Re: [Freeipa-users] loadbalancer?
On Fri, 22 Jan 2010 11:35:22 -0800 Doug Chapman wrote:
> We're currently running SunDS and using Citrix (Netscaler) load
> balancers to keep the load on our client facing LDAP servers balanced
> between 2 hosts.
>
> I'm evaluating FreeIPA and wondered if anyone can share any
> experience with using IPA behind a load balancer (or point me at
> wikidocs)?
>
> I know the ldap portion will work, it's the kerberos bits I'm
> unfamiliar with. Note, this would only be for client connections,
> not replication.

Hi Doug,
sorry for not replying earlier, I'd missed this message.

With krb5 you only have a problem if you want to use SASL/GSSAPI to authenticate LDAP clients to your servers. That's because clients need to acquire a ticket for the server they are going to connect to, but you basically lie to clients by using a load balancer and changing the target server without their knowledge. So clients will try to acquire a ticket in the name of the balancer (assuming you created a principal for it), and when they reach the server, the server will not be able to use it.

If you are not planning to use SASL/GSSAPI to authenticate clients to the LDAP server there should be no other issues.

Note that in v2 with sssd as a client we assume we can use SASL/GSSAPI by default, but with current clients/freeipa server we don't.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] DNS replica setup problem
Okay this is a weird one. I made a nice typo in my /etc/hosts file.

Proper hosts file:

[r...@ldap-4 tmp]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.134 ldap-4.quadrant.local ldap-4
172.16.2.135 ldap-5.quadrant.local ldap-5
172.16.2.136 ldap-6.quadrant.local ldap-6

Improper hosts file:

[r...@ldap-4 tmp]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.134 ldap-4 ldap-4.quadrant.local
172.16.2.135 ldap-5 ldap-5.quadrant.local
172.16.2.136 ldap-6 ldap-6.quadrant.local

I can see that the ipv6 local hosts line follows the improper format. Which just seems weird to me.

Thanks for the help though,
Scott

On Mon, Feb 1, 2010 at 11:18 AM, Simo Sorce wrote:
> On Mon, 1 Feb 2010 10:57:35 -0800
> Scott Kaminski wrote:
>
> > What is it that i'm missing here?
>
> Anything in /etc/hosts ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
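The name-ordering rule behind this thread (with "files" first in nsswitch.conf, the resolver's reverse lookup returns the first name on the matching /etc/hosts line) can be checked before running the installer. The following is an added example, not code from FreeIPA or from anyone in this thread; the check_replica_host function name and the simplified hosts-file parsing are assumptions, and the sample files are constructed from the two listings above.

```python
# Replicates the hostname vs. reverse-lookup check that tripped ipa-replica-install
# in this thread, using /etc/hosts text as input. With 'files' first in
# nsswitch.conf, gethostbyaddr() returns the FIRST name on the matching line as the
# canonical name, so 'IP shortname fqdn' makes the reverse lookup yield the short name.
import ipaddress


def parse_hosts(text):
    """Map each address to the ordered list of names on its line(s)."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises IPv4/IPv6
        except ValueError:
            continue  # first field is not an address; skip malformed line
        entries.setdefault(addr, []).extend(fields[1:])
    return entries


def reverse_lookup(entries, addr):
    """First name on the line wins, mirroring the resolver's canonical-name rule."""
    names = entries.get(str(ipaddress.ip_address(addr)))
    return names[0] if names else None


def check_replica_host(text, fqdn, addr):
    """Return a problem string, or None when the installer's check would pass."""
    canonical = reverse_lookup(parse_hosts(text), addr)
    if canonical is None:
        return f"no /etc/hosts entry for {addr}"
    if canonical != fqdn:
        return f"The host name {fqdn} does not match the reverse lookup {canonical}"
    return None


# Constructed samples reproducing the two files from the thread (ldap-6 line omitted).
PROPER = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.1.134 ldap-4.quadrant.local ldap-4
172.16.2.135 ldap-5.quadrant.local ldap-5
"""
IMPROPER = (PROPER.replace("ldap-4.quadrant.local ldap-4", "ldap-4 ldap-4.quadrant.local")
                  .replace("ldap-5.quadrant.local ldap-5", "ldap-5 ldap-5.quadrant.local"))

if __name__ == "__main__":
    for label, text in (("proper", PROPER), ("improper", IMPROPER)):
        print(label, check_replica_host(text, "ldap-4.quadrant.local", "10.10.1.134") or "OK")
```

Run it against the real file with check_replica_host(open("/etc/hosts").read(), fqdn, addr); it only models the "files" source, so if nsswitch.conf consults DNS first, dig -x is the lookup that matters.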
Re: [Freeipa-users] DNS replica setup problem
Scott Kaminski wrote:
> I'm not sure what I'm doing wrong here. I'm trying to setup a replica server and this is the output I'm getting:
>
> [r...@ldap-4 tmp]# ipa-replica-install -d replica-info-ldap-4.quadrant.local.gpg
> Directory Manager (existing master) password:
> root: INFO
> root: INFO
> gpg: WARNING: unsafe permissions on homedir `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg'
> gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/secring.gpg' created
> gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/pubring.gpg' created
> gpg: CAST5 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: WARNING: message was not integrity protected
> root: INFO
> root: INFO
> root: ERROR The host name ldap-4.quadrant.local does not match the reverse lookup ldap-4
>
> [r...@ldap-4 tmp]# dig +short -x 10.10.1.134
> ldap-4.quadrant.local.
> [r...@ldap-4 tmp]# dig +short ldap-4.quadrant.local A
> 10.10.1.134
> [r...@ldap-4 tmp]#
>
> What is it that I'm missing here?

Check /etc/hosts to be sure the FQDN appears first in the list for ldap-4.

rob

> Thanks,
Re: [Freeipa-users] DNS replica setup problem
On Mon, 1 Feb 2010 10:57:35 -0800
Scott Kaminski wrote:
> What is it that i'm missing here?

Anything in /etc/hosts ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] DNS replica setup problem
I'm not sure what I'm doing wrong here. I'm trying to setup a replica server and this is the output I'm getting:

[r...@ldap-4 tmp]# ipa-replica-install -d replica-info-ldap-4.quadrant.local.gpg
Directory Manager (existing master) password:
root: INFO
root: INFO
gpg: WARNING: unsafe permissions on homedir `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg'
gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpH1jmyzipa/ipa-YyPLbD/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
root: INFO
root: INFO
root: ERROR The host name ldap-4.quadrant.local does not match the reverse lookup ldap-4

[r...@ldap-4 tmp]# dig +short -x 10.10.1.134
ldap-4.quadrant.local.
[r...@ldap-4 tmp]# dig +short ldap-4.quadrant.local A
10.10.1.134
[r...@ldap-4 tmp]#

What is it that I'm missing here?

Thanks,