OK, I was probably a bit inaccurate about the algorithm with LDAP lookup.
I had the impression that IPA always picks the first value, but it looks like it does have
some randomization, but somehow the first entries are chosen more often. I had to run
"ipa vault-retrieve" 5-8 times until it finally chose the right IPA server.
While this randomization is better than no randomization at all, still I believe
that's suboptimal behavior... When a chosen IPA server fails, it must try another
one immediately, instead of failing... I think the role model here is how IPA discovers
servers via SRV records or how krb5 discovers KDCs - there is a way to specify preference,
but at the same time there is automatic resilience...
Then again, maybe I got this all totally wrong...=)
---
Regards,
Dmitry Perets