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:13, Matt . wrote:

 Hi,

 But as the user is the same, I could use the same keytab for each
 ipa
 server ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-08 Thread Matt .
I'm reviewing some things.

When I'm using a loadbalancer, which I prefer in this setup I need to
have the same certificates on both servers. Maybe a wildcard for my
domain could do instead of having only both fqdn's of the servers
including the loadbalancer's fqdn.

But the question remains, how?



2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com:
 Hi,

 I will balance with IP persistance so I think there won't be any
 mixing as long as that used server is online.

 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at load balancer and thus have a
 cert there then if you can enforce the use of the same server in this case.

 The issue I anticipate is with Kerberos. I think you should not load balance
 the Kerberos traffic, only the API commands starting with the negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to service B
 it
 would not work unless they share the same keys and identity. Sharinf same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python API.
 It
 will
 handle fail over for you even without any load balancer. That would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal
 way
 is to
 use DNS SRV records and add failover logic to clients. That solution
 works
 even when servers are geographically distributed/in different networks
 and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on
 IPA
 server have their own keytabs too. Every service on every server has
 own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about
 possibility
 of
 sharing keytabs between IPA services.

 Does this make it more clear ?

 I'm still not sure if you want to have human users too or just API
 clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:13, Matt . wrote:

 Hi,

 But as the user is the same, I could use the same keytab for each
 ipa
 server ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your use case. Could you describe it in
 detail, please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 14:08, Martin Kosek wrote:

 I'm 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-07 Thread Matt .
Hi,

I will balance with IP persistance so I think there won't be any
mixing as long as that used server is online.

2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 11:05 AM, Matt . wrote:

 OK, understood.

 But when a webservice does execute a command (from scripting) to a SVR
 record and the first is not reacable, would it try to do it again or
 will handle DNS this in front of it ?

 I do a kinit against an IPA server using a keytab after I first
 checked if the user was able to auth himself using his ldap
 credentials, if so, this kinit exec is fired and I do some CURL stuff
 to the IPA server.

 That's why I wanted a loadbalancer, the loadbalancer sees if a server
 is down and doesn't even try to direct any of the commands to it...
 I'm not sure if the SRV will handle this well when doing these command
 from PHP for an example. Building in extra checks in front could be
 done but it not ideal as a loadbalancer can handle such things much
 better.


 OK, this makes things much more clear. Thanks for the explanation.
 Rob. What is our failover logic for API?

 For CLI we use a negotiation and then we store a cookie so as long as the
 whole conversation goes to the same server you should be fine. I do not
 think you need to re-encrypt the traffic at load balancer and thus have a
 cert there then if you can enforce the use of the same server in this case.

 The issue I anticipate is with Kerberos. I think you should not load balance
 the Kerberos traffic, only the API commands starting with the negotiation.

 Rob does that make sense for you?



 Thanks!

 Cheers,

 Matt

 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to service B
 it
 would not work unless they share the same keys and identity. Sharinf same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over if
 you
 do not have any load balancers and this is the common case. You are
 trying
 to add one where it is really not needed creating overhead for yourself.



 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python API.
 It
 will
 handle fail over for you even without any load balancer. That would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal
 way
 is to
 use DNS SRV records and add failover logic to clients. That solution
 works
 even when servers are geographically distributed/in different networks
 and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on
 IPA
 server have their own keytabs too. Every service on every server has
 own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about
 possibility
 of
 sharing keytabs between IPA services.

 Does this make it more clear ?

 I'm still not sure if you want to have human users too or just API
 clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:13, Matt . wrote:

 Hi,

 But as the user is the same, I could use the same keytab for each
 ipa
 server ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your use case. Could you describe it in
 detail, please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 14:08, Martin Kosek wrote:

 I'm figuring out how to regenerate the webserver certificates so I
 can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically
 possible to use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something 

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi,

But as the user is the same, I could use the same keytab for each ipa server ?

I need to use the API indeed, so need to issue the http service.

Any other options ?



2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 14:08, Martin Kosek wrote:
 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically possible to use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something which issues HTTP redirect to ipa
 server 1/2/3/4/5 according to current state instead of using classical load
 balancer on the network level. Normal HTTP redirect will not force you to mess
 with certs and keytabs.

