Re: [Freeipa-users] load balancers?

2015-04-04 Thread Janelle

On 4/4/15 11:44 AM, Dmitri Pal wrote:

On 04/04/2015 12:30 PM, Nadav Mavor wrote:

I use F5 and 3 IPA servers, no big issues, but some notes:
1) As noted, you can't use it for Kerberos.
2) For the DNS we use a group and not L/B, due to the zone serial (the
zone serial number is not getting synced, so if you round-robin you will
get a different zone serial every time and it will mess up zone sync to
external DNS servers).
3) For the GUI (443) make sure to use stickiness so the user won't
get bounced after the login.


I did not quite get 2) above...
Can you please describe it in more detail?
If you know how to make LB work with IPA's DNS and Kerberos, a nice
HOWTO wiki page would be really welcome!





On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce wrote:


We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
If you want to load balance by using a common DNS name in front of all
servers, you will need to deal with issues with krb5 authentication.

At the very least you should add keys to all servers for a principal
named after the common name. However we do not test this scenario and I
am not 100% sure it works correctly when you factor in that we use
GSSAPI also for replication.

Simo.

On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
> I believe LDAP can be load balanced without any problem. It is a
> TCP-based protocol without persistent state between transactions so it
> should be just fine.
>


The reason I brought this up -

I've been doing some testing with different LBs and, well, some of them
seem to cause a lot of stuck/CLOSE_WAIT ports, while others don't. My
guess is I am just incorrectly configuring the ones that are causing
problems.  But I guess, too, I was wondering if there were any known bugs
in some LBs that would cause issues for others?


~J


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
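
A quick check for the stuck/CLOSE_WAIT symptom Janelle describes, added here as an example; it is not code posted in this thread. It parses `ss -tan` output from an IPA server (the sample lines are constructed; the balancer at 10.0.0.100, the direct client at 10.0.0.23 and the server address 10.0.0.5 are assumptions) and counts CLOSE_WAIT sockets on the LDAP ports per peer address. CLOSE_WAIT means the peer already sent its FIN and the local process has not closed its side, so a pile-up keyed to one peer points at that balancer's connection handling (an idle timeout or a health check that opens and drops connections, for example) rather than at the clients behind it.

```python
from collections import Counter

# Constructed sample of `ss -tan` output on an IPA server (not real data).
# 10.0.0.5 is the IPA server, 10.0.0.100 a load balancer, 10.0.0.23 a direct
# client; all three addresses are assumptions made for this example.
SAMPLE_SS_OUTPUT = """\
State       Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN      0      128    *:389                *:*
ESTAB       0      0      10.0.0.5:389         10.0.0.100:51234
CLOSE-WAIT  1      0      10.0.0.5:389         10.0.0.100:51240
CLOSE-WAIT  1      0      10.0.0.5:389         10.0.0.100:51241
CLOSE-WAIT  1      0      10.0.0.5:636         10.0.0.100:51300
ESTAB       0      0      10.0.0.5:389         10.0.0.23:40112
CLOSE-WAIT  1      0      10.0.0.5:389         10.0.0.23:40113
TIME-WAIT   0      0      10.0.0.5:389         10.0.0.100:51100
"""


def parse_ss(text):
    """Return (state, local_ip, local_port, peer_ip, peer_port) tuples.

    Accepts the `ss` spelling of states (CLOSE-WAIT) and normalises it to the
    netstat spelling (CLOSE_WAIT) so the two can be compared.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip header / blank lines
            continue
        state = parts[0].replace("-", "_").upper()
        local_ip, local_port = parts[3].rsplit(":", 1)
        peer_ip, peer_port = parts[4].rsplit(":", 1)
        rows.append((state, local_ip, local_port, peer_ip, peer_port))
    return rows


def close_wait_by_peer(text, local_ports=("389", "636")):
    """Count CLOSE_WAIT sockets on the LDAP/LDAPS ports, keyed by peer IP."""
    counts = Counter()
    for state, _local_ip, local_port, peer_ip, _peer_port in parse_ss(text):
        if state == "CLOSE_WAIT" and local_port in local_ports:
            counts[peer_ip] += 1
    return dict(counts)


def suspect_peers(text, threshold=3):
    """Peers holding at least `threshold` CLOSE_WAIT sockets towards us.

    With a balancer in front, one peer address covers many clients, so the
    threshold should be set relative to the traffic that balancer carries.
    """
    return sorted(peer for peer, n in close_wait_by_peer(text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for peer, n in sorted(close_wait_by_peer(SAMPLE_SS_OUTPUT).items()):
        print("%-15s CLOSE_WAIT=%d" % (peer, n))
    print("suspect peers:", suspect_peers(SAMPLE_SS_OUTPUT))
```

Run it against the real `ss -tan` output on each IPA server while switching balancer products or settings; a count that tracks one balancer's address and keeps growing between runs is the leak, and the per-peer split separates it from clients that talk to the server directly.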

Re: [Freeipa-users] load balancers?

2015-04-04 Thread Dmitri Pal

On 04/04/2015 12:30 PM, Nadav Mavor wrote:

I use F5 and 3 IPA servers, no big issues, but some notes:
1) As noted, you can't use it for Kerberos.
2) For the DNS we use a group and not L/B, due to the zone serial (the
zone serial number is not getting synced, so if you round-robin you will
get a different zone serial every time and it will mess up zone sync to
external DNS servers).
3) For the GUI (443) make sure to use stickiness so the user won't
get bounced after the login.


I did not quite get 2) above...
Can you please describe it in more detail?
If you know how to make LB work with IPA's DNS and Kerberos, a nice HOWTO
wiki page would be really welcome!





On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce wrote:


We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
If you want to load balance by using a common DNS name in front of all
servers, you will need to deal with issues with krb5 authentication.

At the very least you should add keys to all servers for a principal
named after the common name. However we do not test this scenario and I
am not 100% sure it works correctly when you factor in that we use
GSSAPI also for replication.

Simo.

On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
> I believe LDAP can be load balanced without any problem. It is a
> TCP-based protocol without persistent state between transactions so it
> should be just fine.
>
> Sent from my iPhone
>
> > On Apr 4, 2015, at 21:55, Janelle <janellenicol...@gmail.com> wrote:
> >
> > Hello everyone,
> >
> > Probably a quiet weekend for any responses, but I will toss this
> > out.  I was wondering if anyone has had any issues with load balancers
> > and IPA? Not with Kerberos, since I know the protocol is designed
> > without load balancer support, but in the case of using the LDAP
> > portion?  I am curious because the load balancing within sssd is not
> > really load balancing, but more fail-over. I am wondering what kind of
> > experience and maybe suggestions for a good LB setup anyone might
> > have.
> >
> > Thank You
> > ~J
> >
>


--
Simo Sorce * Red Hat, Inc * New York








--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] load balancers?

2015-04-04 Thread Nadav Mavor
I use F5 and 3 IPA servers, no big issues, but some notes:
1) As noted, you can't use it for Kerberos.
2) For the DNS we use a group and not L/B, due to the zone serial (the zone
serial number is not getting synced, so if you round-robin you will get a
different zone serial every time and it will mess up zone sync to external
DNS servers).
3) For the GUI (443) make sure to use stickiness so the user won't get
bounced after the login.

On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce wrote:

> We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
> If you want to load balance by using a common DNS name in front of all
> servers, you will need to deal with issues with krb5 authentication.
>
> At the very least you should add keys to all servers for a principal
> named after the common name. However we do not test this scenario and I
> am not 100% sure it works correctly when you factor in that we use
> GSSAPI also for replication.
>
> Simo.
>
> On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
> > I believe LDAP can be load balanced without any problem. It is a
> > TCP-based protocol without persistent state between transactions so it
> > should be just fine.
> >
> > Sent from my iPhone
> >
> > > On Apr 4, 2015, at 21:55, Janelle wrote:
> > >
> > > Hello everyone,
> > >
> > > Probably a quiet weekend for any responses, but I will toss this
> > > out.  I was wondering if anyone has had any issues with load balancers
> > > and IPA? Not with Kerberos, since I know the protocol is designed
> > > without load balancer support, but in the case of using the LDAP
> > > portion?  I am curious because the load balancing within sssd is not
> > > really load balancing, but more fail-over. I am wondering what kind of
> > > experience and maybe suggestions for a good LB setup anyone might
> > > have.
> > >
> > > Thank You
> > > ~J
> > >
> >
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
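
A check for Nadav's point 2, added here as an example and not code from the thread or from FreeIPA. As Nadav observes, the SOA serial is not synchronised between the IPA DNS servers, so a secondary that refreshes through a round-robin VIP may reach a server whose serial is lower than the one it already holds and conclude there is nothing new, or transfer the same zone repeatedly as it bounces between serials. The script parses `dig +short <zone> SOA @<server>` answers collected from each server (the answers below are constructed; the zone example.test and the server names are assumptions), reports which servers lag the newest serial, and tells you which servers a secondary holding a given serial would ignore. Serial comparison follows RFC 1982 sequence-space arithmetic so a wrapped serial is handled correctly.

```python
# Constructed `dig +short example.test SOA @<server>` answers from three IPA
# DNS servers (not real data; the zone and host names are assumptions).
SAMPLE_SOA_ANSWERS = {
    "ipa1.example.test": "ipa1.example.test. hostmaster.example.test. 1428164321 3600 900 1209600 3600",
    "ipa2.example.test": "ipa2.example.test. hostmaster.example.test. 1428164298 3600 900 1209600 3600",
    "ipa3.example.test": "ipa3.example.test. hostmaster.example.test. 1428164321 3600 900 1209600 3600",
}

SERIAL_BITS = 32


def parse_soa(answer):
    """Parse the seven fields of a `dig +short ... SOA` answer line."""
    fields = answer.split()
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return {"mname": fields[0], "rname": fields[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire,
            "minimum": minimum}


def serials_by_server(answers):
    """Map server name -> SOA serial it currently serves."""
    return {server: parse_soa(ans)["serial"] for server, ans in answers.items()}


def serial_newer(a, b):
    """RFC 1982 comparison: True if serial a is newer than serial b.

    Serials live in a 2**32 sequence space; a is newer when the forward
    distance from b to a is less than half the space.
    """
    return a != b and ((a - b) % (1 << SERIAL_BITS)) < (1 << (SERIAL_BITS - 1))


def lagging_servers(answers):
    """Servers whose serial is older than the newest one seen, with that serial."""
    serials = serials_by_server(answers)
    newest = None
    for s in serials.values():
        if newest is None or serial_newer(s, newest):
            newest = s
    return {server: s for server, s in serials.items() if serial_newer(newest, s)}


def servers_secondary_would_ignore(answers, secondary_serial):
    """Servers that a secondary holding `secondary_serial` would not transfer
    from, because their serial is not newer than what it already has."""
    return sorted(server for server, s in serials_by_server(answers).items()
                  if not serial_newer(s, secondary_serial))


def round_robin_safe(answers):
    """True only when every server serves the same serial, i.e. a secondary
    gets a consistent answer whichever server the VIP hands it."""
    return not lagging_servers(answers)


if __name__ == "__main__":
    print("serials:", serials_by_server(SAMPLE_SOA_ANSWERS))
    print("lagging:", lagging_servers(SAMPLE_SOA_ANSWERS))
    print("safe behind round-robin VIP:", round_robin_safe(SAMPLE_SOA_ANSWERS))
```

The practical consequence is the one Nadav arrived at: point external secondaries at the individual IPA servers (a fixed master list, or a group in the balancer's terms) rather than at a VIP that rotates between them, and run the check above before assuming any VIP can front the zone.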

Re: [Freeipa-users] load balancers?

2015-04-04 Thread Simo Sorce
We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server.
If you want to load balance by using a common DNS name in front of all
servers, you will need to deal with issues with krb5 authentication.

At the very least you should add keys to all servers for a principal
named after the common name. However we do not test this scenario and I
am not 100% sure it works correctly when you factor in that we use
GSSAPI also for replication.

Simo.

On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote:
> I believe LDAP can be load balanced without any problem. It is a
> TCP-based protocol without persistent state between transactions so it
> should be just fine.
>
> Sent from my iPhone
>
> > On Apr 4, 2015, at 21:55, Janelle wrote:
> >
> > Hello everyone,
> >
> > Probably a quiet weekend for any responses, but I will toss this
> > out.  I was wondering if anyone has had any issues with load balancers
> > and IPA? Not with Kerberos, since I know the protocol is designed
> > without load balancer support, but in the case of using the LDAP
> > portion?  I am curious because the load balancing within sssd is not
> > really load balancing, but more fail-over. I am wondering what kind of
> > experience and maybe suggestions for a good LB setup anyone might
> > have.
> > 
> > Thank You
> > ~J
> > 
> 


-- 
Simo Sorce * Red Hat, Inc * New York

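
A way to verify the keytab side of what Simo describes, added here as an example; it is not code from the thread or from FreeIPA. For SASL/GSSAPI the client asks the KDC for a ticket to the service principal of the name it connected to, so when that name is the common DNS name every server behind it must hold a key for that principal. The script parses `klist -k` output collected from each server (the samples are constructed; the server names, the realm EXAMPLE.TEST, the keytab path and the shared principal ldap/ipa.example.test@EXAMPLE.TEST are all assumptions) and reports servers that lack the shared principal and servers whose KVNO for it differs. A KVNO that differs between servers normally means the key was generated afresh on one of them rather than the same key being distributed, so the keytab with the older KVNO no longer matches what the KDC issues tickets against.

```python
import re

# Constructed `klist -k` output from three IPA servers (not real data). The
# keytab path, host names, realm and the shared principal are assumptions.
SAMPLE_KLIST = {
    "ipa1.example.test": """\
Keytab name: FILE:/path/to/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ipa1.example.test@EXAMPLE.TEST
   3 ldap/ipa1.example.test@EXAMPLE.TEST
   1 ldap/ipa.example.test@EXAMPLE.TEST
   1 ldap/ipa.example.test@EXAMPLE.TEST
""",
    "ipa2.example.test": """\
Keytab name: FILE:/path/to/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ipa2.example.test@EXAMPLE.TEST
   2 ldap/ipa2.example.test@EXAMPLE.TEST
   2 ldap/ipa.example.test@EXAMPLE.TEST
   2 ldap/ipa.example.test@EXAMPLE.TEST
""",
    "ipa3.example.test": """\
Keytab name: FILE:/path/to/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 ldap/ipa3.example.test@EXAMPLE.TEST
   4 ldap/ipa3.example.test@EXAMPLE.TEST
""",
}

# One keytab entry line: a KVNO followed by the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Map principal -> set of KVNOs present in `klist -k` output.

    klist prints one line per key (one per encryption type), so the same
    principal normally appears several times with the same KVNO.
    """
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if not match:          # header, separator and blank lines
            continue
        kvno, principal = int(match.group(1)), match.group(2)
        entries.setdefault(principal, set()).add(kvno)
    return entries


def shared_principal_report(klist_by_server, principal):
    """Check that every server holds a key for `principal` at the same KVNO.

    Returns the highest KVNO per server (None when absent), the servers
    missing the principal, and whether the present KVNOs disagree.
    """
    kvnos = {}
    for server, text in klist_by_server.items():
        found = parse_klist(text).get(principal)
        kvnos[server] = max(found) if found else None
    missing = sorted(server for server, k in kvnos.items() if k is None)
    present = {k for k in kvnos.values() if k is not None}
    return {"missing": missing, "kvnos": kvnos, "kvno_mismatch": len(present) > 1}


if __name__ == "__main__":
    report = shared_principal_report(SAMPLE_KLIST, "ldap/ipa.example.test@EXAMPLE.TEST")
    print("missing on:", report["missing"])
    print("KVNO per server:", report["kvnos"])
    print("KVNO mismatch:", report["kvno_mismatch"])
```

In the constructed sample ipa3 has no key for the shared name at all, and ipa1 and ipa2 hold different KVNOs for it, so only one of those two can actually accept a ticket issued for the common name; clients that land on the other will see GSSAPI failures that look intermittent because they depend on which server the balancer chose.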


Re: [Freeipa-users] load balancers?

2015-04-04 Thread Brian Topping
I believe LDAP can be load balanced without any problem. It is a TCP-based 
protocol without persistent state between transactions so it should be just 
fine. 

Sent from my iPhone

> On Apr 4, 2015, at 21:55, Janelle wrote:
> 
> Hello everyone,
> 
> Probably a quiet weekend for any responses, but I will toss this out.  I was 
> wondering if anyone has had any issues with load balancers and IPA? Not with 
> Kerberos, since I know the protocol is designed without load balancer 
> support, but in the case of using the LDAP portion?  I am curious because the 
> load balancing within sssd is not really load balancing, but more fail-over. 
> I am wondering what kind of experience and maybe suggestions for a good LB 
> setup anyone might have.
> 
> Thank You
> ~J
> 



[Freeipa-users] load balancers?

2015-04-04 Thread Janelle

Hello everyone,

Probably a quiet weekend for any responses, but I will toss this out.  I 
was wondering if anyone has had any issues with load balancers and IPA? 
Not with Kerberos, since I know the protocol is designed without load 
balancer support, but in the case of using the LDAP portion?  I am 
curious because the load balancing within sssd is not really load 
balancing, but more fail-over. I am wondering what kind of experience 
and maybe suggestions for a good LB setup anyone might have.


Thank You
~J
