We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server. If you want to load balance by using a common DNS name in front of all servers, you will need to deal with issues with krb5 authentication.
At the very least you should add keys to all servers for a principal named after the common name. However we do not test this scenario and I am not 100% sure it works correctly when you factor in that we use GSSAPI also for replication.

Simo.

On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
> I believe LDAP can be load balanced without any problem. It is a TCP
> based protocol without persistent state between transactions so it
> should be just fine.
>
> Sent from my iPhone
>
> > On Apr 4, 2015, at 21:55, Janelle <janellenicol...@gmail.com> wrote:
> >
> > Hello everyone,
> >
> > Probably a quiet weekend for any responses, but I will toss this
> > out. I was wondering if anyone has had any issues with load balancers
> > and IPA? Not with Kerberos, since I know the protocol is designed
> > without load balancer support, but in the case of using the LDAP
> > portion? I am curious because the load balancing within sssd is not
> > really load balancing, but more fail-over. I am wondering what kind of
> > experience and maybe suggestions for a good LB setup anyone might
> > have.
> >
> > Thank You
> > ~J
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

--
Simo Sorce * Red Hat, Inc * New York
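An added example, not part of the original thread or of FreeIPA: a check that every server behind the common name holds a key for the shared principal, run over `klist -k` listings collected from each server's keytab. The host names, realm, keytab path and kvno values are constructed, and treating the highest kvno seen as the current one is an assumption.

```python
import re

# Constructed `klist -k` output per server; every name and number is invented.
HEADER = "Keytab name: FILE:/path/to/keytab\nKVNO Principal\n---- ----------------\n"
SAMPLE = {
    "ipa1.example.com": HEADER
        + "   3 ldap/ipa1.example.com@EXAMPLE.COM\n"
        + "   2 ldap/ldap.example.com@EXAMPLE.COM\n",
    "ipa2.example.com": HEADER
        + "   1 ldap/ipa2.example.com@EXAMPLE.COM\n"
        + "   1 ldap/ldap.example.com@EXAMPLE.COM\n",
    "ipa3.example.com": HEADER
        + "   4 ldap/ipa3.example.com@EXAMPLE.COM\n",
}

# A keytab entry line is "<kvno> <principal>@<realm>"; header lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")


def parse_klist(text):
    """Return {principal: set of kvnos} from `klist -k` output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys


def check_shared_principal(listings, principal):
    """Find servers that lack the shared principal or only hold an older key.

    A ticket for the common name is encrypted with one key version, so a
    server without that version cannot accept it.
    """
    found = {h: parse_klist(out).get(principal, set()) for h, out in listings.items()}
    # Assumption: the highest kvno in any keytab is the KDC's current one.
    newest = max((max(k) for k in found.values() if k), default=None)
    return {
        "missing": sorted(h for h, k in found.items() if not k),
        "stale": sorted(h for h, k in found.items() if k and newest not in k),
        "newest_kvno": newest,
    }


if __name__ == "__main__":
    print(check_shared_principal(SAMPLE, "ldap/ldap.example.com@EXAMPLE.COM"))
```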