Mario Rossi wrote:
Emergency users should be used when LDAP fails and there is no other
way to
get access to the box via ssh.
Yes.
I can recall an incident a few years ago where an
admin deleted the bigip_monitoring user thinking that the account is not used.
You would think that people would be able to tell what the user is being used
for :) In this case the LB took down the ldap farm and emergency user was a
savior until the user had been restored.
;-)
My usual recommendation is *not* to use the load-balancer in sssd configuration.
Tests showed that sssd with its persistent LDAP connection can cope fairly well
with simple DNS round robin.
Ciao, Michael.