On 4/4/15 11:44 AM, Dmitri Pal wrote:
On 04/04/2015 12:30 PM, Nadav Mavor wrote:
I use F5 and 3 IPA servers, no big issues, but some notes:
1) As noted, you can't use it for Kerberos
2) For the DNS we use group and not L/B due to the zone serial (the
zone serial num is not getting synced, so if you round robin you will get
a different zone num every time and it will mess up zone sync to
external DNS servers)
3) For the GUI (443) make sure to use stickiness so the user won't
get bounced after the login
I did not quite get 2) above...
Can you please describe it in more detail?
If you know how to make LB work with IPA's DNS and Kerberos, a nice
HOWTO wiki page would be really welcome!
On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce <s...@redhat.com> wrote:
We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
If you want to load balance by using a common DNS name in front of all
servers, you will need to deal with issues with krb5 authentication.
At the very least you should add keys to all servers for a principal
named after the common name. However we do not test this scenario and I
am not 100% sure it works correctly when you factor in that we use
GSSAPI also for replication.
Simo.
On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
> I believe LDAP can be load balanced without any problem. It is a TCP
> based protocol without persistent state between transactions so it
> should be just fine.
>
>
The reason I brought this up -
been doing some testing with different LBs and well, some of them seem
to cause a lot of stuck/CLOSE_WAIT ports, while others don't. My guess
is I am just incorrectly configuring the ones that are causing
problems. But I guess too, I was wondering if there were any known bugs
in some LBs for others, that would cause issues?
~J
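
Note 2) in the quoted F5 message (unsynchronised zone serials behind a round-robin balancer) can be checked with a small model. This is an added example, not code from the thread or from FreeIPA; the replica names and serials are constructed, and the comparison follows RFC 1982 serial arithmetic, which secondaries use to decide whether to transfer a zone.

```python
from functools import reduce

MOD = 1 << 32          # SOA serials are 32-bit
HALF = 1 << 31

# Constructed sample: hypothetical replica names and SOA serials.
REPLICAS = [("ipa1", 1428150001), ("ipa2", 1428149990), ("ipa3", 1428150007)]

def serial_newer(candidate, current):
    """RFC 1982 comparison: True if candidate is ahead of current (handles wrap)."""
    return 0 < (candidate - current) % MOD < HALF

def stale_replicas(replicas):
    """Names of replicas whose serial is not the newest one in the set."""
    newest = reduce(lambda a, b: b if serial_newer(b[1], a[1]) else a, replicas)
    return [name for name, serial in replicas if serial != newest[1]]

def poll_through_vip(replicas, polls, held):
    """Secondary's SOA refresh checks, answered round-robin by the replicas.

    Returns the serial the secondary ends up holding and one
    (replica, serial, action) tuple per poll.
    """
    events = []
    for i in range(polls):
        name, serial = replicas[i % len(replicas)]
        if serial == held:
            action = "current"
        elif serial_newer(serial, held):
            action, held = "transfer", serial   # secondary pulls the zone
        else:
            action = "behind"                   # primary appears to go backwards
        events.append((name, serial, action))
    return held, events

if __name__ == "__main__":
    print("replicas behind the newest serial:", stale_replicas(REPLICAS))
    held, events = poll_through_vip(REPLICAS, polls=6, held=1428149990)
    for name, serial, action in events:
        print(f"{name} answered {serial}: {action}")
    print("secondary holds", held)
```

Once the secondary has latched onto the highest serial, changes made on a replica with a lower serial are ignored until that replica's serial overtakes it, which is why the message above points external secondaries at a fixed server rather than the balanced address.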