 --
 Petr^2 Spacek

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 15:13, Matt . wrote:
 Hi,
 
 But as the user is the same, I could use the same keytab for each ipa server ?
 
 I need to use the API indeed, so need to issue the http service.
 
 Any other options ?

I do not really understand your use case. Could you describe it in detail, 
please?

Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 14:08, Martin Kosek wrote:
 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically possible to 
 use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something which issues HTTP redirect to ipa
 server 1/2/3/4/5 according to current state instead of using classical load
 balancer on the network level. Normal HTTP redirect will not force you to 
 mess
 with certs and keytabs.

 --
 Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
I have 2 IPA servers where I kinit to and post to the api using curl/json.

As I need redundancy and don't want to have it script managed, but one
central point where I can tal to I use a loadbalancer.

As I connect to the loadbalancer using DNAT, so the client IP is known
on the IPA server because this is needed for the http service
principals I need to add the loadbalancer hostname to my IPA server
and make it as an ALT name to it's Certificate.

As the users are the same on both servers I would asume i can use a
keytab for a user against both servers from my clients.

Does this make it more clear ?

2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 15:13, Matt . wrote:
 Hi,

 But as the user is the same, I could use the same keytab for each ipa server 
 ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your use case. Could you describe it in detail, 
 please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 14:08, Martin Kosek wrote:
 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically possible to 
 use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something which issues HTTP redirect to ipa
 server 1/2/3/4/5 according to current state instead of using classical load
 balancer on the network level. Normal HTTP redirect will not force you to 
 mess
 with certs and keytabs.

 --
 Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 16:24, Matt . wrote:
 Hi,
 
 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.
 
 I auth users, so their keytab should be the same between two masters I 
 believe ?

Keytabs are used by Kerberos and MIT kerberos libraries fully support SRV
records and failover.

 
 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

I hope someone else can advise you how to do that but be prepared for hickups,
this setup is not tested.

Petr^2 Spacek

 
 Thanks again!
 
 Cheers,
 
 Matthijs
 
 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 15:39, Matt . wrote:
 I have 2 IPA servers where I kinit to and post to the api using curl/json.

 If we are talking purely about scripting, you can use IPA Python API. It will
 handle fail over for you even without any load balancer. That would be 
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal way is 
 to
 use DNS SRV records and add failover logic to clients. That solution works
 even when servers are geographically distributed/in different networks and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on IPA
 server have their own keytabs too. Every service on every server has own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about possibility of
 sharing keytabs between IPA services.

 Does this make it more clear ?

 I'm still not sure if you want to have human users too or just API clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 15:13, Matt . wrote:
 Hi,

 But as the user is the same, I could use the same keytab for each ipa 
 server ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your use case. Could you describe it in detail, 
 please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 14:08, Martin Kosek wrote:
 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically possible 
 to use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something which issues HTTP redirect to 
 ipa
 server 1/2/3/4/5 according to current state instead of using classical 
 load
 balancer on the network level. Normal HTTP redirect will not force you 
 to mess
 with certs and keytabs.

 --
 Petr^2 Spacek


 --
 Petr Spacek  @  Red Hat


-- 
Petr Spacek  @  Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 15:39, Matt . wrote:
 I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will
handle fail over for you even without any load balancer. That would be easiest
way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to
use DNS SRV records and add failover logic to clients. That solution works
even when servers are geographically distributed/in different networks and
does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.
 
 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA
server have their own keytabs too. Every service on every server has own
keytab with different key.

You need to talk with Simo or some other Kerberos guru about possibility of
sharing keytabs between IPA services.

 Does this make it more clear ?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 15:13, Matt . wrote:
 Hi,

 But as the user is the same, I could use the same keytab for each ipa 
 server ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your use case. Could you describe it in detail, 
 please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 14:08, Martin Kosek wrote:
 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically possible to 
 use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something which issues HTTP redirect to ipa
 server 1/2/3/4/5 according to current state instead of using classical load
 balancer on the network level. Normal HTTP redirect will not force you to 
 mess
 with certs and keytabs.

 --
 Petr^2 Spacek


-- 
Petr Spacek  @  Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi,

I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
SRV won't fit here sorry to say.

