On Tue, 2018-03-20 at 09:46 +0000, Alex M wrote:
> Hello!
> I'm trying to set up balancing of freeipa with haproxy, using this article:
> http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
>
> On this step:
> -------
> On the ldap1 server you should extract this keytab:
>
> kinit <account with admins privilege>
> ipa-getkeytab -s dc.ipa.example.com -p ldap/haproxydemo.ipa.example.com -k /etc/dirsrv/slapd-localhost/ldap.keytab --retrieve
>
> Important is the --retrieve flag to prevent the keytab contents
> changing.
> ------
> First, I got a "failed to parse result insufficient access rights"
> error.
>
> After:
> ipa service-allow-retrieve-keytab ldap/haproxydemo.ipa.example.com --groups=admins
>
> I get the following error:
> Failed to parse result: krbPrincipalKey not found
>
> So I ran it without the -r key. It succeeded.
> Then I add KRB5_KTNAME=/etc/dirsrv/slapd-localhost/ldap.keytab
> to /etc/sysconfig/dirsrv-<instance>.
> After this, freeipa fails to start.
> In my setup, haproxydemo.ipa.example.com is a haproxy (with ipa
> client, A/PTR records).
>
> ldap1.ipa.example.com (ldap2, ldap3) are working freeipa replicas.
>
> Any advice on what I am doing wrong?

I'm not 100% sure about freeipa. They may have their own advice about load balancing their installs.

I would suspect that you don't have a service account and principal for ldap/haproxydemo.ipa.example.com, which is why it can't be found.

Hope that helps,