[Freeipa-users] Specifying load balancing to SSSD clients

Simo Sorce ssorce at redhat.com
Tue Aug 21 07:39:34 UTC 2012


----- Original Message -----
> Thanks Simo,
> 
> I was hoping for an alternative to the DNS _srv_ records due to the
> Windows guys having exclusive use of those records (for now).
> 
> Is it feasible for IPA communications to be "force" round robined
> between two or more servers that are replicas of each other?  If it's
> a possibility, I will raise a ticket.

The easiest solution for now is to configure your clients by using the primary and backup options in SSSD, and just configure clients to have different orders, so that they will attach to separate servers by default.

I.e. client 1 has primary servers of "ipa1, ipa2", while client 2 has "ipa2, ipa1", and so on.

Without control of name resolution on the server side at the moment we do not have other ways to do load balancing.

Simo.
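
The per-client ordering described in the reply above, as an added example that is not part of the original message: it rotates each site's server list by a stable hash of the client's name and emits the matching SSSD domain section. The site map, the helper names and the use of `ipa_backup_server` for the remote datacentre are assumptions; the hostnames are the ones from the thread. Real server names are kept (no shared alias), in line with the GSSAPI requirement mentioned further down the thread.

```python
import hashlib

# Constructed topology, using the example hostnames from the thread.
SITES = {
    "A": ["ipa1.domain.com", "ipa2.domain.com"],
    "B": ["ipa3.domain.com", "ipa4.domain.com"],
}


def rotate(servers, client_fqdn):
    """Rotate the list by an offset derived from the client's name.

    The offset is stable across runs, so a client always gets the same
    order, while different clients spread over the available servers.
    """
    digest = hashlib.sha256(client_fqdn.lower().encode()).digest()
    offset = int.from_bytes(digest[:4], "big") % len(servers)
    return servers[offset:] + servers[:offset]


def server_lists(client_fqdn, site):
    """Return (primary, backup) server lists for a client in `site`."""
    if site not in SITES:
        raise ValueError(f"unknown site: {site!r}")
    primary = rotate(SITES[site], client_fqdn)
    backup = []
    for other in sorted(SITES):
        if other != site:
            backup += rotate(SITES[other], client_fqdn)
    return primary, backup


def sssd_domain_fragment(client_fqdn, site, domain="domain.com"):
    """Render the [domain/...] section of sssd.conf for one client."""
    primary, backup = server_lists(client_fqdn, site)
    lines = [
        f"[domain/{domain}]",
        "id_provider = ipa",
        f"ipa_domain = {domain}",
        f"ipa_hostname = {client_fqdn}",
        f"ipa_server = {', '.join(primary)}",          # local replicas, tried in this order
        f"ipa_backup_server = {', '.join(backup)}",    # remote site, used only on failover
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for host in ("client1.domain.com", "client2.domain.com"):
        print(sssd_domain_fragment(host, "A"))
```
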


> Thanks
> 
> Duncan Innes | Linux Architect
> 
>  
> 
> > -----Original Message-----
> > From: Simo Sorce [mailto:ssorce at redhat.com]
> > Sent: 21 August 2012 08:04
> > To: Innes, Duncan
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
> > clients
> > 
> > ----- Original Message -----
> > > OK - thanks.
> > >  
> > > But is there any way IPA can be tweaked to do this without an
> > > "external" product (albeit a Red Hat one)?  Is it possible for the
> > > sssd clients to round-robin their requests between 2 or more servers?
> > 
> > At the moment only by using _srv_ records you could do some
> > round-robin (assuming DNS supports it).
> > 
> > Please do not use the load balancer as suggested in a previous
> > reply, also using an A record would not work as machines
> > joined to IPA need the 'correct' server name to be able to
> > perform GSSAPI authentication. A round-robin A record would
> > make that fail. A round-robin CNAME record might work if your
> > DNS server supports something like that.
> > 
> > > Is this an sssd question or generic enough to be in this list?
> > 
> > It's both, SSSD implements the client, but in FreeIPA domains
> > we need a joint solution due to Kerberos requirements for DNS
> > names.
> > 
> > > Would this functionality be of use to freeIPA in general?
> > > (my view = yes)
> > 
> > Yes.
> > 
> > HTH,
> > Simo.
> >  
> > > Cheers
> > >  
> > > Duncan Innes | Linux Architect
> > > 
> > > 
> > > 
> > > ________________________________
> > > 
> > > 	From: Mark St. Laurent [mailto:mstlaure at redhat.com]
> > > 	Sent: 20 August 2012 15:15
> > > 	To: Innes, Duncan
> > > 	Cc: freeipa-users at redhat.com
> > > 	Subject: Re: [Freeipa-users] Specifying load balancing to SSSD
> > > clients
> > > 	
> > > 	
> > > 	
> > > 	http://www.redhat.com/products/enterprise-linux-add-ons/load-balancing/
> > > 	
> > > 	
> > > 	Norman "Mark" St. Laurent
> > > 	Federal Team: Senior Solutions Architect
> > > 	Red Hat
> > > 	8260 Greensboro Drive, Suite 300
> > > 	McLean VA, 22102
> > > 	Email:  msl at redhat.com
> > > 	Cell:  703.772.1434
> > > 	
> > > 	Check this Link out!!!  Cool Stuff:  http://mil-oss.org/
> > > 	
> > > 	
> > > ________________________________
> > > 
> > > 	From: "Duncan Innes" <Duncan.Innes at virginmoney.com>
> > > 	To: freeipa-users at redhat.com
> > > 	Sent: Monday, August 20, 2012 9:48:30 AM
> > > 	Subject: [Freeipa-users] Specifying load balancing to SSSD clients
> > > 	
> > > 	Folks,
> > > 	
> > > 	Hopefully this isn't a dumb question, but I'm constrained by a few
> > > 	things on my estate and would be looking to deploy something like the
> > > 	following:
> > > 	
> > > 	2 Datacentres
> > > 	2 IPA servers at each datacentre
> > > 	
> > > 	ipa1.domain.com \_ datacentre A
> > > 	ipa2.domain.com /
> > > 	
> > > 	ipa3.domain.com \_ datacentre B
> > > 	ipa4.domain.com /
> > > 	
> > > 	The datacentres are linked, but bandwidth not great.
> > > 	
> > > 	Clients in datacentre A should therefore use ipa1.domain.com and
> > > 	ipa2.domain.com as primary servers and only fail over to ipa3 & ipa4
> > > 	when both 1 & 2 are out of action.  Clients would revert to using
> > > 	ipa1/ipa2 whenever either of them came back online.
> > > 	
> > > 	I understand this configuration has already been done as part of
> > > 	https://fedorahosted.org/freeipa/ticket/2282
> > > 	
> > > 	What I'm wondering is if I can force my clients to load balance
> > > 	communication between ipa1 & ipa2.
> > > 	
> > > 	I don't have the ability to use the _srv_ records in DNS as that's set
> > > 	up for the AD servers on our network.  I also can't create separate DNS
> > > 	servers for the Linux estate (not that I'd particularly want to).
> > > 	
> > > 	Is there any current configuration that I can use to force load
> > > 	balancing between ipa1/ipa2 under ideal conditions.  Falling back to
> > > 	ipa2 when ipa1 is out of action.  Falling back to (load balanced
> > > 	perhaps?) ipa3/ipa4 when ipa1 & ipa2 are both out of action.
> > > 	
> > > 	Hope the description is reasonable.
> > > 	
> > > 	Thanks
> > > 	
> > > 	Duncan Innes | Linux Architect
> > > 	
> > > 
> > > 
> > > 
> > > Northern Rock plc is part of the Virgin Money group of companies.
> > > 
> > > This e-mail is intended to be confidential to the recipient. If you
> > > receive a copy in error, please inform the sender and then delete this
> > > message.
> > > 
> > > Virgin Money Personal Financial Service Limited is authorised and
> > > regulated by the Financial Services Authority. Company no. 3072766.
> > > 
> > > Virgin Money Unit Trust Managers Limited is authorised and regulated
> > > by the Financial Services Authority. Company no. 3000482.
> > > 
> > > Virgin Money Cards Limited. Introducer appointed representative only
> > > of Virgin Money Personal Financial Service Limited. Company no.
> > > 4232392.
> > > 
> > > Virgin Money Management Services Limited. Company no. 3072772.
> > > 
> > > Virgin Money Holdings (UK) Limited. Company no. 3087587.
> > > 
> > > Each of the above companies is registered in England and Wales and has
> > > its registered office at Discovery House, Whiting Road, Norwich
> > > NR4 6EJ.
> > > 
> > > Northern Rock plc. Authorised and regulated by the Financial Services
> > > Authority. Registered in England and Wales (Company no. 6952311) with
> > > its registered office at Northern Rock House, Gosforth, Newcastle upon
> > > Tyne NE3 4PL.
> > > 
> > > The above companies use the trading name Virgin Money.
> > > 
> > > 
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > 
> 
> 



