Matt . wrote: > Hi, > > Security wise I can understand that. > > Yes I have read about that... but that would let me use the > loadbalancer to connect ? I was not sure if the SAN would "connect" as > "other" host.
Kerberos through a load balancer can be a problem. Is this what you're worried about? rob > > 2015-03-12 15:07 GMT+01:00 Rob Crittenden <[email protected]>: >> Matt . wrote: >>> Hi Guys, >>> >>> Is Rob able to look at this ? I hope he has some sparetime as I'm >>> kinda stuck with this issue. >> >> Wildcard certs are not supported. >> >> You can request a SAN with certmonger using -D <FQDN>. That will work >> with IPA 4.x for sure, maybe 3.3.5. >> >> rob >> >>> >>> Thanks! >>> >>> >>> >>> 2015-03-08 12:30 GMT+01:00 Matt . <[email protected]>: >>>> I'm reviewing some things. >>>> >>>> When I'm using a loadbalancer, which I prefer in this setup I need to >>>> have the same certificates on both servers. Maybe a wildcard for my >>>> domain could do instead of having only both fqdn's of the servers >>>> including the loadbalancer's fqdn. >>>> >>>> But the question remains, how? >>>> >>>> >>>> >>>> 2015-03-07 10:37 GMT+01:00 Matt . <[email protected]>: >>>>> Hi, >>>>> >>>>> I will balance with IP persistance so I think there won't be any >>>>> mixing as long as that "used" server is online. >>>>> >>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <[email protected]>: >>>>>> On 03/06/2015 11:05 AM, Matt . wrote: >>>>>>> >>>>>>> OK, understood. >>>>>>> >>>>>>> But when a webservice does execute a command (from scripting) to a SVR >>>>>>> record and the first is not reacable, would it try to do it again or >>>>>>> will handle DNS this in front of it ? >>>>>>> >>>>>>> I do a kinit against an IPA server using a keytab after I first >>>>>>> checked if the user was able to auth himself using his ldap >>>>>>> credentials, if so, this kinit exec is fired and I do some CURL stuff >>>>>>> to the IPA server. >>>>>>> >>>>>>> That's why I wanted a loadbalancer, the loadbalancer sees if a server >>>>>>> is down and doesn't even try to direct any of the commands to it... >>>>>>> I'm not sure if the SRV will handle this well when doing these command >>>>>>> from PHP for an example. Building in extra checks in front could be >>>>>>> done but it not ideal as a loadbalancer can handle such things much >>>>>>> better. >>>>>> >>>>>> >>>>>> OK, this makes things much more clear. Thanks for the explanation. >>>>>> Rob. What is our failover logic for API? >>>>>> >>>>>> For CLI we use a negotiation and then we store a cookie so as long as the >>>>>> whole conversation goes to the same server you should be fine. I do not >>>>>> think you need to re-encrypt the traffic at load balancer and thus have a >>>>>> cert there then if you can enforce the use of the same server in this >>>>>> case. >>>>>> >>>>>> The issue I anticipate is with Kerberos. I think you should not load >>>>>> balance >>>>>> the Kerberos traffic, only the API commands starting with the >>>>>> negotiation. >>>>>> >>>>>> Rob does that make sense for you? >>>>>> >>>>>> >>>>>>> >>>>>>> Thanks! >>>>>>> >>>>>>> Cheers, >>>>>>> >>>>>>> Matt >>>>>>> >>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <[email protected]>: >>>>>>>> >>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote: >>>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers, >>>>>>>>> SRV won't fit here sorry to say. >>>>>>>>> >>>>>>>>> I auth users, so their keytab should be the same between two masters I >>>>>>>>> believe ? >>>>>>>> >>>>>>>> >>>>>>>> Each entity in Kerberos exchange has its own identity and key. >>>>>>>> If you send a ticket that is destined to service A instead to service B >>>>>>>> it >>>>>>>> would not work unless they share the same keys and identity. Sharinf >>>>>>>> same >>>>>>>> keys and identities between the servers just would not work with IPA. >>>>>>>> Keep in mind that IPA clients and server need to work and fail over if >>>>>>>> you >>>>>>>> do not have any load balancers and this is the common case. You are >>>>>>>> trying >>>>>>>> to add one where it is really not needed creating overhead for >>>>>>>> yourself. