In the recent months I have been getting more and more questions about identity management (IdM) in Red Hat Enterprise Linux and best practices around load balancing. This post dives into the details and recommendations related to this subject.
IdM provides several protocols:
Kerberos - this protocol is used for the authentication and ticket acquisitions. There are actually two distinct parts of the protocol. One part is the main authentication and ticket exchange protocol, another is related to the administrative activity, things like password change.
The Kerberos protocol is not good for load balancing using traditional load balancers. The protocol is built in such a way that load balancer will be viewed as a man in the middle. There are couple ways to deal with the situation. The details are well covered in the following blog post. The summary is that it is not recommended to load balance Kerberos communication between IdM clients and IdM servers.
Kerberos’ client library has built-in timeout, retry, and failover capabilities. It also chooses the server either based on the explicit server list configured in krb5.conf on the client or by looking up server SRV record in DNS. If you are concerned about load on your servers use a DNS server that can serve different SRV records based on the load.
IdM DNS server serves Service Location (SRV) records randomly, so load balancing can be achieved in this way and it is usually sufficient. There were recent upstream improvements to respect priority order based on the server weights. So far we have not actually seen a precedent where current implementation was not sufficient so the improvement is more to match standards and general expectations.
LDAP - this protocol is used by the clients to fetch identity information but also sometimes for the authentication, especially if systems that do not have the System Security Services Daemon (SSSD) are integrated with IdM. Also, if IdM acts as an LDAP back end for an application authentication, applications can connect to IdM using an LDAP driver available in the framework the application is build with. So we have really two different cases:
- LDAP connections from SSSD enabled clients
- LDAP connections from legacy systems, UNIXes and applications
SSSD has built in timeout, retry, and failover capabilities similar to the ones described above for Kerberos. Adding a load balancer between SSSD and IdM does not add any value and rather complicates the environment. It should be noted that SSSD uses Kerberos based authentication for such LDAP connection by default. This makes using a load balancer even less attractive.
The LDAP connections from legacy systems, UNIXes, and applications -- usually password authentication -- can be load balanced if there a real need. The need may emerge from cases when there are a lot of chatty applications that use IdM as a back end.
But before introducing load balancer try without it and see if the load is sustained. Introduce a balancer with sticky sessions only if the tests were conducted and default configuration really does not meet the needs.
Administrative protocol of HTTPs - This protocol is used for all administrative activity driven by IdM CLI and UI as well as client registration operations invoked during the installation of an IPA client (ipa-client-install). In other words, if you do not use the CLI interface remotely, but prefer to run IdM CLI only on servers it will be used only during client registration/enrollment.
This protocol uses Kerberos for authentication and keeps the session stored on the client. In the first place the client tries to connect to the server that the client was enrolled with. This server is recorded in the client configuration as the default. If the server does not respond the client will look at the LDAP SRV records and will try those based on the return order which is currently random, until the upstream fixes make their way into a release.
While it is possible to load balance this traffic it is usually enough to require a load balancer.
This table summarizes the recommendations above:
Client |
Used Protocols |
Native Capabilities |
Load Balancing recommendation |
SSSD |
Kerberos, LDAP |
Capable of failover |
Use DNS for load balancing do not use a load balancer. |
UNIX |
LDAP |
Limited failover capabilities |
Load balancing can be introduced if there is a real need. Recommendation is not to do it until proven that it is needed. |
Applications |
LDAP |
Framework dependent |
Load balancing can be introduced if there is a real need. Recommendation is not to do it until proven that it is needed. |
Administrative client (CLI/UI/Client installation) |
HTTPS |
No fail over |
Load balancing with sticky sessions can potentially be used but it will add more complexity and fragility to the environment. If you see challenges in this area please open as support case and we will be glad to assess the situation and consider improvements. |
Summary
Using load balancers with IdM is possible, but not recommended. Make sure you consider the use case thoroughly before implementing load balancing with IdM.
For Red Hat Enterprise Linux customers, if you see a real need for introduction of load balancers in your environment please contact your technical account manager or open a support case at the design and prototyping phase of your project. We can give advice as to whether the configuration will be supported or not.
저자 소개
유사한 검색 결과
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.