I have 2 IPA servers where I kinit to and post to the API using curl/JSON. As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.

As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server (because this is needed for the HTTP service principals), I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate. As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.

Does this make it more clear?

2015-03-06 15:31 GMT+01:00 Petr Spacek <[email protected]>:
> On 6.3.2015 15:13, Matt . wrote:
>> Hi,
>>
>> But as the user is the same, I could use the same keytab for each IPA server?
>>
>> I need to use the API indeed, so need to issue the HTTP service.
>>
>> Any other options?
>
> I do not really understand your use case. Could you describe it in detail, please?
>
> Petr^2 Spacek
>
>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <[email protected]>:
>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my IPA servers.
>>>
>>> Are you talking about the FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>
>>> I would recommend you to use "something" which issues an HTTP redirect to IPA server 1/2/3/4/5 according to current state instead of using a classical load balancer on the network level. A normal HTTP redirect will not force you to mess with certs and keytabs.
>>>
>>> --
>>> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
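The redirect approach suggested in the quoted reply (a front end that sends the client to whichever IPA server is currently up, instead of a network-level load balancer) can be sketched as a small health-aware redirector. The code below is an added illustration written for this page; it is not from the thread and not part of FreeIPA. The hostnames `ipa1.example.test` / `ipa2.example.test` are constructed placeholders, and the only FreeIPA-specific facts it relies on are the `/ipa/ui/` and `/ipa/session/json` paths served by each real server. Because the client is redirected to the real server's own FQDN, it authenticates against that server's existing `HTTP/<fqdn>` principal and certificate, which is exactly why no shared keytab or extra SAN is needed.

```python
# Added example (not from the mailing-list thread): a minimal health-aware
# HTTP redirector in front of several FreeIPA servers. Backend hostnames
# below are constructed placeholders.
import http.server
import ssl
import urllib.error
import urllib.request
from typing import Dict, Iterable, Optional

# Constructed example backends; replace with your real IPA server FQDNs.
IPA_SERVERS = ["ipa1.example.test", "ipa2.example.test"]

# Probe target served by every IPA server's httpd; any non-5xx answer
# (including a 401 from Negotiate) means the server is alive.
HEALTH_PATH = "/ipa/ui/"


def probe(host: str, timeout: float = 2.0) -> bool:
    """Return True if https://<host>/ipa/ui/ answers with a non-5xx status."""
    # Default context verifies the server certificate, so the IPA CA must be
    # trusted on the host running this redirector.
    ctx = ssl.create_default_context()
    url = f"https://{host}{HEALTH_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status < 500
    except urllib.error.HTTPError as err:
        return err.code < 500
    except (urllib.error.URLError, OSError):
        return False


def choose_server(health: Dict[str, bool],
                  preferred: Iterable[str] = IPA_SERVERS) -> Optional[str]:
    """Pick the first server in preference order that is marked healthy."""
    for host in preferred:
        if health.get(host):
            return host
    return None


def redirect_location(host: str, path: str) -> str:
    """Absolute https URL on the chosen IPA server, keeping path and query."""
    if not path.startswith("/"):
        path = "/" + path
    return f"https://{host}{path}"


class Redirector(http.server.BaseHTTPRequestHandler):
    def _redirect(self) -> None:
        health = {h: probe(h) for h in IPA_SERVERS}
        target = choose_server(health)
        if target is None:
            self.send_error(503, "No IPA server is currently reachable")
            return
        # 307 keeps the method and body, so a JSON POST to /ipa/session/json
        # is replayed by the client (curl -L does this) against the real
        # server, whose own HTTP/<fqdn> principal and certificate already match.
        self.send_response(307)
        self.send_header("Location", redirect_location(target, self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _redirect
    do_POST = _redirect


if __name__ == "__main__":
    # Listen on all interfaces, port 8080; put TLS in front of this in practice.
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), Redirector).serve_forever()
```

The redirector never sees Kerberos tickets, since the Negotiate exchange happens only after the 307 against the real server, but the client's first request (including any JSON body) does reach the redirector, so it should itself be served over TLS rather than plain HTTP as in this minimal listener. Probing on every request is the simplest correct behaviour; a cached health table refreshed on a timer is the obvious next step.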
