On 10.06.22 15:19, Brendan Kearney via FreeIPA-users wrote:
> I think you need to break apart the pieces of IPA you want to load
> balance. The LDAP pieces might be handled differently than the Kerberos
Of course, I am aware of that.
> I am not using IPA, but I do have load balanced OpenLDAP and
> sharing" MIT KDCs. My LDAP instances are behind HAProxy. I needed to
> add the olcSuffix directive to the config database in all cases. This
> tells the instances to answer queries for the stated DN, dc=bpk2,dc=com
> in my case. I am not sure if this can be done in IPA, or what means are
> required in order to implement it if it can be done.
Ok. Let's see what the IPA devs will say...
> A fancy trick I did with HAProxy is to have multiple VIPs set up,
> the same name but a different port, so that I could access the
> individual LDAP servers via alternate ports, or access the whole pool of
> servers on the standard port 389. By using the same DNS name on the
> VIP, and having the Kerberos Principal match the VIP name, I am able to
> use Kerberos to AuthN against all the servers. So, one DNS name, with
> matching Kerberos Principal, and multiple ports (389 for all, 390 for
> server1, 391 for server2,...) gets me load balanced LDAP. Trust me,
> having the individual access the servers is a huge troubleshooting and
We're using Citrix ADC. The ports could stay the same in our case.
> I set up my KAdmin servers in the same fashion as above, as they are
> stateful communications and are TCP protocols, but did not go through
> the effort of setting up the alternate ports. It might be something I
> do in the near future. It's mostly a copy/paste/reload effort, since I
> have the main VIP setup in HAProxy already.
> Because HAProxy does not load balance UDP, I chose to use Anycast for
> the UDP KRB5KDC protocol, which is stateless. You might choose to
> implement nginx, which might cover both the TCP and UDP protocols,
> instead of HAProxy and Anycast like I did.
AFAIK, we could even do UDP load balancing. But we'll see what the IPA
devs say. Where it makes sense and where not.
> I run the quagga routing package on the servers, so they participate in
> dynamic routing. I chose iBGP over OSPF, but you can use either. I
> configured KRB5KDC to listen on a virtual interface stacked on the
> loopback, a la lo:6 (yes, there are 5 other Anycast services running...
> points if you can guess what they are). On each of the servers, the
> lo:6 interface has the IP 192.168.254.6 assigned. With iBGP, and
> "maximum-paths" set to 4, I can have up to 4 hosts injecting a route to
> 192.168.254.6, for active load sharing via Anycast. The IP resolves to
> the DNS entries I use in krb5.conf, etc., or what is configured in the SRV
> Because the servers inject the route, the DNS name stays the same, and
> does not need to be updated because a new or different server is
> introduced to the mix. The Anycast solution does not have much logic
> for fault tolerance. The load sharing, as I call it, is simply a
> routing decision based on a hash of the source and destination. It's a
> little more intelligent than DNS round-robin, but not quite a load
> balancing algorithm like least connections.
I think we could cope with all that with Citrix ADC.
> I do not have an elegant solution for when a service crashes or
> otherwise goes down, and a means to tie the event to the route being
> pulled. I am looking at how I can tie things together via systemd and
> the BindsTo directive.
This scenario would be handled by the ADC automatically. In my opinion,
this is the major advantage over the DNS round robin setup IPA uses by
> Sadly, there are a couple pieces to tie together
> and not everything is straightforward. krb5kdc.service would need to be
> bound to a systemd-networkd interface, which is monitored by quagga's
> built-in "link-detect" directive, but because I am stacking things on
> the loopback, the "link-detect" mechanism does not work. quagga
> considers the interface as a pseudo interface and therefore does not pay
> attention to it. I say this because in Production use, outages will
> occur when an Anycast'd service goes down and the dynamic routing does
> not update with the appropriate route being removed.
> hope this helps,
I do highly appreciate your detailed answer! Thanks for taking the time!
As we do have an IPA test setup, I could try everything I have in mind.
With input from the IPA devs I could write a blog post about this when I
get everything working.
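As an added illustration of the "one DNS name, many ports" HAProxy trick quoted above (this is not Brendan's configuration nor anything from the FreeIPA project), the fragment below puts the LDAP pool on 389 and each server on its own port of the same VIP, and proxies kadmin the same way. The VIP 192.0.2.10, the backends 192.0.2.21/22 and 192.0.2.31/32, and the name ldap.example.test are placeholders.

```haproxy
# Added example, not the poster's config. Placeholder addresses:
# VIP 192.0.2.10 is the A record for ldap.example.test. The service
# principal clients ask for must be ldap/ldap.example.test, i.e. the
# VIP's DNS name, so the same keytab entry works for every backend.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 10m
    timeout server 10m

# Port 389: the whole pool. ldap-check performs an anonymous LDAPv3
# bind, so a backend that stops answering LDAP leaves the rotation.
listen ldap_pool
    bind 192.0.2.10:389
    balance leastconn
    option ldap-check
    server ldap1 192.0.2.21:389 check
    server ldap2 192.0.2.22:389 check

# Same VIP, alternate ports: 390 reaches only ldap1, 391 only ldap2.
# A client can be pointed at one server for troubleshooting while
# still presenting the VIP name (and matching principal) to Kerberos.
listen ldap_server1
    bind 192.0.2.10:390
    option ldap-check
    server ldap1 192.0.2.21:389 check

listen ldap_server2
    bind 192.0.2.10:391
    option ldap-check
    server ldap2 192.0.2.22:389 check

# kadmin is stateful TCP (port 749) and can be proxied the same way.
# UDP KDC traffic is not covered: HAProxy does not proxy UDP, which is
# why the quoted reply uses Anycast for krb5kdc.
listen kadmin_pool
    bind 192.0.2.10:749
    server kdc1 192.0.2.31:749 check
    server kdc2 192.0.2.32:749 check
```

If the backends serve LDAPS or STARTTLS, their certificates must also carry ldap.example.test as a SAN, since clients validate the VIP name rather than the individual hostnames.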