On 09/22/2014 08:34 PM, Daniel Jung wrote:
LDAP and using explicit failover
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldapserver-1
ldap_backup_uri = ldap://ldapserver-2,ldap://ldapserver-3,ldap://ldapserver-4
ldap_rfc2307_fallback_to_local_users = true
ldap_search_base = dc=Somedomain,dc=com
ldap_user_search_base = ou=People,dc=Somedomain,dc=com
ldap_group_search_base = ou=Group,dc=Somedomain,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
cache_credentials = true
entry_cache_timeout = 600
enumerate = False
min_id = 100
ldap_network_timeout = 2
ldap_search_timeout = 5
debug_level = 0x0070
debug_microseconds = true
My test is as follows:
I blocked the client's IP on port 389 (using iptables) on ldapserver-1
and ldapserver-2, at which time the client connected to ldapserver-3. I
unblocked the client's IP on ldapserver-2 and I see that sssd connects
to ldapserver-2.
The logic is:
Prefer the primary; if it is not available, go to the first available backup server.
If you do:
block the client's IP on port 389 (using iptables) on ldapserver-1 and
ldapserver-2, at which time the client would connect to ldapserver-3.
Unblock the client's IP on ldapserver-1 and ldapserver-2 and I see that sssd
connects to ldapserver-1.
Thanks
On Mon, Sep 22, 2014 at 4:57 PM, Dmitri Pal <dpal(a)redhat.com> wrote:
On 09/22/2014 07:14 PM, Daniel Jung wrote:
> Hi,
>
> from sssd-ldap,
> "After this timeout SSSD will periodically try to reconnect to
> one of the primary servers. If it succeeds, it will replace the
> current active (backup) server."
>
> I am seeing that the reconnect is made to other backup servers and
> not just to primary servers. A quick search of the tickets on
> backup servers didn't find anything. Was this already fixed in a
> recent version, or is this the wanted behaviour?
>
> Running 1.9.2.11 on CentOS 6.5.
>
> Thanks
>
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
What back end are you using? IPA, AD, basic LDAP?
Do you configure failover explicitly or use DNS discovery?
A sanitized sssd.conf would help to answer this.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
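The failover order described in this thread, as an added model (not SSSD's own code): the server list is read from a constructed sssd.conf fragment with the same layout as the one posted, selection follows the rule Dmitri states (prefer the primary, else the first reachable backup), and the periodic retry follows the sssd-ldap(5) sentence Daniel quotes, under which only a reachable primary replaces an active backup. Daniel's observed reconnect to ldapserver-2 would not occur under this model; whether the installed version behaves that way is exactly the question the thread raises.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sssd.conf fragment; same server layout as in the thread.
SSSD_CONF = """
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldapserver-1
ldap_backup_uri = ldap://ldapserver-2,ldap://ldapserver-3,ldap://ldapserver-4
"""


def server_order(conf_text, domain="domain/LDAP"):
    """Return (primaries, backups) in the order SSSD tries them."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    split = lambda v: [u.strip() for u in v.split(",") if u.strip()]
    return (split(cp.get(domain, "ldap_uri")),
            split(cp.get(domain, "ldap_backup_uri", fallback="")))


@dataclass
class Failover:
    primaries: list
    backups: list
    active: Optional[str] = None

    def connect(self, reachable):
        """Prefer a primary; otherwise the first reachable backup."""
        self.active = next((u for u in self.primaries + self.backups
                            if u in reachable), None)
        return self.active

    def retry(self, reachable):
        """Periodic retry: a lost connection triggers a fresh connect();
        while on a backup, only a reachable primary replaces it."""
        if self.active not in reachable:
            return self.connect(reachable)
        if self.active in self.backups:
            primary = next((u for u in self.primaries if u in reachable), None)
            if primary:
                self.active = primary
        return self.active


def run_thread_scenario():
    """Replay Daniel's test: block 1 and 2, unblock 2, then unblock 1."""
    primaries, backups = server_order(SSSD_CONF)
    fo = Failover(primaries, backups)
    reachable = set(primaries + backups) - {"ldap://ldapserver-1", "ldap://ldapserver-2"}
    steps = [("1,2 blocked", fo.connect(reachable))]
    reachable.add("ldap://ldapserver-2")
    steps.append(("2 unblocked", fo.retry(reachable)))   # stays on ldapserver-3
    reachable.add("ldap://ldapserver-1")
    steps.append(("1 unblocked", fo.retry(reachable)))   # back to ldapserver-1
    return steps
```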