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not >>>>>>>>> 100% there in step 6 >>>>>>>>> >>>>>>>>> Thanks again! >>>>>>>>> >>>>>>>>> Cheers, >>>>>>>>> >>>>>>>>> Matthijs >>>>>>>>> >>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <[email protected]>: >>>>>>>>>> >>>>>>>>>> On 6.3.2015 15:39, Matt . wrote: >>>>>>>>>>> >>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using >>>>>>>>>>> curl/json. >>>>>>>>>> >>>>>>>>>> If we are talking purely about scripting, you can use IPA Python API. >>>>>>>>>> It >>>>>>>>>> will >>>>>>>>>> handle fail over for you even without any load balancer. That would >>>>>>>>>> be >>>>>>>>>> easiest >>>>>>>>>> way. >>>>>>>>>> >>>>>>>>>>> As I need redundancy and don't want to have it script managed, but >>>>>>>>>>> one >>>>>>>>>>> central point where I can tal to I use a loadbalancer. >>>>>>>>>> >>>>>>>>>> Well, if you can control clients then the easiest and most universal >>>>>>>>>> way >>>>>>>>>> is to >>>>>>>>>> use DNS SRV records and add failover logic to clients. That solution >>>>>>>>>> works >>>>>>>>>> even when servers are geographically distributed/in different >>>>>>>>>> networks >>>>>>>>>> and >>>>>>>>>> does not have single point of failure (the load balancer). >>>>>>>>>> >>>>>>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is >>>>>>>>>>> known >>>>>>>>>>> on the IPA server because this is needed for the http service >>>>>>>>>>> principals I need to add the loadbalancer hostname to my IPA server >>>>>>>>>>> and make it as an ALT name to it's Certificate. >>>>>>>>>>> >>>>>>>>>>> As the users are the same on both servers I would asume i can use a >>>>>>>>>>> keytab for a user against both servers from my clients. >>>>>>>>>> >>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running >>>>>>>>>> on >>>>>>>>>> IPA >>>>>>>>>> server have their own keytabs too. Every service on every server has >>>>>>>>>> own >>>>>>>>>> keytab with different key. >>>>>>>>>> >>>>>>>>>> You need to talk with Simo or some other Kerberos guru about >>>>>>>>>> possibility >>>>>>>>>> of >>>>>>>>>> sharing keytabs between IPA services. >>>>>>>>>> >>>>>>>>>>> Does this make it more clear ? >>>>>>>>>> >>>>>>>>>> I'm still not sure if you want to have human users too or just API >>>>>>>>>> clients. >>>>>>>>>> >>>>>>>>>> Petr^2 Spacek >>>>>>>>>> >>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <[email protected]>: >>>>>>>>>>>> >>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each >>>>>>>>>>>>> ipa >>>>>>>>>>>>> server ? >>>>>>>>>>>>> >>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service. >>>>>>>>>>>>> >>>>>>>>>>>>> Any other options ? >>>>>>>>>>>> >>>>>>>>>>>> I do not really understand your use case. Could you describe it in >>>>>>>>>>>> detail, please? >>>>>>>>>>>> >>>>>>>>>>>> Petr^2 Spacek >>>>>>>>>>>> >>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <[email protected]>: >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates >>>>>>>>>>>>>>> so I >>>>>>>>>>>>>>> can >>>>>>>>>>>>>>> use a loadbalancer in front of my ipa servers. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Are you talking about FreeIPA web interface? It is technically >>>>>>>>>>>>>> possible to use >>>>>>>>>>>>>> load-balancer but it will be really hacky. You would have to >>>>>>>>>>>>>> solve >>>>>>>>>>>>>> certificates and also distribute shared keytabs and so on. >>>>>>>>>>>>>> >>>>>>>>>>>>>> I would recommend you to use "something" which issues HTTP >>>>>>>>>>>>>> redirect >>>>>>>>>>>>>> to ipa >>>>>>>>>>>>>> server 1/2/3/4/5 according to current state instead of using >>>>>>>>>>>>>> classical load >>>>>>>>>>>>>> balancer on the network level. Normal HTTP redirect will not >>>>>>>>>>>>>> force >>>>>>>>>>>>>> you to mess >>>>>>>>>>>>>> with certs and keytabs. >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> Petr^2 Spacek >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Petr Spacek @ Red Hat >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Thank you, >>>>>>>> Dmitri Pal >>>>>>>> >>>>>>>> Sr. Engineering Manager IdM portfolio >>>>>>>> Red Hat, Inc. >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> Go to http://freeipa.org for more info on the project >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thank you, >>>>>> Dmitri Pal >>>>>> >>>>>> Sr. Engineering Manager IdM portfolio >>>>>> Red Hat, Inc. >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >> -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
