On Fri, May 19, 2017 at 10:22:35AM -0400, TomK wrote:
> Hey Guys,
>
> Cluster VIP for LDAP hosts.
>
> Does SSSD support this now? Or should it still be a comma separated list?
>
> Have a Windows AD DC cluster made up of 8 servers. Would be handy to use
> that (ie company-dom.com) instead of the individual hosts that make this up.

I would recommend to use DNS SRV lookups instead. With AD this should
return the same list of DCs as the special company-dom.com. You can
check with

    dig SRV _ldap._tcp.company-dom.com

If you use the SSSD AD provider and either call the domain in sssd.conf
company-dom.com or set ad_domain to company-dom.com and not set any
ad_server SSSD will automatically use the SRV record.

The issue with just using company-dom.com as ad_server is
GSSAPI/Kerberos authentication. Here the specific names of the DCs are
needed to be able to request a proper service ticket.

HTH

bye,
Sumit

>
> In case the AD / DC team removes hosts from a cluster, we would not need to
> update anything on our end if we were using just the domain.
>
> --
> Cheers,
> Tom K.
>
> -------------------------------------------------------------------------------------
>
> Living on earth is expensive, but it includes a free trip around the sun.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Kool, thanks Sumit.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
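
An added example, not part of the thread or of SSSD itself: a small check that reads an sssd.conf and flags AD-provider domains whose ad_server is set to the domain name instead of individual DC host names, the case the reply above says gets in the way of requesting a proper Kerberos service ticket. The function name `check_ad_servers`, the section name `pinned` and the sample configuration are constructed for illustration, and it assumes the file parses as plain INI.

```python
import configparser

# Constructed sample sssd.conf: the first domain leaves ad_server unset so
# SRV discovery is used; the second lists the domain name itself as a server.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = company-dom.com, pinned

[domain/company-dom.com]
id_provider = ad

[domain/pinned]
id_provider = ad
ad_domain = company-dom.com
ad_server = company-dom.com, dc1.company-dom.com
"""

def check_ad_servers(conf_text):
    """Return {domain section name: [findings]} for every AD-provider domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("id_provider", "").strip().lower() != "ad":
            continue
        name = section[len("domain/"):]
        # ad_domain, when set, names the AD domain; otherwise the section name does.
        ad_domain = opts.get("ad_domain", name).strip().lower()
        servers = [s.strip().lower()
                   for s in opts.get("ad_server", "").split(",") if s.strip()]
        findings = []
        if not servers:
            findings.append("ok: ad_server unset, DCs come from SRV lookup for " + ad_domain)
        for s in servers:
            if s.rstrip(".") == ad_domain:
                findings.append("warn: ad_server '%s' is the domain name, not a DC host name" % s)
        report[name] = findings
    return report

if __name__ == "__main__":
    for dom, findings in check_ad_servers(SAMPLE_CONF).items():
        print(dom, findings)
```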