Just to be clear, are you load balancing LDAP servers or you are making LDAP/LDAPS requests to Active Directory servers?

With AD, you should not be load balancing domain controllers due to the stickiness nature. With 2008 there were GPOs introduced to improve client DC fail-over and fall-back for clients. This would be a good addition to SSSD in the future to use the new GPOs: 

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/HowdoesWindowsServer2008resolvesDomainControllerLoadBalancingproblems.html

Location: Administrative Templates\System\Net Logon\DC Locator DNS Records\ Entry Name: Force Rediscovery Interval.

If it is only LDAP, you may want to provide more details regarding your LB setup, whether there is stickiness, etc. in your config.

On Tue, Jun 23, 2015 at 10:52 AM, Janelle <janellenicole80@gmail.com> wrote:
On 6/23/15 7:33 AM, John Hodrien wrote:
On Tue, 23 Jun 2015, Janelle wrote:

Servers are behind a load-balancer. Address never changes.

But one problem with that is that SSSD will see multiple servers as one
server, and so will mark the server as failed if the load balancer presents it
with a broken back end server.

Works much better in my experience when you tell SSSD about all the servers.

jh
Sadly that is not possible.  If SSSD did load balancing when given multiple servers, then yes, but it does not. When you are running 30,000 servers with 3000 users, you have to load balance or SSSD simply dies and an ssh login takes 5 minutes to complete.  The only way to make SSSD happy and not kill the single server it would point to is to have multiple servers behind a VIP.  Am I completely off base to think this is the way to go? Can SSSD be taught to actually load balance?

~J

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users