On Fri, 22 Jan 2010 11:35:22 -0800 Doug Chapman <[email protected]> wrote:
> We're currently running SunDS and using Citrix (Netscaler) load
> balancers to keep the load on our client facing LDAP servers balanced
> between 2 hosts.
>
> I'm evaluating FreeIPA and wondered if anyone can share any
> experience with using IPA behind a load balancer (or point me at
> wikidocs)?
>
> I know the ldap portion will work, it's the kerberos bits I'm
> unfamiliar with. Note, this would only be for client connections,
> not replication.

Hi Doug,
sorry for not replying earlier, I'd missed this message.

With krb5 you only have a problem if you want to use SASL/GSSAPI to authenticate LDAP clients to your servers.
That's because clients need to acquire a ticket for the server they are going to connect to, but you basically lie to clients by using a load balancer and changing target server without their knowledge. So clients will try to acquire a ticket in the name of the balancer (assuming you created a principal for it) and when they reach the server the server will not be able to use it.

If you are not planning to use SASL/GSSAPI to authenticate clients to the LDAP server there should be no other issues.

Note that in v2 with sssd as a client we assume we can use SASL/GSSAPI by default, but with current clients/freeipa server we don't.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
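A simplified model of the failure described in the reply above, added here as an illustration and not part of the original message. HMAC stands in for Kerberos ticket encryption, and the realm, host names, user and class names are all constructed.

```python
import hashlib
import hmac
import os

REALM = "EXAMPLE.COM"  # constructed realm


class KDC:
    """Toy KDC holding one secret key per service principal."""

    def __init__(self):
        self._keys = {}

    def register(self, principal):
        self._keys[principal] = os.urandom(32)
        return self._keys[principal]  # the key a keytab would hold

    def service_ticket(self, client, host):
        # The client names the service after the host it believes it is contacting.
        spn = f"ldap/{host}@{REALM}"
        if spn not in self._keys:
            raise LookupError(f"no such principal: {spn}")
        body = f"{client}->{spn}".encode()
        # The HMAC tag models "ticket encrypted with the service's own key".
        return spn, body, hmac.new(self._keys[spn], body, hashlib.sha256).digest()


class LdapServer:
    def __init__(self, host, kdc):
        self.spn = f"ldap/{host}@{REALM}"
        self.keytab = {self.spn: kdc.register(self.spn)}

    def accept_gssapi(self, ticket):
        spn, body, tag = ticket
        key = self.keytab.get(spn)
        if key is None:  # ticket was issued for a principal this host has no key for
            return False
        return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())


def simulate():
    kdc = KDC()
    ds1, ds2 = (LdapServer(h, kdc) for h in ("ds1.example.com", "ds2.example.com"))
    kdc.register(f"ldap/ldap-lb.example.com@{REALM}")  # principal created for the balancer
    direct = ds1.accept_gssapi(kdc.service_ticket(f"alice@{REALM}", "ds1.example.com"))
    lb_ticket = kdc.service_ticket(f"alice@{REALM}", "ldap-lb.example.com")
    # The balancer silently forwards the connection to either backend.
    return direct, [s.accept_gssapi(lb_ticket) for s in (ds1, ds2)]
```

`simulate()` returns the result of a direct bind to one backend, followed by the results of presenting the balancer-named ticket to each backend.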
