Ce contenu n'est pas disponible dans la langue sélectionnée.
11.4. Configuring Clustered Services
The IdM server is not cluster aware. However, it is possible to configure a clustered service to be part of IdM by synchronizing Kerberos keys across all of the participating hosts and configuring services running on the hosts to respond to whatever names the clients use.
- Enroll all of the hosts in the cluster into the IdM domain.
- Create any service principals and generate the required keytabs.
- Collect any keytabs that have been set up for services on the host, including the host keytab at
/etc/krb5.keytab. - Use the
ktutilcommand to produce a single keytab file that contains the contents of all of the keytab files.- For each file, use the
rktcommand to read the keys from that file. - Use the
wktcommand to write all of the keys which have been read to a new keytab file.
- Replace the keytab files on each host with the newly-created combined keytab file.
- At this point, each host in this cluster can now impersonate any other host.
- Some services require additional configuration to accommodate cluster members which do not reset hostnames when taking over a failed service.
- For
sshd, setGSSAPIStrictAcceptorCheck noin/etc/ssh/sshd_config. - For
mod_auth_kerb, setKrbServiceName Anyin/etc/httpd/conf.d/auth_kerb.conf.
Note
For SSL servers, the subject name or a subject alternative name for the server's certificate must appear correct when a client connects to the clustered host. If possible, share the private key among all of the hosts.
If each cluster member contains a subject alternative name which includes the names of all the other cluster members, that satisfies any client connection requirements.