I auth users, so their keytab should be the same between two masters I believe ?

In that case... I need to add the altnames to the certs, but I'm not
100% there in step 6

Thanks again!

Cheers,

Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 15:39, Matt . wrote:
 I have 2 IPA servers where I kinit to and post to the api using curl/json.

 If we are talking purely about scripting, you can use IPA Python API. It will
 handle fail over for you even without any load balancer. That would be easiest
 way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal way is to
 use DNS SRV records and add failover logic to clients. That solution works
 even when servers are geographically distributed/in different networks and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on IPA
 server have their own keytabs too. Every service on every server has own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about possibility of
 sharing keytabs between IPA services.

 Does this make it more clear ?

 I'm still not sure if you want to have human users too or just API clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 15:13, Matt . wrote:
 Hi,

 But as the user is the same, I could use the same keytab for each ipa 
 server ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your use case. Could you describe it in detail, 
 please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
 On 6.3.2015 14:08, Martin Kosek wrote:
 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically possible 
 to use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something which issues HTTP redirect to ipa
 server 1/2/3/4/5 according to current state instead of using classical 
 load
 balancer on the network level. Normal HTTP redirect will not force you to 
 mess
 with certs and keytabs.

 --
 Petr^2 Spacek


 --
 Petr Spacek  @  Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Petr Spacek
On 6.3.2015 14:08, Martin Kosek wrote:
 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use
load-balancer but it will be really hacky. You would have to solve
certificates and also distribute shared keytabs and so on.

I would recommend you to use something which issues HTTP redirect to ipa
server 1/2/3/4/5 according to current state instead of using classical load
balancer on the network level. Normal HTTP redirect will not force you to mess
with certs and keytabs.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Martin Kosek

On 03/06/2015 01:30 PM, Matt . wrote:

Hi,

I'm figuring out how to regenerate the webserver certificates so I can
use a loadbalancer in front of my ipa servers.

I see in the docs there is information about this, but not for the
webservice. Does anyone have some directions ?

Thanks.

Matt



Certificate SubjectAltName was fixed in FreeIPA 4.0, this is the upstream 
ticket:
https://fedorahosted.org/freeipa/ticket/3977

The procedure is described in upstream wiki for example:
http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

HTH,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi Martin,

Thanks, I saw that ticket but didn't got to the wiki part yet.

What I wonder in Step 6:

6. Request a signed certificate for the service and see the entry in
Certmonger. In case you created a NSS database with a PIN (see the
step 3.), use -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt option to
tell certmonger about it: # ipa-getcert request -d /etc/httpd/nssdb -n
Server-Cert -K HTTP/`hostname` -N CN=`hostname`,O=EXAMPLE.COM -g 2048
-p /etc/httpd/nssdb/pwdfile.txt

SAN names: in FreeIPA 4.0 and later, you can add optional SAN DNS
names to your request with -D. Note that you need to first create
respective host or service objects and configure that given host can
manage them with service-add-host or host-add-managedby command. These
objects are being verified when FreeIPA cert-req command authorizes
the SAN names.

Can I just add the alt names in that command, how should I proceed ? I
added the host like

ldap.domain... where my ldap servers are ldap-01 and ldap-02

Thanks!

Matt

2015-03-06 14:08 GMT+01:00 Martin Kosek mko...@redhat.com:
 On 03/06/2015 01:30 PM, Matt . wrote:

 Hi,

 I'm figuring out how to regenerate the webserver certificates so I can
 use a loadbalancer in front of my ipa servers.

 I see in the docs there is information about this, but not for the
 webservice. Does anyone have some directions ?

 Thanks.

 Matt


 Certificate SubjectAltName was fixed in FreeIPA 4.0, this is the upstream
 ticket:
 https://fedorahosted.org/freeipa/ticket/3977

 The procedure is described in upstream wiki for example:
 http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

 HTH,
 Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Simo Sorce
On Fri, 2015-03-06 at 16:24 +0100, Matt . wrote:
 Hi,
 
 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.
 
 I auth users, so their keytab should be the same between two masters I 
 believe ?

What kind of load balancing ?

An IPA server offers multiple different kerberized services, not all of
them may be able to work using multiple keys (you would need one key for
the real name and one for the load balanced name).

