This section assumes that you are installing the Centrify for Apache package in a cluster that has a reverse proxy with multiple servers on the back end.
In the following example, the reverse proxy is running on a machine named A, Apache servers are running on machines named B and C, and the domain is domain.com. The figure summarizes the steps and where they are carried out.
To configure a clustered environment with a reverse proxy:
1. Confirm that you have the DirectControl agent and the Centrify for Apache package installed as required.
2. If the servers are joined to the domain controller (run adinfo to find out), run adleave on each Centrify-managed computer to “unjoin.”
3. On machine A, run the following command to join machine A to the domain with aliases for B and C:
   Add another -a (--alias) option for each additional Apache server. (See the Administrator’s Guide for Linux and UNIX for the description of the adjoin command.)
4. If A has more than one hostname, use the following command to add hostnames:
5. On machine A, run the following commands to replicate the keytabs from machine A onto machines B and C:
   If you have additional servers, run scp to copy cluster.tgz to each one.
6. On machines B and C (and each additional server), run the following commands to install the keytabs from machine A and to start adclient:
       tar xvfz cluster.tgz
Note: If the password for machine A is changed, run Step 5 and Step 6 after every change. This password is changed transparently in a protocol initiated by Active Directory; that is, Active Directory prompts the DirectControl agent for a new account password on an interval defined in the DirectControl agent adclient.krb5.password.change.interval configuration parameter (see the Configuration and Tuning Reference Guide for the description). The DirectControl agent then automatically generates a new password for the computer account and issues the new password to Active Directory. The default interval is 28 days.
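A check for the situation the note describes, as an added example that is not part of the Centrify documentation: it parses two keytab files in the MIT 0x0502 format and reports principals whose newest key version number (kvno) on a back-end copy is older than on machine A, which is what a machine-account password change leaves behind until the keytabs are replicated again. The functions take raw keytab bytes because the page does not name the keytab path; the realm, the HTTP/ principal names and the sample_keytab helper are constructed for illustration.

```python
import struct

def _parse_entry(e):  # -> (principal, kvno, enctype); key bytes are skipped
    off = 0
    def take(n):
        nonlocal off
        off += n
        if off > len(e):
            raise ValueError("truncated keytab entry")
        return e[off - n:off]
    counted = lambda: take(struct.unpack(">H", take(2))[0])
    ncomp = struct.unpack(">H", take(2))[0]
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    # name type (4 bytes) + timestamp (4 bytes), then 8-bit kvno and enctype
    _, kvno, enctype = struct.unpack(">8sBH", take(11))
    counted()                                 # key material, never returned
    if len(e) - off >= 4:                     # optional 32-bit kvno wins when nonzero
        kvno = struct.unpack(">I", take(4))[0] or kvno
    return f"{name}@{realm}", kvno, enctype

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        if size > 0:
            entries.append(_parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)                  # negative size marks a deleted slot
    return entries

def stale_principals(source, replica):  # newest kvno on replica older than on source
    def newest(raw):
        latest = {}
        for principal, kvno, _ in parse_keytab(raw):
            latest[principal] = max(kvno, latest.get(principal, 0))
        return latest
    rep = newest(replica)
    return sorted(p for p, k in newest(source).items() if rep.get(p, -1) < k)

def sample_keytab(kvno, names=("HTTP/b.domain.com", "HTTP/c.domain.com")):
    # Constructed data: all-zero keys; realm and principal names are assumptions.
    cs = lambda b: struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for parts in (n.encode().split(b"/") for n in names):
        body = struct.pack(">H", len(parts)) + cs(b"DOMAIN.COM") + b"".join(map(cs, parts))
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, 18) + cs(bytes(32)) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
```

A non-empty result from stale_principals for a back-end server means Step 5 and Step 6 need to be run again for that server.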