OK, quite clear but I think that is not going to help me, if you ask me. I might be wrong here as this is what I get:

# wget https://ldap.mydomain.tld/ipa/json
--2015-03-26 01:22:51--  https://ldap.mydomain.tld/ipa/json
Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
Connecting to ldap.mydomain.tld (ldap.mydomain.tld)|10.100.0.250|:443... connected.
ERROR: cannot verify ldap.mydomain.tld's certificate, issued by '/O=MYDOMAIN.TLD/CN=Certificate Authority':
  Self-signed certificate encountered.
ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't match requested host name 'ldap.mydomain.tld'.
To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.

(I used the GUI, that actually worked quite OK following the docs; tried your version also but got stuck as I did it on the IPA server, need to recheck that)

I think this happens because I use the ca.crt from /etc/ipa/ca.crt and the one I generated in the same file. I need to have them both in my curl certificate.

I might be wrong here, but this is where I'm at.

Thanks again for your patience.

Matt

2015-03-20 15:39 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Matt . wrote:
>> The right way to request a SAN, this seems to need some extra config file ?
>
> Like I said before, use certmonger, it makes life easier.
>
> I'll create a new host balancer.example.com with a HTTP service. I'll
> generate a cert with a SAN for idp.example.com in that service. I'm
> generating the cert on idp.example.com, hence the service-add-host bit.
>
> On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)
>
> # kinit admin
> # ipa host-add balancer.example.com
> # ipa service-add HTTP/balancer.example.com --force
> # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
> # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k
> /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K
> HTTP/balancer.example.com -D idp.example.com
> # getcert list -i <id> until it goes to MONITORING
> # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 11 (0xb)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>         Validity
>             Not Before: Mar 20 14:29:33 2015 GMT
>             Not After : Mar 20 14:29:33 2017 GMT
>         Subject: O=EXAMPLE.COM, CN=balancer.example.com
> [SNIP]
>         X509v3 extensions:
> [SNIP]
>             X509v3 Subject Alternative Name:
>                 DNS:idp.example.com, othername:<unsupported>, othername:<unsupported>
> [SNIP]
>
> SAN was definitely not supported in 3.0. Not sure about 3.3, should work
> in 4.0+.
>
> rob
>
>> 2015-03-19 15:04 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>> Matt . wrote:
>>>> Isn't this documented well (yet) ?
>>>
>>> Is what documented yet?
>>>
>>> rob
>>>
>>>> The RH docs are always very detailed about it, but I'm not sure
>>>> here... I see solutions but not 100% from A to Z to make sure we do it
>>>> the proper way.
>>>>
>>>> 2015-03-12 16:59 GMT+01:00 Matt . <yamakasi....@gmail.com>:
>>>>> Not worried, I need to try.
>>>>>
>>>>> I think it's not an issue as we use persistence for the connection. We
>>>>> only do some user adding/changing stuff, nothing really fancy but it
>>>>> needs to be decent. As persistence comes in I think we don't have to
>>>>> worry about it, we discussed that here earlier as I remember.
>>>>>
>>>>> Or do I ?
>>>>>
>>>>> Something else; did you have a nice PTO ?
>>>>>
>>>>> 2015-03-12 15:54 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>>> Matt . wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Security wise I can understand that.
>>>>>>>
>>>>>>> Yes I have read about that... but that would let me use the
>>>>>>> loadbalancer to connect ? I was not sure if the SAN would "connect" as
>>>>>>> "other" host.
>>>>>>
>>>>>> Kerberos through a load balancer can be a problem. Is this what you're
>>>>>> worried about?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>>>>>> Matt . wrote:
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> Is Rob able to look at this ? I hope he has some spare time as I'm
>>>>>>>>> kinda stuck with this issue.
>>>>>>>>
>>>>>>>> Wildcard certs are not supported.
>>>>>>>>
>>>>>>>> You can request a SAN with certmonger using -D <FQDN>. That will work
>>>>>>>> with IPA 4.x for sure, maybe 3.3.5.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> 2015-03-08 12:30 GMT+01:00 Matt . <yamakasi....@gmail.com>:
>>>>>>>>>> I'm reviewing some things.
>>>>>>>>>>
>>>>>>>>>> When I'm using a loadbalancer, which I prefer in this setup, I need to
>>>>>>>>>> have the same certificates on both servers. Maybe a wildcard for my
>>>>>>>>>> domain could do instead of having only both FQDNs of the servers
>>>>>>>>>> including the loadbalancer's FQDN.
>>>>>>>>>>
>>>>>>>>>> But the question remains, how?
>>>>>>>>>>
>>>>>>>>>> 2015-03-07 10:37 GMT+01:00 Matt . <yamakasi....@gmail.com>:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I will balance with IP persistence so I think there won't be any
>>>>>>>>>>> mixing as long as that "used" server is online.
>>>>>>>>>>>
>>>>>>>>>>> 2015-03-06 19:16 GMT+01:00 Dmitri Pal <d...@redhat.com>:
>>>>>>>>>>>> On 03/06/2015 11:05 AM, Matt . wrote:
>>>>>>>>>>>>> OK, understood.
>>>>>>>>>>>>>
>>>>>>>>>>>>> But when a webservice does execute a command (from scripting) to a SRV
>>>>>>>>>>>>> record and the first is not reachable, would it try to do it again or
>>>>>>>>>>>>> will DNS handle this in front of it ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I do a kinit against an IPA server using a keytab after I first
>>>>>>>>>>>>> checked if the user was able to auth himself using his LDAP
>>>>>>>>>>>>> credentials; if so, this kinit exec is fired and I do some curl stuff
>>>>>>>>>>>>> to the IPA server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> That's why I wanted a loadbalancer: the loadbalancer sees if a server
>>>>>>>>>>>>> is down and doesn't even try to direct any of the commands to it...
>>>>>>>>>>>>> I'm not sure if the SRV will handle this well when doing these commands
>>>>>>>>>>>>> from PHP for example. Building in extra checks in front could be
>>>>>>>>>>>>> done but it's not ideal, as a loadbalancer can handle such things much
>>>>>>>>>>>>> better.
>>>>>>>>>>>>
>>>>>>>>>>>> OK, this makes things much more clear. Thanks for the explanation.
>>>>>>>>>>>> Rob, what is our failover logic for the API?
>>>>>>>>>>>>
>>>>>>>>>>>> For CLI we use a negotiation and then we store a cookie, so as long as the
>>>>>>>>>>>> whole conversation goes to the same server you should be fine. I do not
>>>>>>>>>>>> think you need to re-encrypt the traffic at the load balancer and thus have a
>>>>>>>>>>>> cert there if you can enforce the use of the same server in this case.
>>>>>>>>>>>>
>>>>>>>>>>>> The issue I anticipate is with Kerberos. I think you should not load balance
>>>>>>>>>>>> the Kerberos traffic, only the API commands starting with the negotiation.
>>>>>>>>>>>>
>>>>>>>>>>>> Rob, does that make sense to you?
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-03-06 16:41 GMT+01:00 Dmitri Pal <d...@redhat.com>:
>>>>>>>>>>>>>> On 03/06/2015 10:24 AM, Matt . wrote:
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm really bound to a loadbalancer, as it's an HA setup of loadbalancers;
>>>>>>>>>>>>>>> SRV won't fit here, sorry to say.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I auth users, so their keytab should be the same between two masters I
>>>>>>>>>>>>>>> believe ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Each entity in a Kerberos exchange has its own identity and key.
>>>>>>>>>>>>>> If you send a ticket that is destined to service A instead to service B it
>>>>>>>>>>>>>> would not work unless they share the same keys and identity. Sharing the same
>>>>>>>>>>>>>> keys and identities between the servers just would not work with IPA.
>>>>>>>>>>>>>> Keep in mind that IPA clients and servers need to work and fail over if you
>>>>>>>>>>>>>> do not have any load balancers, and this is the common case. You are trying
>>>>>>>>>>>>>> to add one where it is really not needed, creating overhead for yourself.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In that case... I need to add the altnames to the certs, but I'm not
>>>>>>>>>>>>>>> 100% there in step 6
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks again!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Matthijs
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2015-03-06 16:16 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>>>>>>>>>>> On 6.3.2015 15:39, Matt . wrote:
>>>>>>>>>>>>>>>>> I have 2 IPA servers where I kinit to and post to the API using
>>>>>>>>>>>>>>>>> curl/json.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If we are talking purely about scripting, you can use the IPA Python API. It
>>>>>>>>>>>>>>>> will handle fail over for you even without any load balancer. That would be
>>>>>>>>>>>>>>>> the easiest way.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As I need redundancy and don't want to have it script managed, but one
>>>>>>>>>>>>>>>>> central point where I can talk to, I use a loadbalancer.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Well, if you can control clients then the easiest and most universal way
>>>>>>>>>>>>>>>> is to use DNS SRV records and add failover logic to clients. That solution
>>>>>>>>>>>>>>>> works even when servers are geographically distributed/in different networks
>>>>>>>>>>>>>>>> and does not have a single point of failure (the load balancer).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As I connect to the loadbalancer using DNAT, so the client IP is known
>>>>>>>>>>>>>>>>> on the IPA server, because this is needed for the HTTP service
>>>>>>>>>>>>>>>>> principals I need to add the loadbalancer hostname to my IPA server
>>>>>>>>>>>>>>>>> and make it an ALT name in its certificate.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As the users are the same on both servers I would assume I can use a
>>>>>>>>>>>>>>>>> keytab for a user against both servers from my clients.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm talking about keytabs on the FreeIPA servers - services running on an IPA
>>>>>>>>>>>>>>>> server have their own keytabs too. Every service on every server has its own
>>>>>>>>>>>>>>>> keytab with a different key.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You need to talk with Simo or some other Kerberos guru about the possibility of
>>>>>>>>>>>>>>>> sharing keytabs between IPA services.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Does this make it more clear ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm still not sure if you want to have human users too or just API clients.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2015-03-06 15:31 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>>>>>>>>>>>>> On 6.3.2015 15:13, Matt . wrote:
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> But as the user is the same, I could use the same keytab for each IPA
>>>>>>>>>>>>>>>>>>> server ?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I need to use the API indeed, so need to issue the HTTP service.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Any other options ?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I do not really understand your use case. Could you describe it in
>>>>>>>>>>>>>>>>>> detail, please?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2015-03-06 14:24 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>>>>>>>>>>>>>>> On 6.3.2015 14:08, Martin Kosek wrote:
>>>>>>>>>>>>>>>>>>>>> I'm figuring out how to regenerate the webserver certificates so I can
>>>>>>>>>>>>>>>>>>>>> use a loadbalancer in front of my IPA servers.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Are you talking about the FreeIPA web interface? It is technically possible to use
>>>>>>>>>>>>>>>>>>>> a load-balancer but it will be really hacky. You would have to solve
>>>>>>>>>>>>>>>>>>>> certificates and also distribute shared keytabs and so on.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I would recommend you to use "something" which issues an HTTP redirect to IPA
>>>>>>>>>>>>>>>>>>>> server 1/2/3/4/5 according to current state instead of using a classical load
>>>>>>>>>>>>>>>>>>>> balancer on the network level. A normal HTTP redirect will not force you to mess
>>>>>>>>>>>>>>>>>>>> with certs and keytabs.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Petr^2 Spacek
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Petr Spacek @ Red Hat
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Thank you,
>>>>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Thank you,
>>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>>
>>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>>> Red Hat, Inc.
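The two wget errors quoted at the top of this message are independent problems, and it helps to see them separately. "cannot verify ... Self-signed certificate encountered" means wget does not trust the IPA CA that issued the cert (wget's --ca-certificate=/etc/ipa/ca.crt addresses that; the fix is never --no-check-certificate). "common name 'ldap-01.mydomain.tld' doesn't match requested host name 'ldap.mydomain.tld'" is the name check: the server cert names only its own FQDN, and no CA file can change that, which is why Rob points at certmonger's -D to get the extra name into the SAN. The script below is an added example, not code from the FreeIPA project or from anyone in the thread. It re-implements the RFC 6125 name-matching rules a TLS client applies, using hand-constructed certificate dicts in the shape Python's ssl getpeercert() returns and the hostnames from the thread, so both outcomes can be reproduced offline. One caveat it also demonstrates, visible in Rob's openssl output: that SAN carries only DNS:idp.example.com, and a client that follows RFC 6125 stops consulting the CN as soon as any dNSName is present, so that cert is accepted for idp.example.com but not for balancer.example.com. The third constructed cert models the assumption that -D is given for both names (getcert accepts -D more than once). Only fetch_peer_cert() touches the network, and the /etc/ipa/ca.crt default in it is an assumption about the local host.

```python
"""Hostname verification as a TLS client performs it against a server cert.

Added example; not code from the FreeIPA project or from the thread. The
certificate dicts are constructed by hand in the shape
ssl.SSLSocket.getpeercert() returns, using the hostnames from the thread.
"""
import socket
import ssl


def dns_names(cert):
    """dNSName entries of the subjectAltName extension, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """All commonName values of the subject DN (a DN may carry more than one)."""
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def name_matches(presented, hostname):
    """Match one presented identifier against the requested hostname.

    Case-insensitive, trailing dot ignored. A wildcard is honoured only as
    the entire leftmost label and only with at least two labels after it
    (RFC 6125 section 6.4.3): '*.example.com' matches 'a.example.com' but
    not 'a.b.example.com', 'example.com' or anything under a bare '*.com'.
    """
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p == h
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def match_hostname(cert, hostname):
    """Return the identifier that matched, or raise ssl.CertificateError.

    SAN dNSName entries are authoritative. The subject CN is consulted only
    when the certificate carries no dNSName at all: that fallback is what
    lets a SAN-less IPA server cert pass for its own FQDN, and why the same
    cert fails for any other name such as the load balancer's.
    """
    sans = dns_names(cert)
    candidates = sans if sans else common_names(cert)
    for name in candidates:
        if name_matches(name, hostname):
            return name
    source = "subjectAltName" if sans else "commonName"
    raise ssl.CertificateError(
        "hostname %r doesn't match %s %r" % (hostname, source, ", ".join(candidates)))


def matches(cert, hostname):
    """Boolean form of match_hostname() for callers that only want yes/no."""
    try:
        match_hostname(cert, hostname)
        return True
    except ssl.CertificateError:
        return False


def fetch_peer_cert(host, port=443, cafile="/etc/ipa/ca.crt", timeout=5.0):
    """Connect with verification on and return the peer cert as a dict.

    Needs a network; not exercised offline. cafile defaults to the IPA CA
    file named in the thread (an assumption about the local host). The
    default context already checks the hostname, so either of wget's two
    complaints surfaces here as ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed: the cert the IPA server in the thread presented (no SAN).
CERT_LDAP01 = {
    "subject": ((("organizationName", "MYDOMAIN.TLD"),),
                (("commonName", "ldap-01.mydomain.tld"),)),
    "issuer": ((("organizationName", "MYDOMAIN.TLD"),),
               (("commonName", "Certificate Authority"),)),
}

# Constructed: the cert Rob's request produced (-N CN=balancer.example.com
# -D idp.example.com); the othername SAN entries are left out.
CERT_BALANCER = {
    "subject": ((("organizationName", "EXAMPLE.COM"),),
                (("commonName", "balancer.example.com"),)),
    "subjectAltName": (("DNS", "idp.example.com"),),
}

# Constructed (assumption): the same request with -D balancer.example.com
# added, so both names are present as dNSName.
CERT_BALANCER_BOTH = {
    "subject": CERT_BALANCER["subject"],
    "subjectAltName": (("DNS", "balancer.example.com"), ("DNS", "idp.example.com")),
}

if __name__ == "__main__":
    for cert, host in ((CERT_LDAP01, "ldap-01.mydomain.tld"),
                       (CERT_LDAP01, "ldap.mydomain.tld"),
                       (CERT_BALANCER, "idp.example.com"),
                       (CERT_BALANCER, "balancer.example.com"),
                       (CERT_BALANCER_BOTH, "balancer.example.com")):
        try:
            print("%-24s OK via %s" % (host, match_hostname(cert, host)))
        except ssl.CertificateError as err:
            print("%-24s FAIL: %s" % (host, err))
```

Running it prints one OK line for ldap-01.mydomain.tld and a FAIL for ldap.mydomain.tld against the first cert, which is exactly the split wget reported, and then shows the balancer cert passing for idp.example.com but failing for its own CN until both names are in the SAN. Note that this only covers the TLS name check; as Dmitri and Petr say above, the HTTP/ Kerberos service principal on each server still has its own key, so a SAN does not by itself make a ticket for one server acceptable to the other.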