On Fri, 04 Nov 2022, Ronald Wimmer via FreeIPA-users wrote:
>On 09.06.22 11:56, Ronald Wimmer via FreeIPA-users wrote:
>>IPA heavily relies on DNS entries. In my opinion, this design makes
>>it more difficult to quickly disable one or more IPA servers -
>>especially when using IPA in combination with external DNS (managed
>>by a different department).
>>
>>Would it be possible to put all relevant DNS entries on a
>>load balancer VIP and let the LB resolve to all IPA servers?
>>
>>E.g. instead of having 8 DNS entries for
>>_kerberos-master._tcp.linux.oebb.at for each of our 8 IPA servers I
>>would have just one _kerberos-master._tcp.linux.oebb.at entry. The
>>LB would distribute requests in such a setup.
>>
>>Is it possible to do that or would it break some IPA functionality?
>
>As the question came up again I would highly appreciate hearing from
>the IPA developers.
>IMHO using an enterprise grade load balancer would have several
>advantages over DNS round robin.
If you want something like that, please invest your own time and share
the results. It may sound harsh, but there are multiple issues with
centralized load balancers when interacting with Kerberos services,
specifically in degrading the overall security of such a solution. You'd
need to understand what you are getting into and whether a specific
solution is secure enough for your own situation. There is no general
guideline, but some of the problems and hints on how to address them are
available in this old but true post by Simo:
https://ssimo.org/blog/id_019.html
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
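As an added illustration (not part of this thread, and not FreeIPA or MIT krb5 code), the following shows what the eight per-server SRV records the question mentions give a client that follows RFC 2782: failover by priority group, weighted distribution within a group, and removal of one server from rotation by dropping its record. The eight server names and the priority split are constructed for the example; only the SRV name comes from the thread.

```python
"""RFC 2782 SRV selection over a constructed set of Kerberos KDC records."""
import random
from dataclasses import dataclass

# The SRV name quoted in the thread. The targets below are constructed.
SRV_NAME = "_kerberos-master._tcp.linux.oebb.at"


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower value is tried first; equal values form one group
    weight: int     # relative share within a priority group; 0 = almost never
    port: int
    target: str


# Constructed example: four preferred KDCs (priority 0) and four fallback
# KDCs (priority 10), all equally weighted within their group.
RECORDS = [SrvRecord(0, 100, 88, f"ipa{i}.linux.oebb.at") for i in range(1, 5)] + \
          [SrvRecord(10, 100, 88, f"ipa{i}.linux.oebb.at") for i in range(5, 9)]


def order_srv(records, seed=None):
    """Return records in the order an RFC 2782 client would try them."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight-0 records are placed first so they are selected
        # only when the random roll is exactly 0.
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            roll = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec.weight
                if running >= roll:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


def drain_server(records, target):
    """Take one server out of rotation by deleting its SRV record, the
    DNS-side counterpart of removing a backend from a load balancer pool."""
    return [r for r in records if r.target != target]


if __name__ == "__main__":
    for rec in order_srv(RECORDS):
        print(f"{SRV_NAME} -> {rec.target}:{rec.port} (prio {rec.priority})")
```

With a real resolver the record set would come from a SRV query for `SRV_NAME`; here it is embedded so the selection logic can be run offline.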