Perhaps it should be mentioned in the FAILOVER section of the sssd-ldap man
page as well?
Also, just out of curiosity: while the primary servers do NOT show the same
behaviour of giving higher preference to the server listed first, why do
this for the backup server list?
On Tue, Sep 23, 2014 at 12:05 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
This should be indicated in the SSSD debug logs, is it not?
On 23 Sep 2014, at 07:02, Daniel Jung <mimianddaniel(a)gmail.com> wrote:
> it would be greatly helpful to indicate that the first available backup
> server is chosen even when active server is another backup server.
>
> On Sep 22, 2014 6:46 PM, "Dmitri Pal" <dpal(a)redhat.com> wrote:
> On 09/22/2014 08:34 PM, Daniel Jung wrote:
>> LDAP and using explicit failover
>>
>> [domain/LDAP]
>> id_provider = ldap
>> auth_provider = ldap
>> ldap_schema = rfc2307
>> ldap_uri = ldap://ldapserver-1
>> ldap_backup_uri = ldap://ldapserver-2,ldap://ldapserver-3,ldap://ldapserver-4
>> ldap_rfc2307_fallback_to_local_users = true
>> ldap_search_base = dc=Somedomain,dc=com
>> ldap_user_search_base = ou=People,dc=Somedomain,dc=com
>> ldap_group_search_base = ou=Group,dc=Somedomain,dc=com
>> ldap_tls_reqcert = demand
>> ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
>> cache_credentials = true
>> entry_cache_timeout = 600
>> enumerate = False
>> min_id = 100
>> ldap_network_timeout = 2
>> ldap_search_timeout = 5
>> debug_level = 0x0070
>> debug_microseconds = true
>>
>> My test is as follows:
>> I blocked the client's IP on port 389 (using iptables) on ldapserver-1 and
>> ldapserver-2, at which time the client connected to ldapserver-3. I unblocked
>> the client's IP on ldapserver-2 and I see that sssd connects to ldapserver-2.
>
> Logic is:
> Prefer primary, if not available go to a first available backup server.
>
> If you do:
> block the client's IP on port 389 (using iptables) on ldapserver-1 and
> ldapserver-2, at which time the client would connect to ldapserver-3. Unblock
> the client's IP on ldapserver-1 and ldapserver-2 and I see that sssd
> connects to ldapserver-1.
>>
>> Thanks
>>
>>
>> On Mon, Sep 22, 2014 at 4:57 PM, Dmitri Pal <dpal(a)redhat.com> wrote:
>> On 09/22/2014 07:14 PM, Daniel Jung wrote:
>>> Hi,
>>>
>>> from sssd-ldap,
>>> "After this timeout SSSD will periodically try to reconnect to one of
the primary servers. If it succeeds, it will replace the current active
(backup) server."
>>>
>>> I am seeing that the reconnect is made to other backup servers and not
>>> just to primary servers. A quick search of the tickets on backup servers didn't
>>> find anything. Was this already fixed in the recent version or is this
>>> wanted behaviour?
>>>
>>> Running 1.9.2.11 on centos 6.5.
>>>
>>> Thanks
>>>
>>>
>>> _______________________________________________
>>> sssd-users mailing list
>>>
>>> sssd-users(a)lists.fedorahosted.org
>>>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>
>> What back end are you using? IPA, AD, basic LDAP?
>> Do you configure failover explicitly or use DNS discovery?
>>
>> A sanitized sssd.conf would help to answer this.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
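The following is an added illustration, not code from the thread or from SSSD itself. It models only the rule Dmitri states above ("prefer primary, if not available go to the first available backup server") over the `ldap_uri` / `ldap_backup_uri` lists, and replays Daniel's iptables test step by step so the observed switch from ldapserver-3 to ldapserver-2 falls out of list order. The `FailoverModel` class, its `block`/`unblock` firewall state and the `SSSD_CONF` fragment are constructed for this example; real SSSD also tracks per-server status, retry timers and DNS SRV ordering, which the model leaves out.

```python
"""Model of the SSSD LDAP failover preference discussed in this thread.

Added illustration, not SSSD's own code. It implements the rule stated in the
thread (first reachable primary, otherwise first reachable backup in list
order) and replays the iptables test. Real SSSD also keeps per-server status,
retry timers and DNS SRV ordering, which are omitted here.
"""
import configparser
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sssd.conf fragment mirroring the server lists posted in the thread.
SSSD_CONF = """
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldapserver-1
ldap_backup_uri = ldap://ldapserver-2,ldap://ldapserver-3,ldap://ldapserver-4
"""


def parse_uri_lists(conf_text: str, domain: str = "domain/LDAP") -> Tuple[List[str], List[str]]:
    """Return (primary, backup) URI lists from sssd.conf-style text.

    Both options are comma-separated lists; an absent option yields [].
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    section = cp[domain]

    def split(value: str) -> List[str]:
        return [u.strip() for u in value.split(",") if u.strip()]

    return split(section.get("ldap_uri", "")), split(section.get("ldap_backup_uri", ""))


@dataclass
class FailoverModel:
    primary: List[str]
    backup: List[str]
    # Hypothetical firewall state: servers on which the client's IP is blocked.
    blocked: Set[str] = field(default_factory=set)
    active: Optional[str] = None

    def _first_reachable(self, servers: List[str]) -> Optional[str]:
        return next((s for s in servers if s not in self.blocked), None)

    def reconnect(self) -> Optional[str]:
        """Server chosen on a (re)connect attempt.

        The first reachable primary wins; otherwise the first reachable backup
        in list order. Returns None when nothing is reachable (SSSD would go
        offline and serve from cache).
        """
        self.active = self._first_reachable(self.primary) or self._first_reachable(self.backup)
        return self.active

    def block(self, *servers: str) -> None:
        self.blocked.update(servers)

    def unblock(self, *servers: str) -> None:
        self.blocked.difference_update(servers)


def replay_thread_test(conf_text: str = SSSD_CONF) -> List[Optional[str]]:
    """Replay the steps from the thread; return the active server after each."""
    primary, backup = parse_uri_lists(conf_text)
    model = FailoverModel(primary, backup)
    history: List[Optional[str]] = []

    # 1. Client blocked on ldapserver-1 and ldapserver-2 -> first reachable backup.
    model.block("ldap://ldapserver-1", "ldap://ldapserver-2")
    history.append(model.reconnect())
    # 2. ldapserver-2 unblocked: the earlier-listed backup wins on the next attempt.
    model.unblock("ldap://ldapserver-2")
    history.append(model.reconnect())
    # 3. Primary unblocked: any primary is preferred over any backup.
    model.unblock("ldap://ldapserver-1")
    history.append(model.reconnect())
    # 4. Everything blocked: no server reachable.
    model.block(*primary, *backup)
    history.append(model.reconnect())
    return history


if __name__ == "__main__":
    for step, server in enumerate(replay_thread_test(), 1):
        print(f"step {step}: active server = {server or 'none (offline)'}")
```

Because backup order is a preference in this model, the position of a server in `ldap_backup_uri` is effectively policy: the backups an administrator most wants clients to land on (closest, or the ones whose certificates and ACLs are kept in step with the primary) belong first in the list.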