I've used shared keytabs before to create a load-balanced Squid instance. This way you don't even need to use sticky balancing, since all nodes that have the key material will be able to decrypt TGSs for the shared service. Be sure to use the -r option with ipa-getkeytab, otherwise the secret will be reset. Alternatively, you can just copy the keytab entries.



-------- Original message --------
From: William Muriithi via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Date: 11-08-17 21:02 (GMT+01:00)
To: freeipa-users@lists.fedorahosted.org
Cc: William Muriithi <william.muriithi@gmail.com>
Subject: [Freeipa-users] Can Load balanced HTTP service use kerberos authentication?

Afternoon,

I am attempting to add redundancy to a system that we are currently
using and that uses Apache as the web server.  Apache is using IPA for
user authentication.

To do this, I will have to use a load balancer in front of the two
servers, and the original setup doesn't seem to work fine with the load
balancer in front.   For one, the load balancer is not an IPA client,
so I can't set up a Service Principal Name there.

Is this kind of setup currently supported by IPA?  Has anyone
deployed it and wouldn't mind sharing the experience?  I am just a bit
cautious about taking the steps as the system is already in production.  I
have researched this morning and the only link I see is this.

https://www.freeipa.org/page/V4/Keytab_Retrieval

Not sure if it was ever implemented, as there is no discussion of it on
the FreeIPA mailing list.

IPA server:
ipa-server-4.4.0-14.el7_3.6.x86_64

Apache: (IPA client)
httpd-2.4.6-45.el7

Regards,
William
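
The reply above warns that running ipa-getkeytab without -r resets the service secret. The following is an added example, not part of the original thread: it compares `klist -kte` listings from each backend node and reports nodes whose keytab lacks the newest key version. The principal name, keytab path and listings are constructed placeholders, and the check assumes the highest kvno seen on any node is the key the KDC currently uses.

```python
import re

# One entry line of `klist -kte` output: KVNO, date, time, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal: set of (kvno, enctype)} from `klist -kte` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(principal, set()).add((kvno, enctype))
    return entries

def stale_nodes(listings, principal):
    """Return {node: reason} for nodes whose keytab lacks the newest key."""
    keys = {node: parse_klist(text).get(principal, set())
            for node, text in listings.items()}
    all_keys = set().union(*keys.values())
    if not all_keys:
        return {node: "principal missing" for node in keys}
    newest = max(kvno for kvno, _ in all_keys)
    wanted = {k for k in all_keys if k[0] == newest}
    problems = {}
    for node, have in keys.items():
        if not have:
            problems[node] = "principal missing"
        elif wanted - have:
            missing = ", ".join(e for _, e in sorted(wanted - have))
            problems[node] = f"missing kvno {newest}: {missing}"
    return problems

# Constructed sample: web2's keytab was fetched without -r, so the secret was
# reset (kvno 3) and web1 still holds only the old kvno 2 keys.
PRINCIPAL = "HTTP/www.example.com@EXAMPLE.COM"  # placeholder principal
HEADER = ("Keytab name: FILE:/etc/httpd/conf/http.keytab\n"  # placeholder path
          "KVNO Timestamp           Principal\n"
          "---- ------------------- --------------------------------\n")
SAMPLE = {
    "web1": HEADER
    + "   2 08/11/2017 15:02:11 " + PRINCIPAL + " (aes256-cts-hmac-sha1-96)\n"
    + "   2 08/11/2017 15:02:11 " + PRINCIPAL + " (aes128-cts-hmac-sha1-96)\n",
    "web2": HEADER
    + "   3 08/11/2017 16:40:05 " + PRINCIPAL + " (aes256-cts-hmac-sha1-96)\n"
    + "   3 08/11/2017 16:40:05 " + PRINCIPAL + " (aes128-cts-hmac-sha1-96)\n",
}

if __name__ == "__main__":
    for node, reason in stale_nodes(SAMPLE, PRINCIPAL).items():
        print(f"{node}: {reason}")
```

A node flagged here will fail to decrypt service tickets issued under the newer key until it receives the current keytab entries.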