Simo.

 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6
 
 Thanks again!
 
 Cheers,
 
 Matthijs
 
 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:
  On 6.3.2015 15:39, Matt . wrote:
  I have 2 IPA servers where I kinit to and post to the api using curl/json.
 
  If we are talking purely about scripting, you can use IPA Python API. It 
  will
  handle fail over for you even without any load balancer. That would be 
  easiest
  way.
 
  As I need redundancy and don't want to have it script managed, but one
  central point where I can tal to I use a loadbalancer.
 
  Well, if you can control clients then the easiest and most universal way is 
  to
  use DNS SRV records and add failover logic to clients. That solution works
  even when servers are geographically distributed/in different networks and
  does not have single point of failure (the load balancer).
 
  As I connect to the loadbalancer using DNAT, so the client IP is known
  on the IPA server because this is needed for the http service
  principals I need to add the loadbalancer hostname to my IPA server
  and make it as an ALT name to it's Certificate.
 
  As the users are the same on both servers I would asume i can use a
  keytab for a user against both servers from my clients.
 
  I'm talking about keytabs on the FreeIPA servers - services running on IPA
  server have their own keytabs too. Every service on every server has own
  keytab with different key.
 
  You need to talk with Simo or some other Kerberos guru about possibility of
  sharing keytabs between IPA services.
 
  Does this make it more clear ?
 
  I'm still not sure if you want to have human users too or just API clients.
 
  Petr^2 Spacek
 
  2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:
  On 6.3.2015 15:13, Matt . wrote:
  Hi,
 
  But as the user is the same, I could use the same keytab for each ipa 
  server ?
 
  I need to use the API indeed, so need to issue the http service.
 
  Any other options ?
 
  I do not really understand your use case. Could you describe it in 
  detail, please?
 
  Petr^2 Spacek
 
  2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:
  On 6.3.2015 14:08, Martin Kosek wrote:
  I'm figuring out how to regenerate the webserver certificates so I can
  use a loadbalancer in front of my ipa servers.
 
  Are you talking about FreeIPA web interface? It is technically possible 
  to use
  load-balancer but it will be really hacky. You would have to solve
  certificates and also distribute shared keytabs and so on.
 
  I would recommend you to use something which issues HTTP redirect to 
  ipa
  server 1/2/3/4/5 according to current state instead of using classical 
  load
  balancer on the network level. Normal HTTP redirect will not force you 
  to mess
  with certs and keytabs.
 
  --
  Petr^2 Spacek
 
 
  --
  Petr Spacek  @  Red Hat


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Dmitri Pal

On 03/06/2015 10:24 AM, Matt . wrote:

Hi,

I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
SRV won't fit here sorry to say.

I auth users, so their keytab should be the same between two masters I believe ?


Each entity in Kerberos exchange has its own identity and key.
If you send a ticket that is destined to service A instead to service B 
it would not work unless they share the same keys and identity. Sharinf 
same keys and identities between the servers just would not work with IPA.
Keep in mind that IPA clients and server need to work and fail over if 
you do not have any load balancers and this is the common case. You are 
trying to add one where it is really not needed creating overhead for 
yourself.





In that case... I need to add the altnames to the certs, but I'm not
100% there in step 6

Thanks again!

Cheers,

Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using curl/json.

If we are talking purely about scripting, you can use IPA Python API. It will
handle fail over for you even without any load balancer. That would be easiest
way.


As I need redundancy and don't want to have it script managed, but one
central point where I can tal to I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way is to
use DNS SRV records and add failover logic to clients. That solution works
even when servers are geographically distributed/in different networks and
does not have single point of failure (the load balancer).


As I connect to the loadbalancer using DNAT, so the client IP is known
on the IPA server because this is needed for the http service
principals I need to add the loadbalancer hostname to my IPA server
and make it as an ALT name to it's Certificate.

As the users are the same on both servers I would asume i can use a
keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on IPA
server have their own keytabs too. Every service on every server has own
keytab with different key.

You need to talk with Simo or some other Kerberos guru about possibility of
sharing keytabs between IPA services.


Does this make it more clear ?

I'm still not sure if you want to have human users too or just API clients.

Petr^2 Spacek


2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi,

But as the user is the same, I could use the same keytab for each ipa server ?

