On 6/23/15 8:38 AM, Frank Pikelner wrote:
Just to be clear, are you load balancing LDAP servers or you are making LDAP/LDAPS requests to Active Directory servers?

With AD, you should not be load balancing domain controllers due to their sticky nature. With 2008 there were GPOs introduced to improve client DC fail-over and fall-back for clients. This would be a good addition to SSSD in the future to use the new GPOs:

Location: Administrative Templates\System\Net Logon\DC Locator DNS Records
Entry Name: Force Rediscovery Interval.

If it is only LDAP, you may want to provide more details regarding your LB setup, whether there is stickiness, etc. in your config.

On Tue, Jun 23, 2015 at 10:52 AM, Janelle <janellenicole80@gmail.com> wrote:
On 6/23/15 7:33 AM, John Hodrien wrote:
On Tue, 23 Jun 2015, Janelle wrote:

Servers are behind a load-balancer. Address never changes.

But one problem with that is that SSSD will see multiple servers as one
server, and so will mark the server as failed if the load balancer presents it
with a broken back end server.

Works much better in my experience when you tell SSSD about all the servers.

Sadly that is not possible.  If SSSD did load balancing when given multiple servers, then yes, but it does not. When you are running 30,000 servers with 3000 users, you have to load balance or SSSD simply dies and an ssh login takes 5 minutes to complete.  The only way to make SSSD happy and not kill the single server it would point to is to have multiple servers behind a VIP.  Am I completely off base to think this is the way to go? Can SSSD be taught to actually load balance?


Sorry for the confusion - yes - LDAP servers. I guess I assume these days when people say LDAP, that is what they mean, however, I see your point, since it is such a blurred line anymore.

So here is the scenario -- 3 LDAP servers behind a VIP. VIP = round-robin (just a simple Citrix NetScaler). The situation is that all 3 servers are replaced or updated, and then we have issues. If just one server is updated, it seems to recover OK.

Is there information that SSSD gets from LDAP lookups to determine what database it is looking at? I mean if a user changes her password in LDAP - how does SSSD know to use the new one or the cached value?
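Added example, not part of any message in this thread: an sssd.conf fragment for the alternative John describes, listing the three LDAP servers directly so SSSD's own failover sees a broken back end as one bad server rather than the whole VIP. Host names, the search base, the CA path and the timeout values are placeholders chosen for illustration.

```ini
# /etc/sssd/sssd.conf (added example; hostnames, search base and paths are placeholders)
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap

# Primary servers, tried in the order listed. When a connection attempt fails,
# SSSD marks only that server as not working and moves on to the next one,
# which a single VIP address cannot express.
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com, ldaps://ldap3.example.com
# Used only when every primary server is unreachable.
ldap_backup_uri = ldaps://ldap-dr.example.com

# Alternative to a static list: resolve _ldap._tcp SRV records, whose
# priority and weight fields let DNS spread clients across the servers.
# ldap_uri = _srv_
# dns_discovery_domain = example.com

ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# An established connection is dropped and re-created after this many seconds,
# so server selection runs again instead of staying pinned to one back end.
ldap_connection_expire_timeout = 900
# Seconds a connect attempt may take before SSSD tries the next server.
ldap_network_timeout = 6

# While online, authentication goes to LDAP, so a password changed there is
# used at the next login; the cached copy is refreshed on that successful
# online bind. Cached user and group entries expire after this many seconds.
cache_credentials = True
entry_cache_timeout = 5400
```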