On Tue, Jun 23, 2015 at 11:38:17AM -0400, Frank Pikelner wrote:
> Just to be clear, are you load balancing LDAP servers or are you load
> balancing LDAP/LDAPS requests to Active Directory servers?
> With AD, you should not be load balancing domain controllers due to the
> stickiness nature. With 2008 there were GPOs introduced to improve client
> DC fail-over and fall-back for clients. This would be a good addition to
> SSSD in the future to use the new GPOs:
FWIW, the stickiness is exactly how SSSD is behaving:
When a client computer finds a preferred domain controller, it sticks to
this domain controller unless that domain controller stops responding or
the client computer is restarted
We've had one user who was unhappy about this default behaviour and they
solved the problem with SRV queries as well -- they set a low TTL on SRV
queries, which forced SSSD to re-discover servers on each login past the
TTL interval. Then SSSD would select a server on the same priority level
based on the weight field.
Please note that a) this works only with reasonably recent SSSD versions,
as we didn't honor TTL correctly earlier, and b) this only works
for login, because for identity lookups (which are mostly just LDAP
searches), we reuse an LDAP connection until we can.
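As an added illustration that is neither SSSD's code nor anything posted in this thread: a small Python model of the behaviour described above, choosing a server RFC 2782-style (lowest priority tier, then by weight) and sticking to it until the SRV answer's TTL expires, after which discovery runs again. The names `SrvResolver` and `choose_by_weight`, the `*.example.test` hosts and the injected lookup/clock callables are assumptions for the sake of the example.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def choose_by_weight(records, rng=random.random):
    """Pick one record from the lowest-priority tier, with probability
    proportional to weight as in RFC 2782. A weight-0 record is only
    chosen when every record in the tier has weight 0."""
    lowest = min(r.priority for r in records)
    tier = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in tier)
    if total == 0:
        return tier[0]
    pick = rng() * total            # uniform in [0, total)
    for r in tier:
        pick -= r.weight
        if pick < 0:
            return r
    return tier[-1]

class SrvResolver:
    """Caches one chosen server per SRV name until the answer's TTL
    elapses. `lookup(name) -> (ttl_seconds, [SrvRecord])` stands in for
    the DNS query and `now()` for the wall clock (both injected)."""
    def __init__(self, lookup, now):
        self._lookup, self._now = lookup, now
        self._cache = {}            # name -> (expires_at, chosen record)

    def server_for(self, name):
        expires, chosen = self._cache.get(name, (0.0, None))
        if chosen is not None and self._now() < expires:
            return chosen, False    # sticky: TTL not yet expired
        ttl, records = self._lookup(name)
        chosen = choose_by_weight(records)
        self._cache[name] = (self._now() + ttl, chosen)
        return chosen, True         # re-discovered after TTL expiry

# Constructed sample answer (hypothetical hosts): two DCs sharing
# priority 0 with equal weight, one fallback DC at priority 10.
SAMPLE = [SrvRecord(0, 50, 389, "dc1.example.test"),
          SrvRecord(0, 50, 389, "dc2.example.test"),
          SrvRecord(10, 0, 389, "dc3.example.test")]
```

With a short TTL the resolver re-runs `lookup` on the next call after expiry, which is the effect the low-TTL SRV workaround relies on; with a long TTL the first choice is reused for its whole lifetime.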