The right way to request a SAN, this seems to need some extra config file?
2015-03-19 15:04 GMT+01:00 Rob Crittenden <[email protected]>:
> Matt . wrote:
>> Isn't this documented well (yet)?
>
> Is what documented yet?
>
> rob
>
>> The RH docs are always very detailed about it, but I'm not sure here... I see solutions but not 100% from A to Z to make sure we do it the proper way.
>>
>> 2015-03-12 16:59 GMT+01:00 Matt . <[email protected]>:
>>> Not worried, I need to try.
>>>
>>> I think it's not an issue as we use persistence for the connection. We only do some user adding/changing stuff, nothing really fancy but it needs to be decent. As persistence comes in I think we don't have to worry about it, we discussed that here earlier as I remember.
>>>
>>> Or do I?
>>>
>>> Something else; did you have a nice PTO?
>>>
>>> 2015-03-12 15:54 GMT+01:00 Rob Crittenden <[email protected]>:
>>>> Matt . wrote:
>>>>> Hi,
>>>>>
>>>>> Security-wise I can understand that.
>>>>>
>>>>> Yes I have read about that... but that would let me use the loadbalancer to connect? I was not sure if the SAN would "connect" as "other" host.
>>>>
>>>> Kerberos through a load balancer can be a problem. Is this what you're worried about?
>>>>
>>>> rob
>>>>
>>>>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden <[email protected]>:
>>>>>> Matt . wrote:
>>>>>>> Hi Guys,
>>>>>>>
>>>>>>> Is Rob able to look at this? I hope he has some spare time as I'm kinda stuck with this issue.
>>>>>>
>>>>>> Wildcard certs are not supported.
>>>>>>
>>>>>> You can request a SAN with certmonger using -D <FQDN>. That will work with IPA 4.x for sure, maybe 3.3.5.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> 2015-03-08 12:30 GMT+01:00 Matt . <[email protected]>:
>>>>>>>> I'm reviewing some things.
>>>>>>>>
>>>>>>>> When I'm using a loadbalancer, which I prefer in this setup, I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both fqdn's of the servers including the loadbalancer's fqdn.
>>>>>>>>
>>>>>>>> But the question remains, how?
>>>>>>>>
>>>>>>>> 2015-03-07 10:37 GMT+01:00 Matt . <[email protected]>:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I will balance with IP persistence so I think there won't be any mixing as long as that "used" server is online.
>>>>>>>>>
>>>>>>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <[email protected]>:
>>>>>>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>>>>>>> OK, understood.
>>>>>>>>>>>
>>>>>>>>>>> But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it?
>>>>>>>>>>>
>>>>>>>>>>> I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials; if so, this kinit exec is fired and I do some CURL stuff to the IPA server.
>>>>>>>>>>>
>>>>>>>>>>> That's why I wanted a loadbalancer: the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for an example. Building in extra checks in front could be done but it's not ideal as a loadbalancer can handle such things much better.
>>>>>>>>>>
>>>>>>>>>> OK, this makes things much more clear. Thanks for the explanation. Rob, what is our failover logic for API?
>>>>>>>>>>
>>>>>>>>>> For CLI we use a negotiation and then we store a cookie, so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at load balancer and thus have a cert there if you can enforce the use of the same server in this case.
>>>>>>>>>>
>>>>>>>>>> The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>>>>>>
>>>>>>>>>> Rob, does that make sense for you?
>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <[email protected]>:
>>>>>>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers; SRV won't fit here, sorry to say.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I auth users, so their keytab should be the same between two masters I believe?
>>>>>>>>>>>>
>>>>>>>>>>>> Each entity in a Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing the same keys and identities between the servers just would not work with IPA. Keep in mind that IPA clients and servers need to work and fail over if you do not have any load balancers, and this is the common case. You are trying to add one where it is really not needed, creating overhead for yourself.
>>>>>>>>>>>>
>>>>>>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks again!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matthijs
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <[email protected]>:
>>>>>>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If we are talking purely about scripting, you can use the IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As I connect to the loadbalancer using DNAT, the client IP is known on the IPA server; because this is needed for the http service principals I need to add the loadbalancer hostname to my IPA server and make it an ALT name in its certificate.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on the IPA server have their own keytabs too. Every service on every server has its own keytab with a different key.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You need to talk with Simo or some other Kerberos guru about the possibility of sharing keytabs between IPA services.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Does this make it more clear?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm still not sure if you want to have human users too or just API clients.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <[email protected]>:
>>>>>>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each ipa server?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Any other options?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I do not really understand your use case. Could you describe it in detail, please?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <[email protected]>:
>>>>>>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Are you talking about the FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I would recommend you to use "something" which issues an HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using a classical load balancer on the network level. A normal HTTP redirect will not force you to mess with certs and keytabs.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Petr Spacek @ Red Hat
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Thank you,
>>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>>
>>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thank you,
>>>>>>>>>> Dmitri Pal
>>>>>>>>>>
>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>> Red Hat, Inc.
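The client-side alternative Petr describes in the thread (DNS SRV records plus failover logic in the client), combined with Dmitri's point that a negotiated session has to keep going to the same server, as an added example that is not part of this thread and not FreeIPA's own code. The SRV answer is constructed, the hostnames are placeholders, and the `send` callback stands in for a real API request; only the ordering and retry logic are the point.

```python
"""Client-side failover over DNS SRV records (RFC 2782 ordering) with
server stickiness, as a stand-in for a load balancer in front of IPA.
Added example; the SRV answer is constructed and the API call is simulated."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer (assumption): what a resolver might return for a
# record such as _kerberos._tcp.<domain>. The hostnames are placeholders.
SAMPLE_SRV: List[SrvRecord] = [
    SrvRecord(priority=10, weight=60, port=443, target="ipa1.example.test"),
    SrvRecord(priority=10, weight=40, port=443, target="ipa2.example.test"),
    SrvRecord(priority=20, weight=0, port=443, target="ipa-dr.example.test"),
]


def order_srv(records: List[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them (RFC 2782):
    lowest priority first; within one priority a weighted random draw without
    replacement, zero-weight entries listed first so they are rarely chosen."""
    rng = random.Random(seed)
    by_prio: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_prio.setdefault(rec.priority, []).append(rec)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r.weight != 0)
        while pool:
            roll = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            pick = pool[-1]
            for rec in pool:
                running += rec.weight
                if running >= roll:
                    pick = rec
                    break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


class IpaFailoverClient:
    """Tries servers in SRV order, then sticks to the one that answered so a
    session negotiated there (IPA's cookie) keeps hitting the same server;
    a new server is chosen only when the current one fails."""

    def __init__(self, records: List[SrvRecord],
                 send: Callable[[str, int], object], seed: Optional[int] = None):
        self.records = records
        self.send = send            # performs one API request against host:port
        self.seed = seed
        self.current: Optional[SrvRecord] = None

    def call(self) -> Tuple[str, object]:
        candidates = order_srv(self.records, self.seed)
        if self.current is not None:
            candidates = [self.current] + [r for r in candidates if r != self.current]
        failures: List[str] = []
        for rec in candidates:
            try:
                result = self.send(rec.target, rec.port)
            except ConnectionError as exc:
                failures.append(f"{rec.target}:{rec.port} ({exc})")
                continue
            self.current = rec
            return rec.target, result
        self.current = None
        raise ConnectionError("no IPA server reachable: " + "; ".join(failures))


def make_fake_send(down: Set[str]) -> Callable[[str, int], dict]:
    """Simulated transport (assumption): hosts in `down` refuse connections."""
    def send(host: str, port: int) -> dict:
        if host in down:
            raise ConnectionError("connection refused")
        return {"host": host, "port": port, "result": "ok"}
    return send


def demo(down: Set[str], calls: int = 3) -> List[str]:
    """Hosts that served `calls` consecutive requests while `down` are offline."""
    client = IpaFailoverClient(SAMPLE_SRV, make_fake_send(down), seed=1)
    return [client.call()[0] for _ in range(calls)]


def demo_all_down() -> str:
    """Error text when every server is unreachable (the failure path)."""
    client = IpaFailoverClient(SAMPLE_SRV, make_fake_send(
        {r.target for r in SAMPLE_SRV}), seed=1)
    try:
        client.call()
    except ConnectionError as exc:
        return str(exc)
    return "unexpected success"


if __name__ == "__main__":
    print(demo({"ipa1.example.test"}))                       # ipa2 answers and stays sticky
    print(demo({"ipa1.example.test", "ipa2.example.test"}))  # only the priority-20 backup is left
    print(demo_all_down())
```

In a real client the `seed` argument is left at `None` so the weighted draw is random per lookup, and `send` would be the HTTPS request carrying the Kerberos negotiation and the session cookie; the stickiness in `call()` is what makes the "same server for the whole conversation" requirement from the thread hold without a load balancer in the path.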
