#4557 Load balancer for IPA services
Opened 4 years ago by edewata. Modified 2 years ago

Currently IPA uses a cascading mechanism to establish the initial connection to CA/KRA service, but it doesn't have a load balancing capability to distribute subsequent requests, or failover capability when the service becomes unavailable, or auto-update capability when a replica is added/removed.

The cascading mechanism works by searching the LDAP database to find the most preferable server providing the CA/KRA service:

  • First, it will check if the server specified in the ca_host/kra_host property provides a CA/KRA service.
  • Otherwise, it will check if the local machine provides the CA/KRA service.
  • Otherwise, it will search for any server providing the CA/KRA service.
  • If there is nothing found, it will return the ca_host/kra_host anyway, and possibly let the request fail.

Note that this mechanism doesn't check if the server referenced in the LDAP database is actually in service. It will also cache the result so if the service becomes unavailable, subsequent requests may still be redirected to the same server indefinitely (depending on cache policy).

A possible solution is to provide some load balancing options without the cascading mechanism:

  • By default there will be no load balancer. The ca_host/kra_host will point to the local HTTPD service, and the HTTPD proxy will forward the requests to the local CA/KRA service.
  • If a replica is installed without a local CA/KRA service, an internal load balancer can be enabled in HTTPD (http://stackoverflow.com/questions/9649258/tomcat-load-balancer-solutions) to redirect requests to the appropriate servers. In this case the ca_host/kra_host will still point to localhost, but the admin will need to maintain the load balancer configuration manually.
  • If necessary, an external load balancer can also be used by pointing the ca_host/kra_host to the load-balanced IP address. The admin will also need to maintain the load balancer configuration manually.

This solution will provide load-balancing and fail-over mechanisms, but the admin will need to maintain the load balancer configuration manually when a replica is added/removed.

See also ticket #1252.
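
The cascade and its stale-cache failure mode described in this ticket, modelled as an added example (not FreeIPA code and not part of the original report). The directory dict, the host names and the `is_up` probe are constructed assumptions; the probe-aware variant is one possible check, not the fix proposed in the ticket.

```python
"""Model of the cascading CA/KRA host lookup described in this ticket."""

def cascade(providers, configured, local):
    """Pick a host from the directory listing; no liveness check is made."""
    if configured in providers:        # 1. host named in ca_host/kra_host
        return configured
    if local in providers:             # 2. the local machine
        return local
    if providers:                      # 3. any listed server (sorted: stable pick)
        return sorted(providers)[0]
    return configured                  # 4. nothing found: return it anyway

class CachedLookup:
    """Caches the first answer, so a later outage is never noticed."""
    def __init__(self, directory, configured, local):
        self.directory = directory     # constructed stand-in for LDAP: {service: hosts}
        self.configured, self.local = configured, local
        self._cache = {}

    def host_for(self, service):
        if service not in self._cache:
            providers = self.directory.get(service, set())
            self._cache[service] = cascade(providers, self.configured, self.local)
        return self._cache[service]

def cascade_with_probe(providers, configured, local, is_up):
    """Same preference order, but skip hosts the probe reports as down.

    is_up is a hypothetical callable (for example a TCP or HTTP health check).
    Returns None when no listed host answers, instead of a dead default.
    """
    ordered = [h for h in (configured, local) if h in providers]
    ordered += sorted(providers - set(ordered))
    return next((h for h in ordered if is_up(h)), None)

def demo():
    # Constructed sample data: two replicas carry the CA, the client has none.
    directory = {"CA": {"replica1.example.test", "replica2.example.test"}}
    lookup = CachedLookup(directory, "replica1.example.test", "client.example.test")
    first = lookup.host_for("CA")
    down = {"replica1.example.test"}   # replica1 stops serving; LDAP still lists it
    stale = lookup.host_for("CA")      # cached answer: still the dead host
    probed = cascade_with_probe(directory["CA"], "replica1.example.test",
                                "client.example.test", lambda h: h not in down)
    return first, stale, probed

if __name__ == "__main__":
    print(demo())
```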


This ticket has been generalized for all IPA services. Different services might require different load balancing mechanisms. See also:

Unless this is a blocker for KRA, moving to 4.3. If it is, please shout loudly so that we can reprioritize.

Metadata Update from @edewata:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago
