Just to be clear, are you load balancing LDAP servers or you are making
LDAP/LDAPS requests to Active Directory servers?
With AD, you should not be load balancing domain controllers due to the
stickiness nature. With 2008 there were GPOs introduced to improve client
DC fail-over and fall-back for clients. This would be a good addition to
SSSD in the future to use the new GPOs:
Location: Administrative Templates\System\Net Logon\DC Locator DNS Records\
Entry Name: Force Rediscovery Interval.
If it is only LDAP, you may want to provide more details regarding your LB
setup, whether there is stickiness, etc. in your config.
On Tue, Jun 23, 2015 at 10:52 AM, Janelle <janellenicole80(a)gmail.com> wrote:
On 6/23/15 7:33 AM, John Hodrien wrote:
> On Tue, 23 Jun 2015, Janelle wrote:
> Servers are behind a load-balancer. Address never changes.
> But one problem with that is that SSSD will see multiple servers as one
> server, and so will mark the server as failed if the load balancer
> presents it
> with a broken back end server.
> Works much better in my experience when you tell SSSD about all the
Sadly that is not possible. If SSSD did load balancing when given
multiple servers, then yes, but it does not. When you are running 30,000
servers with 3000 users, you have to load balance or SSSD simply dies and
an ssh login takes 5 minutes to complete. The only way to make SSSD happy
and not kill the single server it would point to is to have multiple
servers behind a VIP. Am I completely off base to think this is the way to
go? Can SSSD be taught to actually load balance?
sssd-users mailing list