Perhaps you can try configuring the same VIP/FQDN as both your primary and
backup URIs with ldap_uri and ldap_backup_uri in the SSSD config.
The man page for SSSD-LDAP (towards the bottom) explains how SSSD performs
fail-over and what timeouts exist.
Another idea may be to use one LDAP outside of the Netscaler (directly
accessible) as a backup ldap_backup_uri. The server would only be used when
going through the Netscaler does not work. The backup option would also
eventually have SSSD retry the Netscaler as a primary connection method.
On Tue, Jun 23, 2015 at 11:49 AM, Janelle <janellenicole80(a)gmail.com> wrote:
On 6/23/15 8:38 AM, Frank Pikelner wrote:
Just to be clear, are you load balancing LDAP servers or you are making
LDAP/LDAPS requests to Active Directory servers?
With AD, you should not be load balancing domain controllers due to their
sticky nature. With 2008 there were GPOs introduced to improve client
DC fail-over and fall-back for clients. This would be a good addition to
SSSD in the future to use the new GPOs:
Location: Administrative Templates\System\Net Logon\DC Locator DNS Records;
Entry Name: Force Rediscovery Interval.
If it is only LDAP, you may want to provide more details regarding your
LB setup, whether there is stickiness, etc. in your config.
On Tue, Jun 23, 2015 at 10:52 AM, Janelle <janellenicole80(a)gmail.com>
> On 6/23/15 7:33 AM, John Hodrien wrote:
>> On Tue, 23 Jun 2015, Janelle wrote:
>> Servers are behind a load-balancer. Address never changes.
>> But one problem with that is that SSSD will see multiple servers as one
>> server, and so will mark the server as failed if the load balancer
>> presents it
>> with a broken back end server.
>> Works much better in my experience when you tell SSSD about all the
> Sadly that is not possible. If SSSD did load balancing when given
> multiple servers, then yes, but it does not. When you are running 30,000
> servers with 3000 users, you have to load balance or SSSD simply dies and
> an ssh login takes 5 minutes to complete. The only way to make SSSD happy
> and not kill the single server it would point to is to have multiple
> servers behind a VIP. Am I completely off base to think this is the way to
> go? Can SSSD be taught to actually load balance?
Sorry for the confusion - yes - LDAP servers. I guess I assume these days when
people say LDAP, that is what they mean; however, I see your point, since
it is such a blurred line these days.
So here is the scenario -- 3 LDAP servers behind a VIP. VIP = roundrobin.
(Just a simple Citrix netscaler). The situation is that all 3 servers are
replaced or updated, and then we have issues. If just one server is
updated, it seems to recover OK.
Is there information that SSSD gets from LDAP lookups to determine what
database it is looking at? I mean if a user changes her password in LDAP -
how does SSSD know to use the new one or the cached value?
sssd-users mailing list
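The layout Frank suggests at the top of the thread (the NetScaler VIP as the primary ldap_uri, one directly reachable LDAP server as ldap_backup_uri, plus the fail-over timeouts from sssd-ldap(5)) written out as an sssd.conf fragment. This is an added example, not configuration posted in the thread; the host names, base DN and CA path are placeholders, and the timeout values shown are the documented defaults.

```ini
; Added example, not from the thread. Minimal /etc/sssd/sssd.conf for the
; "VIP as primary, direct server as backup" layout. Host names, the search
; base and the CA bundle path are placeholders.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

; Primary: the load-balancer VIP. SSSD treats it as a single server, so a
; broken back end behind the VIP marks the whole VIP as failed.
ldap_uri = ldaps://ldap-vip.example.com

; Backup: one back end reachable directly, bypassing the NetScaler. SSSD
; only uses it after the primary fails, and later retries the primary so
; service moves back to the VIP once it is healthy again.
ldap_backup_uri = ldaps://ldap3.example.com

; Fail-over timeouts (defaults shown; see sssd-ldap(5)). These decide how
; long a login hangs before SSSD gives up on the VIP and tries the backup.
; Seconds to establish the TCP/TLS connection.
ldap_network_timeout = 6
; Seconds to wait for a synchronous LDAP operation (bind, etc.).
ldap_opt_timeout = 8
; Seconds to wait for a search to return results.
ldap_search_timeout = 6
; Seconds after which SSSD drops and re-opens its connection, so a
; long-lived session is not pinned to one back end behind the VIP.
ldap_connection_expire_timeout = 900

; Serve logins from the cache while every back end is being replaced.
cache_credentials = true
```

After a back-end replacement, `sssctl domain-status example` shows which URI SSSD is currently using and whether the primary is marked offline.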