Hi,

Security wise I can understand that.

Yes I have read about that... but that would let me use the loadbalancer to connect? I was not sure if the SAN would "connect" as "other" host.

2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> Hi Guys,
>>
>> Is Rob able to look at this? I hope he has some spare time as I'm kinda stuck with this issue.
>
> Wildcard certs are not supported.
>
> You can request a SAN with certmonger using -D <FQDN>. That will work with IPA 4.x for sure, maybe 3.3.5.
>
> rob
>
>> Thanks!
>>
>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi....@gmail.com>:
>>> I'm reviewing some things.
>>>
>>> When I'm using a loadbalancer, which I prefer in this setup, I need to have the same certificates on both servers. Maybe a wildcard for my domain could do instead of having only both fqdn's of the servers including the loadbalancer's fqdn.
>>>
>>> But the question remains, how?
>>>
>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi....@gmail.com>:
>>>> Hi,
>>>>
>>>> I will balance with IP persistence so I think there won't be any mixing as long as that "used" server is online.
>>>>
>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <d...@redhat.com>:
>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>> OK, understood.
>>>>>>
>>>>>> But when a webservice does execute a command (from scripting) to a SRV record and the first is not reachable, would it try to do it again or will DNS handle this in front of it?
>>>>>>
>>>>>> I do a kinit against an IPA server using a keytab after I first checked if the user was able to auth himself using his ldap credentials; if so, this kinit exec is fired and I do some CURL stuff to the IPA server.
>>>>>>
>>>>>> That's why I wanted a loadbalancer: the loadbalancer sees if a server is down and doesn't even try to direct any of the commands to it... I'm not sure if the SRV will handle this well when doing these commands from PHP for an example. Building in extra checks in front could be done but it's not ideal as a loadbalancer can handle such things much better.
>>>>>
>>>>> OK, this makes things much more clear. Thanks for the explanation.
>>>>> Rob. What is our failover logic for API?
>>>>>
>>>>> For CLI we use a negotiation and then we store a cookie so as long as the whole conversation goes to the same server you should be fine. I do not think you need to re-encrypt the traffic at load balancer and thus have a cert there then if you can enforce the use of the same server in this case.
>>>>>
>>>>> The issue I anticipate is with Kerberos. I think you should not load balance the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>
>>>>> Rob does that make sense for you?
>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <d...@redhat.com>:
>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm really bound to a loadbalancer, as it's HA setup of loadbalancers; SRV won't fit here, sorry to say.
>>>>>>>>
>>>>>>>> I auth users, so their keytab should be the same between two masters I believe?
>>>>>>>
>>>>>>> Each entity in Kerberos exchange has its own identity and key. If you send a ticket that is destined to service A instead to service B it would not work unless they share the same keys and identity. Sharing same keys and identities between the servers just would not work with IPA. Keep in mind that IPA clients and server need to work and fail over if you do not have any load balancers and this is the common case. You are trying to add one where it is really not needed, creating overhead for yourself.
>>>>>>>
>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not 100% there in step 6
>>>>>>>>
>>>>>>>> Thanks again!
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matthijs
>>>>>>>>
>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the api using curl/json.
>>>>>>>>>
>>>>>>>>> If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even without any load balancer. That would be the easiest way.
>>>>>>>>>
>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one central point where I can talk to, I use a loadbalancer.
>>>>>>>>>
>>>>>>>>> Well, if you can control clients then the easiest and most universal way is to use DNS SRV records and add failover logic to clients. That solution works even when servers are geographically distributed/in different networks and does not have a single point of failure (the load balancer).
>>>>>>>>>
>>>>>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known on the IPA server because this is needed for the http service principals, I need to add the loadbalancer hostname to my IPA server and make it an ALT name to its Certificate.
>>>>>>>>>>
>>>>>>>>>> As the users are the same on both servers I would assume I can use a keytab for a user against both servers from my clients.
>>>>>>>>>
>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on IPA server have their own keytabs too. Every service on every server has its own keytab with a different key.
>>>>>>>>>
>>>>>>>>> You need to talk with Simo or some other Kerberos guru about possibility of sharing keytabs between IPA services.
>>>>>>>>>
>>>>>>>>>> Does this make it more clear?
>>>>>>>>>
>>>>>>>>> I'm still not sure if you want to have human users too or just API clients.
>>>>>>>>>
>>>>>>>>> Petr^2 Spacek
>>>>>>>>>
>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each ipa server?
>>>>>>>>>>>>
>>>>>>>>>>>> I need to use the API indeed, so need to issue the http service.
>>>>>>>>>>>>
>>>>>>>>>>>> Any other options?
>>>>>>>>>>>
>>>>>>>>>>> I do not really understand your use case. Could you describe it in detail, please?
>>>>>>>>>>>
>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>
>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Are you talking about FreeIPA web interface? It is technically possible to use a load-balancer but it will be really hacky. You would have to solve certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I would recommend you to use "something" which issues HTTP redirect to ipa server 1/2/3/4/5 according to current state instead of using a classical load balancer on the network level. Normal HTTP redirect will not force you to mess with certs and keytabs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Petr Spacek @ Red Hat
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
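Petr's suggestion in the thread above (DNS SRV records plus failover logic in the client) and Matt's question whether DNS retries on its own, as an added Python example that is not from the thread or from FreeIPA: DNS only returns the record set, so the client itself has to order the targets as RFC 2782 describes and walk them until one answers. The SRV records, hostnames and the `_ldap._tcp.example.test` lookup are constructed; `attempt` stands in for whatever the script does against one server (for instance its curl/JSON call).

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample answer for an SRV lookup of _ldap._tcp.example.test
# (hypothetical names; IPA publishes such records for each master).
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "ipa1.example.test."),
    SrvRecord(0, 50, 389, "ipa2.example.test."),
    SrvRecord(10, 0, 389, "ipa-dr.example.test."),  # priority 10: last resort
]

def order_srv(records, seed=None):
    """RFC 2782 order: lowest priority first; within one priority, weighted
    random choice, where weight-0 records get only a very small chance."""
    rng = random.Random(seed)  # seedable so the order is reproducible in tests
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)  # weight 0 goes to the front
        while pool:
            n = rng.randint(0, sum(r.weight for r in pool))  # 0..total inclusive
            running = 0
            for pick in pool:
                running += pick.weight
                if running >= n:
                    break
            ordered.append(pick)
            pool.remove(pick)
    return ordered

def call_with_failover(records, attempt, seed=None):
    """Try servers in SRV order; return (host, result) from the first
    attempt(host, port) that does not raise OSError. DNS never retries for
    you, so this loop is the client-side failover logic Petr refers to."""
    errors = {}
    for r in order_srv(records, seed):
        host = r.target.rstrip(".")
        try:
            return host, attempt(host, r.port)
        except OSError as exc:  # refused, timeout, unreachable ...
            errors[host] = repr(exc)
    raise ConnectionError(f"every IPA server failed: {errors}")
```

Each IPA master has its own HTTP service key, so the kinit and the API call inside `attempt` must both target the host this loop picked rather than a shared name.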