I have the following design problem regarding the primary LDAP server reconnect timeout value:
From time to time we need to recreate the DBs of the primary LDAP server via syncrepl. Therefore we are stopping the primary LDAP,
deleting its DB files and starting it again.
The sssd client behaves as expected:
- failover to the backup LDAP server
- check after the internal timeout of 31 seconds whether the primary is available again
- switch back to the primary LDAP server
The problem here is that the primary is still not finished with its sync replication, so the sss client connects to the primary, gets negative
results about user and group information, and returns failing authentication responses to ssh attempts and other authentication requests.
We are searching for an option to either let the client keep connecting to the backup LDAP server even if the primary LDAP server came back,
or to set a static timeout (e.g. 5 minutes) after which the client should reconnect to the primary LDAP server.
Any idea how to accomplish this?
I already thought about setting a temporary firewall rule on the primary LDAP server,
but I would rather have an option on the client side to bypass this problem.
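As an added example (not part of the original post): a small POSIX shell readiness check for the server-side approach mentioned above, which reads OpenLDAP's contextCSN from the primary and the backup and reports the primary as ready only once it has caught up, so the temporary firewall rule is lifted no earlier than that. The host names, suffix and the LDIF sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenLDAP syncrepl, which
# exposes replication progress as the contextCSN attribute of the suffix entry.
# Hostnames, suffix and the LDIF sample below are constructed assumptions.
PRIMARY_URI="${PRIMARY_URI:-ldap://ldap1.example.com}"
BACKUP_URI="${BACKUP_URI:-ldap://ldap2.example.com}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"

# Extract the (first) contextCSN value from LDIF on stdin.
csn_from_ldif() {
    sed -n 's/^contextCSN: //p' | head -n 1
}

# $1 = primary contextCSN, $2 = backup contextCSN.
# A CSN reads YYYYMMDDHHMMSS.ffffffZ#sss#rid#mmm; within one replica id it sorts
# lexically in time order, so the primary is caught up when csn1 >= csn2.
# Empty values (server down, attribute missing) count as not ready.
primary_is_ready() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    lesser=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    [ "$lesser" = "$2" ]
}

# Read the suffix entry's contextCSN from a live server (anonymous base search).
fetch_csn() {
    ldapsearch -LLL -x -H "$1" -b "$SUFFIX" -s base contextCSN 2>/dev/null | csn_from_ldif
}

# Poll until the primary has caught up with the backup; only then should the
# temporary firewall rule that keeps clients on the backup be removed.
wait_for_primary() {
    until primary_is_ready "$(fetch_csn "$PRIMARY_URI")" "$(fetch_csn "$BACKUP_URI")"; do
        echo "primary not caught up yet, waiting 30s"
        sleep 30
    done
    echo "primary contextCSN has caught up with the backup"
}

# Constructed LDIF sample, as ldapsearch -LLL would print it, for an offline check.
SAMPLE_LDIF='dn: dc=example,dc=com
contextCSN: 20240101120000.000000Z#000000#001#000000'

# Run the live poll only when asked; plain invocation just demonstrates the parser.
if [ "${1:-}" = "live" ]; then
    wait_for_primary
else
    echo "parsed sample contextCSN: $(printf '%s\n' "$SAMPLE_LDIF" | csn_from_ldif)"
fi
```

The comparison only holds for a single replica id; with several providers, compare the contextCSN values per rid.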