Jakub Hrozek wrote:
We've had one user who was unhappy about this default behaviour and
solved the problem with SRV queries as well -- they set a low TTL on SRV
queries, which forced SSSD to re-discover servers on each login past the
TTL interval. Then SSSD would select a server on the same priority level
based on the weight field.
I repeat my security concerns: Without effective DNSSEC validation there's no
cryptographically signed binding between a name and a server cert then.
Why not just use DNS round-robin with A RRs? Then the TLS hostname check works as
expected (provided you have proper subjectAltName values in the server certs).
It seems the load-balancing works reasonably well with sssd 1.9.x in an
installation with 8000+ systems and many OpenLDAP replicas. I could see in
the monitoring that replicas being down for a while get new connections after