Hello,
we're about to move the 2 LDAP backends (openldap-2.4.40) of sssd-1.12.4
from DNS round robin to a virtual IP on a load balancer. We don't use
SRV records.
So the plan is to go
from:
ldap_uri = ldaps://ldap.dom.ain
with ldap.dom.ain having 2 IN A DNS records
to:
ldap_uri = ldaps://ldap.dom.ain
where ldap.dom.ain resolves to the VIP hosted on the load balancer.
My understanding is that, in the target setup, if one of the backends is
shut down or stops responding, sssd will still wait for some timeout
before reconnecting to the VIP. So we would still have a time slice where
id <user>
would return no result (assuming <user> was not in the cache).
So the only gain, for that matter, would be that we would be guaranteed
that on the next backend connection the backend would answer, since the
load balancer would have pointed the connection to the working one.
Is there a way, other than tweaking the timeout value, to avoid such a
no-result hole? (and without enumerate = true either)
Thanks
--
Thomas HUMMEL