Hi,

I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers, so SRV won't fit here, sorry to say.

I auth users, so their keytab should be the same between two masters, I believe? In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6.

Thanks again!

Cheers,

Matthijs

2015-03-06 16:16 GMT+01:00 Petr Spacek <[email protected]>:
> On 6.3.2015 15:39, Matt . wrote:
>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>
> If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be easiest way.
>
>> As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.
>
> Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have single point of failure (the load balancer).
>
>> As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it as an ALT name to its Certificate.
>>
>> As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.
>
> I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has own keytab with different key.
>
> You need to talk with Simo or some other Kerberos guru about possibility of sharing keytabs between IPA services.
>
>> Does this make it more clear?
>
> I'm still not sure if you want to have human users too or just API clients.
>
> Petr^2 Spacek
>
>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <[email protected]>:
>>> On 6.3.2015 15:13, Matt . wrote:
>>>> Hi,
>>>>
>>>> But as the user is the same, I could use the same keytab for each ipa server?
>>>>
>>>> I need to use the API indeed, so need to issue the http service.
>>>>
>>>> Any other options?
>>>
>>> I do not really understand your use case. Could you describe it in detail, please?
>>>
>>> Petr^2 Spacek
>>>
>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <[email protected]>:
>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>>>>
>>>>> Are you talking about FreeIPA web interface? It is technically possible to use load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>>>
>>>>> I would recommend you to use "something" which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.
>>>>>
>>>>> --
>>>>> Petr^2 Spacek
>
>
> --
> Petr Spacek @ Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
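Petr's alternative to a network load balancer, SRV records plus failover logic in the client, as an added example that is not code from this thread or from FreeIPA: it orders SRV records the way RFC 2782 describes (priority first, weighted random inside a priority) and tries each IPA server in turn until one answers, so no single box is a point of failure. The SRV records, the example.com hostnames and the `make_post` stand-in are constructed assumptions; a real client would resolve the `_ldap._tcp`/`_kerberos._tcp` SRV records from DNS and make the Kerberos-authenticated POST to `/ipa/json` (or use the IPA Python API, which does this for you).

```python
import random

# Constructed SRV records, shaped like _ldap._tcp.example.com answers:
# (priority, weight, port, target). Hostnames are assumptions for this example.
SRV_RECORDS = [
    (0, 100, 443, "ipa1.example.com"),
    (0, 50, 443, "ipa2.example.com"),
    (10, 0, 443, "ipa-dr.example.com"),  # used only when every priority-0 server is down
]


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority, weighted random within one priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # weight-0 entries go first in the bucket so they are chosen only when nothing else is left
        bucket = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while bucket:
            pick = rng.randint(0, sum(r[1] for r in bucket))
            running = 0
            for rec in bucket:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def call_with_failover(records, post, rng=None):
    """Try servers in SRV order until one answers; returns (target, response, failures)."""
    failures = []
    for _prio, _weight, port, target in order_srv(records, rng):
        try:
            return target, post(target, port), failures
        except OSError as exc:
            failures.append((target, str(exc)))  # keep for logging/alerting on the client side
    raise ConnectionError("every IPA server failed: %r" % failures)


def make_post(down):
    """Constructed stand-in for the Kerberos-authenticated POST to https://<target>:<port>/ipa/json."""
    def post(target, port):
        if target in down:
            raise OSError("connection refused: %s:%d" % (target, port))
        return {"result": {"server": target}, "error": None}
    return post


if __name__ == "__main__":
    host, reply, failed = call_with_failover(SRV_RECORDS, make_post({"ipa1.example.com"}))
    print("answered by", host, "after failures", failed)
```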