I need to use the API indeed, so need to issue the http service.

Any other options ?

I do not really understand your use case. Could you describe it in detail, 
please?

Petr^2 Spacek


2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I can
use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically possible to use
load-balancer but it will be really hacky. You would have to solve
certificates and also distribute shared keytabs and so on.

I would recommend you to use something which issues HTTP redirect to ipa
server 1/2/3/4/5 according to current state instead of using classical load
balancer on the network level. Normal HTTP redirect will not force you to mess
with certs and keytabs.

--
Petr^2 Spacek


--
Petr Spacek  @  Red Hat



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
OK, understood.

But when a webservice does execute a command (from scripting) to a SVR
record and the first is not reacable, would it try to do it again or
will handle DNS this in front of it ?

I do a kinit against an IPA server using a keytab after I first
checked if the user was able to auth himself using his ldap
credentials, if so, this kinit exec is fired and I do some CURL stuff
to the IPA server.

That's why I wanted a loadbalancer, the loadbalancer sees if a server
is down and doesn't even try to direct any of the commands to it...
I'm not sure if the SRV will handle this well when doing these command
from PHP for an example. Building in extra checks in front could be
done but it not ideal as a loadbalancer can handle such things much
better.

Thanks!

Cheers,

Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:
 On 03/06/2015 10:24 AM, Matt . wrote:

 Hi,

 I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
 SRV won't fit here sorry to say.

 I auth users, so their keytab should be the same between two masters I
 believe ?


 Each entity in Kerberos exchange has its own identity and key.
 If you send a ticket that is destined to service A instead to service B it
 would not work unless they share the same keys and identity. Sharinf same
 keys and identities between the servers just would not work with IPA.
 Keep in mind that IPA clients and server need to work and fail over if you
 do not have any load balancers and this is the common case. You are trying
 to add one where it is really not needed creating overhead for yourself.




 In that case... I need to add the altnames to the certs, but I'm not
 100% there in step 6

 Thanks again!

 Cheers,

 Matthijs

 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:39, Matt . wrote:

 I have 2 IPA servers where I kinit to and post to the api using
 curl/json.

 If we are talking purely about scripting, you can use IPA Python API. It
 will
 handle fail over for you even without any load balancer. That would be
 easiest
 way.

 As I need redundancy and don't want to have it script managed, but one
 central point where I can tal to I use a loadbalancer.

 Well, if you can control clients then the easiest and most universal way
 is to
 use DNS SRV records and add failover logic to clients. That solution
 works
 even when servers are geographically distributed/in different networks
 and
 does not have single point of failure (the load balancer).

 As I connect to the loadbalancer using DNAT, so the client IP is known
 on the IPA server because this is needed for the http service
 principals I need to add the loadbalancer hostname to my IPA server
 and make it as an ALT name to it's Certificate.

 As the users are the same on both servers I would asume i can use a
 keytab for a user against both servers from my clients.

 I'm talking about keytabs on the FreeIPA servers - services running on
 IPA
 server have their own keytabs too. Every service on every server has own
 keytab with different key.

 You need to talk with Simo or some other Kerberos guru about possibility
 of
 sharing keytabs between IPA services.

 Does this make it more clear ?

 I'm still not sure if you want to have human users too or just API
 clients.

 Petr^2 Spacek

 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 15:13, Matt . wrote:

 Hi,

 But as the user is the same, I could use the same keytab for each ipa
 server ?

 I need to use the API indeed, so need to issue the http service.

 Any other options ?

 I do not really understand your use case. Could you describe it in
 detail, please?

 Petr^2 Spacek

 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 6.3.2015 14:08, Martin Kosek wrote:

 I'm figuring out how to regenerate the webserver certificates so I
 can
 use a loadbalancer in front of my ipa servers.

 Are you talking about FreeIPA web interface? It is technically
 possible to use
 load-balancer but it will be really hacky. You would have to solve
 certificates and also distribute shared keytabs and so on.

 I would recommend you to use something which issues HTTP redirect
 to ipa
 server 1/2/3/4/5 according to current state instead of using
 classical load
 balancer on the network level. Normal HTTP redirect will not force
 you to mess
 with certs and keytabs.

