[Freeipa-users] Specifying load balancing to SSSD clients

Simo Sorce ssorce at redhat.com
Tue Aug 21 07:04:09 UTC 2012 

----- Original Message -----
> OK - thanks.
>  
> But is there any way IPA can be tweaked to do this without an
> "external"
> product (albeit a Red Hat one)?  Is it possible for the sssd clients
> to
> round-robin their requests between 2 or more servers?

At the monment only by using _srv_ records you could do some round-robin (assuming DNS supports it).

Please do not use the load balancer as suggest in a previous reply, also using a A record would not work as machines joined to IPa need the 'correct' serve name to be able to perform GSSAPI authentication. A round-robin A record would make that fail. A round-robin CNAME record might work if your DNS server supports something like that.

> Is this an sssd question or generic enough to be in this list?

It's both, SSSD implements the client, but in FreeIPA domains we need a joint solution due to Kerberos requirements for DNS names.

> Would this functionallity be of use to freeIPA in general? (my view = yes)

Yes.

HTH,
Simo.
 
> Cheers
>  
> Duncan Innes | Linux Architect
> 
> 
> 
> ________________________________
> 
> 	From: Mark St. Laurent [mailto:mstlaure at redhat.com]
> 	Sent: 20 August 2012 15:15
> 	To: Innes, Duncan
> 	Cc: freeipa-users at redhat.com
> 	Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
> clients
> 	
> 	
> 	
> http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
> 	
> 	
> 	Norman "Mark" St. Laurent
> 	Federal Team: Senior Solutions Architect
> 	Red Hat
> 	8260 Greensboro Drive, Suite 300
> 	McLean VA, 22102
> 	Email:  msl at redhat.com
> 	Cell:  703.772.1434
> 	
> 	Check this Link out!!!  Cool Stuff:  http://mil-oss.org/
> 	
> 	
> ________________________________
> 
> 	From: "Duncan Innes" <Duncan.Innes at virginmoney.com>
> 	To: freeipa-users at redhat.com
> 	Sent: Monday, August 20, 2012 9:48:30 AM
> 	Subject: [Freeipa-users] Specifying load balancing to SSSD
> clients
> 	
> 	Folks,
> 	
> 	Hopefully this isn't a dumb question, but I'm constrained by a
> few
> 	things on my estate and would be looking to deploy something
> like the
> 	following:
> 	
> 	2 Datacentres
> 	2 IPA servers at each datacentre
> 	
> 	ipa1.domain.com \_ datacentre A
> 	ipa2.domain.com /
> 	
> 	ipa3.domain.com \_ datacentre B
> 	ipa4.domain.com /
> 	
> 	The datacentres are linekd, but bandwidth not great.
> 	
> 	Client's in datacentre A should therefore use ipa1.domain.com
> and
> 	ipa2.domain.com as primary servers and only fail over to ipa3 &
> ipa4
> 	when both 1 & 2 are out of action.  Clients would revert to
> using
> 	ipa1/ipa2 whenever either of them came back online.
> 	
> 	I understand this configuration has already been done as part of
> 	https://fedorahosted.org/freeipa/ticket/2282
> 	
> 	What I'm wondering is if I can force my clients to load balance
> 	communication between ipa1 & ipa2.
> 	
> 	I don't have the ability to use the _srv_ records in DNS as
> that's set
> 	up for the AD servers on our network.  I also can't create
> separate DNS
> 	servers for the Linux estate (not that I'd particularly want
> to).
> 	
> 	Is there any current configuration that I can use to force load
> 	balancing between ipa1/ipa2 under ideal conditions.  Falling
> back to
> 	ipa2 when ipa1 is out of action.  Falling back to (load balanced
> 	perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
> 	
> 	Hope the description is reasonable.
> 	
> 	Thanks
> 	
> 	Duncan Innes | Linux Architect
> 	
> 
> 
> 
> Northern Rock plc is part of the Virgin Money group of companies.
> 
> This e-mail is intended to be confidential to the recipient. If you
> receive a copy in error, please inform the sender and then delete
> this message.
> 
> Virgin Money Personal Financial Service Limited is authorised and
> regulated by the Financial Services Authority. Company no. 3072766.
> 
> Virgin Money Unit Trust Managers Limited is authorised and regulated
> by the Financial Services Authority. Company no. 3000482.
> 
> Virgin Money Cards Limited. Introducer appointed representative only
> of Virgin Money Personal Financial Service Limited. Company no.
> 4232392.
> 
> Virgin Money Management Services Limited. Company no. 3072772.
> 
> Virgin Money Holdings (UK) Limited. Company no. 3087587.
> 
> Each of the above companies is registered in England and Wales and
> has its registered office at Discovery House, Whiting Road, Norwich
> NR4 6EJ.
> 
> Northern Rock plc. Authorised and regulated by the Financial Services
> Authority. Registered in England and Wales (Company no. 6952311)
> with its registered office at Northern Rock House, Gosforth,
> Newcastle upon Tyne NE3 4PL.
> 
> The above companies use the trading name Virgin Money.
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list