Hi all, I need advice or help with a freeIPA implementation behind an F5 BIG-IP
load balancer. My goal is to have all freeIPA services (including the JSON/XML API)
behind the load balancer for freeIPA clients.
>> Because RHEL support told me that IPA behind a load balancer is not supported, I
>> started from these articles (I recommend you read them, and I thank the people
>> who wrote them):
https://www.redhat.com/archives/freeipa-users/2015-March/msg00965.html
http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
https://ssimo.org/blog/id_019.html
https://access.redhat.com/solutions/547723
http://firstyear.id.au/blog/html/2015/12/11/Load_balanced_389_instance_with_freeipa_kerberos_domain..html
http://www.freeipa.org/page/V4/Keytab_Retrieval#Use_Case:_A_load_balancing_cluster_of_HTTP_server_that_allow_GSSAPI.2FKrb5_negotiation_.28TBD.29
https://www.freeipa.org/page/V4/Service_Constraint_Delegation
http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy
>> Now I have one pool with one freeIPA node (for easy debugging):
hostname: ipa-01.internal.services
>> And the VIP hostname for clients:
hostname: hub.internal.services
                        hub.internal.services
                      +----------------------+
                      |                      |
+----------+   TLS    |                      |   TLS    +--------------------------+
|          +--------->+     Loadbalancer     +--------->+ ipa-01.internal.services |
|  Client  |          |                      |          |                          |
|          |          |                      |          |       freeIPA node       |
+----------+          |                      |          +--------------------------+
                      +----------------------+
>> After ipa-server-install, I first created a fake host to which I assign
>> services. This is the fake host for the load balancer:
ipa host-add hub.internal.services --force --random
ipa host-allow-retrieve-keytab hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p host/hub.internal.services \
    -k /etc/krb5.keytab \
    -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
>> Second, I created the LDAP service, because I need a keytab for
>> ldap/hub.internal.services (after retrieval it is merged into
>> /etc/dirsrv/ds.keytab):
ipa service-add --force ldap/hub.internal.services
ipa service-add-host ldap/hub.internal.services --hosts=ipa-01.internal.services
ipa service-allow-retrieve-keytab ldap/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p ldap/hub.internal.services \
    -k /etc/dirsrv/ds.keytab \
    -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown dirsrv:dirsrv /etc/dirsrv/ds.keytab
>> Next, I created the HTTP service; I need a keytab for HTTP/hub.internal.services
>> (after retrieval it is merged into /etc/httpd/conf/ipa.keytab):
ipa service-add --force HTTP/hub.internal.services
ipa service-add-host HTTP/hub.internal.services \
    --hosts={ipa-01.internal.services,ipa-02.internal.services,ipa-03.internal.services}
ipa service-allow-retrieve-keytab HTTP/hub.internal.services --users=admin
ipa-getkeytab -s ipa-01.internal.services -p HTTP/hub.internal.services \
    -k /etc/httpd/conf/ipa.keytab \
    -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1,arcfour-hmac,camellia128-cts-cmac,camellia256-cts-cmac
chown apache:apache /etc/httpd/conf/ipa.keytab
>> Check keytabs:
klist -Kket /etc/krb5.keytab
klist -Kket /etc/dirsrv/ds.keytab
klist -Kket /etc/httpd/conf/ipa.keytab
All keytabs look like this:
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 13.5.2016 22:05:14  ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96)  (0x0b8140ce7a7a521cbacecda8902e7c7a6b61fd21758997fb2f2721d9f2d3c8e5)
   3 13.5.2016 22:05:14  ldap/ipa-01.internal.services@INTERNAL.SERVICES (aes128-cts-hmac-sha1-96)  (0x4247b97e7b2b62a49094105b86740537)
   3 13.5.2016 22:05:14  ldap/ipa-01.internal.services@INTERNAL.SERVICES (des3-cbc-sha1)  (0x67851f1a16f8df45b30b1a89fe677ad03eaeae6ba2940e4a)
   3 13.5.2016 22:05:14  ldap/ipa-01.internal.services@INTERNAL.SERVICES (arcfour-hmac)  (0xed6d8caba385fdd8b5775e2f17303fb6)
   1 13.5.2016 23:00:43  ldap/hub.internal.services@INTERNAL.SERVICES (aes256-cts-hmac-sha1-96)  (0x439341b1848dc91f02f6b38f2e04446e9f7f8547d8251a708dce99d1526e961a)
   1 13.5.2016 23:00:43  ldap/hub.internal.services@INTERNAL.SERVICES (aes128-cts-hmac-sha1-96)  (0x11e1c820db6b49bb9290c0c9e2888914)
   1 13.5.2016 23:00:43  ldap/hub.internal.services@INTERNAL.SERVICES (des3-cbc-sha1)  (0xbad3cb89fbf132abbcad29bcfd79fb4532cedfe90bf1078f)
   1 13.5.2016 23:00:43  ldap/h
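The "check keytabs" step above is where a load-balanced setup usually goes wrong: each node behind the VIP must hold the same key (same KVNO and the same key bytes) for the shared principal, and a fresh ipa-getkeytab run on a second node without the -r (retrieve) option generates a new key and bumps the KVNO, which quietly invalidates the copies the other nodes already have. The script below is an added example and not part of the original post or of FreeIPA: it parses klist -Kket output from several nodes, confirms the VIP principal is present with the required enctypes, flags RC4/3DES entries, and reports KVNO or key mismatches between nodes. The listings it runs on are constructed to mimic the post's output (host and principal names follow the post, the key bytes are fake); key material is only compared for equality and never printed, since klist -K exposes the raw keys and such listings should stay private.

```python
"""Check klist -Kket listings of several nodes for a shared FreeIPA VIP principal.

Added example, not from the original post. The listings below are constructed
to mimic the post's klist output; the key bytes are fake and the names follow
the post (VIP hub.internal.services, nodes ipa-0N.internal.services).
"""
import re
from collections import defaultdict

# One klist -Kket entry: KVNO, date, time, principal, (enctype), (0xkey).
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<principal>\S+@\S+)\s+\((?P<enctype>[^)]+)\)\s+\((?P<key>0x[0-9a-fA-F]+)\)\s*$"
)

# Enctypes a current deployment should not depend on (single DES, 3DES, RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}


def parse_klist(text):
    """Parse klist -Kket output into dicts with kvno, principal, enctype, key."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "kvno": int(m.group("kvno")),
                "principal": m.group("principal"),
                "enctype": m.group("enctype"),
                "key": m.group("key").lower(),
            })
    return entries


def check_vip_keytabs(listings, vip_principal, required_enctypes):
    """listings maps node name -> klist -Kket text of that node's keytab.

    Returns a list of findings; an empty list means every node holds the VIP
    principal with all required enctypes, the same KVNO and identical key
    bytes. Key bytes are compared but never included in a finding.
    """
    findings = []
    per_node = {}
    for node, text in listings.items():
        vip = [e for e in parse_klist(text) if e["principal"] == vip_principal]
        if not vip:
            findings.append(f"{node}: no entry for {vip_principal}")
            continue
        per_node[node] = vip
        have = {e["enctype"] for e in vip}
        missing = set(required_enctypes) - have
        if missing:
            findings.append(f"{node}: {vip_principal} lacks enctypes {sorted(missing)}")
        weak = have & WEAK_ENCTYPES
        if weak:
            findings.append(f"{node}: {vip_principal} carries weak enctypes {sorted(weak)}")

    # All nodes must agree on the KVNO; a mismatch is the signature of a
    # keytab fetched on one node without ipa-getkeytab -r (new key generated).
    kvnos = {node: sorted({e["kvno"] for e in vip}) for node, vip in per_node.items()}
    if len({tuple(v) for v in kvnos.values()}) > 1:
        findings.append(f"KVNO mismatch for {vip_principal} across nodes: {kvnos}")

    # Same KVNO and enctype must mean the same key bytes on every node.
    keys = defaultdict(set)
    for vip in per_node.values():
        for e in vip:
            keys[(e["kvno"], e["enctype"])].add(e["key"])
    for (kvno, enc), ks in sorted(keys.items()):
        if len(ks) > 1:
            findings.append(f"key material differs between nodes for kvno {kvno} {enc}")
    return findings


# --- constructed sample listings (fake keys, names as in the post) ---
VIP_HTTP = "HTTP/hub.internal.services@INTERNAL.SERVICES"
REQUIRED = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
HEADER = ("Keytab name: FILE:/etc/httpd/conf/ipa.keytab\n"
          "KVNO Timestamp           Principal\n"
          "---- ------------------- ---------\n")


def _entry(kvno, principal, enc, key):
    return f"   {kvno} 13.5.2016 23:00:43  {principal} ({enc})  ({key})\n"


K256, K128 = "0x" + "a1" * 32, "0x" + "b2" * 16          # fake shared VIP keys
NODE_OK_1 = (HEADER
             + _entry(3, "HTTP/ipa-01.internal.services@INTERNAL.SERVICES", REQUIRED[0], "0x" + "11" * 32)
             + _entry(1, VIP_HTTP, REQUIRED[0], K256) + _entry(1, VIP_HTTP, REQUIRED[1], K128))
NODE_OK_2 = (HEADER
             + _entry(3, "HTTP/ipa-02.internal.services@INTERNAL.SERVICES", REQUIRED[0], "0x" + "22" * 32)
             + _entry(1, VIP_HTTP, REQUIRED[0], K256) + _entry(1, VIP_HTTP, REQUIRED[1], K128))
# ipa-03 fetched the keytab afresh (no -r): new KVNO, new keys, plus an RC4 key.
NODE_STALE = (HEADER
              + _entry(2, VIP_HTTP, REQUIRED[0], "0x" + "c3" * 32)
              + _entry(2, VIP_HTTP, REQUIRED[1], "0x" + "d4" * 16)
              + _entry(2, VIP_HTTP, "arcfour-hmac", "0x" + "e5" * 16))

if __name__ == "__main__":
    for finding in check_vip_keytabs({"ipa-01": NODE_OK_1, "ipa-03": NODE_STALE}, VIP_HTTP, REQUIRED):
        print(finding)
```

In practice you would feed it the real output of klist -Kket /etc/httpd/conf/ipa.keytab (and the ds.keytab and krb5.keytab listings) collected from each node; an empty result means the VIP principal is usable on every node behind the load balancer.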