 --
 Petr^2 Spacek


 --
 Petr Spacek  @  Red Hat



 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Dmitri Pal

On 03/06/2015 11:05 AM, Matt . wrote:

OK, understood.

But when a webservice does execute a command (from scripting) to a SVR
record and the first is not reacable, would it try to do it again or
will handle DNS this in front of it ?

I do a kinit against an IPA server using a keytab after I first
checked if the user was able to auth himself using his ldap
credentials, if so, this kinit exec is fired and I do some CURL stuff
to the IPA server.

That's why I wanted a loadbalancer, the loadbalancer sees if a server
is down and doesn't even try to direct any of the commands to it...
I'm not sure if the SRV will handle this well when doing these command
from PHP for an example. Building in extra checks in front could be
done but it not ideal as a loadbalancer can handle such things much
better.


OK, this makes things much more clear. Thanks for the explanation.
Rob. What is our failover logic for API?

For CLI we use a negotiation and then we store a cookie so as long as 
the whole conversation goes to the same server you should be fine. I do 
not think you need to re-encrypt the traffic at load balancer and thus 
have a cert there then if you can enforce the use of the same server in 
this case.


The issue I anticipate is with Kerberos. I think you should not load 
balance the Kerberos traffic, only the API commands starting with the 
negotiation.


Rob does that make sense for you?



Thanks!

Cheers,

Matt

2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com:

On 03/06/2015 10:24 AM, Matt . wrote:

Hi,

I'm really bound to a loadbalancer, as it's HA setup of loadbalancers,
SRV won't fit here sorry to say.

I auth users, so their keytab should be the same between two masters I
believe ?


Each entity in Kerberos exchange has its own identity and key.
If you send a ticket that is destined to service A instead to service B it
would not work unless they share the same keys and identity. Sharinf same
keys and identities between the servers just would not work with IPA.
Keep in mind that IPA clients and server need to work and fail over if you
do not have any load balancers and this is the common case. You are trying
to add one where it is really not needed creating overhead for yourself.




In that case... I need to add the altnames to the certs, but I'm not
100% there in step 6

Thanks again!

Cheers,

Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:39, Matt . wrote:

I have 2 IPA servers where I kinit to and post to the api using
curl/json.

If we are talking purely about scripting, you can use IPA Python API. It
will
handle fail over for you even without any load balancer. That would be
easiest
way.


As I need redundancy and don't want to have it script managed, but one
central point where I can tal to I use a loadbalancer.

Well, if you can control clients then the easiest and most universal way
is to
use DNS SRV records and add failover logic to clients. That solution
works
even when servers are geographically distributed/in different networks
and
does not have single point of failure (the load balancer).


As I connect to the loadbalancer using DNAT, so the client IP is known
on the IPA server because this is needed for the http service
principals I need to add the loadbalancer hostname to my IPA server
and make it as an ALT name to it's Certificate.

As the users are the same on both servers I would asume i can use a
keytab for a user against both servers from my clients.

I'm talking about keytabs on the FreeIPA servers - services running on
IPA
server have their own keytabs too. Every service on every server has own
keytab with different key.

You need to talk with Simo or some other Kerberos guru about possibility
of
sharing keytabs between IPA services.


Does this make it more clear ?

I'm still not sure if you want to have human users too or just API
clients.

Petr^2 Spacek


2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 15:13, Matt . wrote:

Hi,

But as the user is the same, I could use the same keytab for each ipa
server ?

I need to use the API indeed, so need to issue the http service.

Any other options ?

I do not really understand your use case. Could you describe it in
detail, please?

Petr^2 Spacek


2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 6.3.2015 14:08, Martin Kosek wrote:

I'm figuring out how to regenerate the webserver certificates so I
can
use a loadbalancer in front of my ipa servers.

Are you talking about FreeIPA web interface? It is technically
possible to use
load-balancer but it will be really hacky. You would have to solve
certificates and also distribute shared keytabs and so on.

I would recommend you to use something which issues HTTP redirect
to ipa
server 1/2/3/4/5 according to current state instead of using
classical load
balancer on the network level. Normal HTTP redirect will not force
you to mess
with certs and keytabs.

--
Petr^2 Spacek


--
Petr Spacek  @  Red Hat



--