Hi list,

I have the following design problem regarding the primary LDAP server reconnect timeout value:
from time to time we need to recreate the DBs of the primary LDAP server via syncrepl. Therefore we stop the primary LDAP server,
delete its DB files and start it again.

The sssd client behaves as expected:

The problem here is that the primary is still not finished with its sync replication, so the sssd client connects to the primary, gets negative
results for user and group information and returns failing authentication responses to SSH attempts and other authentication requests.

We are looking for an option either to let the client keep connecting to the LDAP backup server even after the primary LDAP server has come back,
or to set a static timeout (e.g. 5 minutes) after which the client should reconnect to the primary LDAP server.

Any idea how to accomplish this?
I have already thought about setting a temporary firewall rule on the primary LDAP server,
but I would rather have an option on the client side to work around this problem.

Thanks,
--
Jochen