On 6/23/15 8:38 AM, Frank Pikelner wrote:
> Just to be clear, are you load balancing LDAP servers or are you
> making LDAP/LDAPS requests to Active Directory servers?
>
> With AD, you should not be load balancing domain controllers due to
> their sticky nature. With 2008 there were GPOs introduced to improve
> client DC fail-over and fall-back for clients. This would be a good
> addition to SSSD in the future to use the new GPOs:
> Location: Administrative Templates\System\Net Logon\DC Locator DNS
> Records\ Entry Name: Force Rediscovery Interval.
>
> If it is only LDAP, you may want to provide more details regarding
> your LB setup, whether there is stickiness, etc. in your config.
>
> On Tue, Jun 23, 2015 at 10:52 AM, Janelle <janellenicole80(a)gmail.com
>> On 6/23/15 7:33 AM, John Hodrien wrote:
>>> On Tue, 23 Jun 2015, Janelle wrote:
>>>> Servers are behind a load-balancer. Address never changes.
>>>
>>> But one problem with that is that SSSD will see multiple servers as
>>> one server, and so will mark the server as failed if the load
>>> balancer presents it with a broken back end server.
>>>
>>> Works much better in my experience when you tell SSSD about all the
>>> servers.
>>
>> Sadly that is not possible. If SSSD did load balancing when given
>> multiple servers, then yes, but it does not. When you are running
>> 30,000 servers with 3000 users, you have to load balance or SSSD
>> simply dies and an ssh login takes 5 minutes to complete. The
>> only way to make SSSD happy and not kill the single server it
>> would point to is to have multiple servers behind a VIP. Am I
>> completely off base to think this is the way to go? Can SSSD be
>> taught to actually load balance?
Sorry for confusion - yes - LDAP servers. I guess I assume these days
when people say LDAP, that is what they mean, however, I see your point,
since it is such a blurred line anymore.
So here is the scenario -- 3 LDAP servers behind a VIP. VIP =
round-robin. (Just a simple Citrix NetScaler). The situation is that all
3 servers are replaced or updated, and then we have issues. If just
one server is updated, it seems to recover OK.
Is there information that SSSD gets from LDAP lookups to determine what
database it is looking at? I mean if a user changes her password in LDAP
- how does SSSD know to use the new one or the cached value?
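An sssd.conf fragment, added here as an illustration and not posted by anyone in the thread, contrasting the single round-robin VIP with listing the back ends directly, and showing the cache options behind the last question. Host names, the domain name and the timeout values are placeholders.

```ini
[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

# Single round-robin VIP, as in the thread. SSSD sees exactly one server:
# if the balancer hands it a broken back end, the whole VIP is marked as
# failed. SSSD also keeps its LDAP connection open, so round-robin only
# applies when a new connection is made, not per lookup.
# ldap_uri = ldap://ldap-vip.example.com

# Listing the back ends instead. SSSD tries them in order and fails over
# to the next when one is unreachable, so one bad server is isolated.
# This is failover, not load balancing: every client starts at the first.
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com, ldap://ldap3.example.com

# Alternative without a VIP: take the server list from the DNS SRV record,
# where SRV priority and weight decide the order each client uses.
# ldap_uri = _srv_
# dns_discovery_domain = example.com

# Re-open the connection periodically so a long-running client does not
# stay pinned to one back end (seconds; the default is 900).
ldap_connection_expire_timeout = 600

# Fail fast on a dead server so a login does not hang on it (seconds).
ldap_network_timeout = 5
ldap_opt_timeout = 5

# Never enumerate the whole directory from each client; with thousands of
# clients this alone can overload the LDAP servers.
enumerate = False

# Identity data (uid, gid, group membership) is answered from the local
# cache for this many seconds before SSSD asks LDAP again (default 5400).
entry_cache_timeout = 5400

# Passwords are not answered from the cache while a server is reachable:
# online authentication always goes to LDAP, so a changed password takes
# effect immediately. The cached hash is used only when SSSD is offline.
cache_credentials = True

[pam]
# Days that cached credentials remain usable while offline (0 = no limit).
offline_credentials_expiration = 2
```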