I've used shared keytabs before to create a load-balanced Squid instance. This way you don't even need to use sticky balancing, since all nodes that have the key material will be able to decrypt TGSs for the shared service. Be sure to use the -r option with ipa-getkeytab, otherwise the secret will be reset. Alternatively you can just copy the keytab entries.
-------- Original message --------
From: William Muriithi via FreeIPA-users freeipa-users@lists.fedorahosted.org
Date: 11-08-17 21:02 (GMT+01:00)
To: freeipa-users@lists.fedorahosted.org
Cc: William Muriithi william.muriithi@gmail.com
Subject: [Freeipa-users] Can Load balanced HTTP service use kerberos authentication?
Afternoon,
I am attempting to add redundancy to a system that we are currently using and that uses Apache as its web server. Apache is using IPA for user authentication.
To do this, I will have to use a load balancer in front of the two servers, and the original setup doesn't seem to work fine with the load balancer in front. For one, the load balancer is not an IPA client, so I can't set up a Service Principal Name there.
Is this kind of setup currently supported by IPA? Has anyone deployed it and wouldn't mind sharing the experience? I am just a bit cautious about taking the steps as the system is already in production. I have researched this morning and the only link I see is this.
https://www.freeipa.org/page/V4/Keytab_Retrieval
Not sure if it was ever implemented, as there is no discussion of it on the Free-IPA mailing list.
IPA server: ipa-server-4.4.0-14.el7_3.6.x86_64
Apache: (IPA client) httpd-2.4.6-45.el7
Regards,
William
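A check for the failure mode the reply warns about, as an added example that is not part of the thread: if ipa-getkeytab is run on one node without -r, the service key is regenerated and its KVNO goes up, so the other nodes' keytabs go stale. The script compares `klist -kte` output collected from each backend; the principal name, node names and sample listings are constructed assumptions.

```python
import re

# One entry line of `klist -kte`: KVNO, date, time, principal, (enctype)
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text, principal):
    """Return {enctype: highest kvno} for one principal from `klist -kte` output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2) == principal:
            keys[m.group(3)] = max(int(m.group(1)), keys.get(m.group(3), 0))
    return keys

def compare_nodes(listings, principal):
    """listings maps node name -> klist output; returns a list of problems."""
    parsed = {node: parse_klist(text, principal) for node, text in listings.items()}
    problems = [f"{n}: no entry for {principal}" for n, k in parsed.items() if not k]
    present = {n: k for n, k in parsed.items() if k}
    if not present:
        return problems
    newest = max(max(k.values()) for k in present.values())
    all_etypes = set().union(*present.values())
    for node, keys in sorted(present.items()):
        if max(keys.values()) < newest:
            problems.append(f"{node}: kvno {max(keys.values())} < {newest}, "
                            "key was regenerated elsewhere")
        missing = all_etypes - set(keys)
        if missing:
            problems.append(f"{node}: missing enctypes {sorted(missing)}")
    return problems

# Constructed sample data (hypothetical principal, not from the thread).
PRINCIPAL = "HTTP/www.example.com@EXAMPLE.COM"

def sample(kvno):
    rows = [f"{kvno:>4} 08/11/2017 21:10:03 {PRINCIPAL} ({e})"
            for e in ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")]
    return "\n".join(["Keytab name: FILE:/etc/httpd/conf/http.keytab",
                      "KVNO Timestamp           Principal",
                      "---- ------------------- ----------------"] + rows)

if __name__ == "__main__":
    # web1 was re-keyed without -r; web2 still holds the previous key.
    for problem in compare_nodes({"web1": sample(3), "web2": sample(2)}, PRINCIPAL):
        print(problem)
```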