[Freeipa-users] Forcing IPA clients to prioritise different IPA Servers

Stephen Gallagher sgallagh at redhat.com
Wed Jan 18 03:19:54 UTC 2012


On Wed, 2012-01-18 at 03:02 +0000, Charlie Derwent wrote:
> Hi
>  
> I've got 5 different IPA servers at 5 different labs around the
> country that are all replicas of one another. In order to keep the
> cross-site network traffic to a minimum I want the IPA clients at Site
> "A" to only communicate to IPA Server "A", "B" to "B", "C" to "C" etc.
> except in the case of the failure of one of the servers.
>  
> I originally assumed that making the IPA client connect to a
> specific IPA server with "ipa-client-install --server=IPA_server_fqdn"
> would suffice but I very quickly found out this wasn't the case with
> the client going to multiple servers just to complete the installation
> process. Then I found out about modifying the DNS SRV records priority
> and weight however, please correct me if I'm wrong, wouldn't these
> changes replicate and be enacted globally (i.e. all clients at
> any site would prioritise IPA "A" over IPA "B")?
>  
> Is there any way to get the functionality I desire?
>  

We're looking at ways to implement a concept of client location into the
connection logic. At the moment, however, the only way to do this is
manually on the client.

You can make the following change in the clients' /etc/sssd/sssd.conf
files:

In the [domain/your.domain.com] section there is an option "ipa_server".

By default, this is configured to be:
ipa_server = _srv_, x.x.x.x

(Where x.x.x.x is the server you were originally talking to when you ran
ipa-client-install, as a backup in case DNS is not working).

You can manually change this to be:
ipa_server = nearest.server.com, further.server.com,
only-in-emergencies.server.com, ...

With this manual setup, SSSD (the daemon that manages the client-side
portion) will always attempt to connect to nearest.server.com unless it
is unavailable, after which time it will fail over to the next in the
list, and so on.*


* If all of them are unavailable, SSSD switches to offline operation,
where it will try to reconnect every couple of minutes, but will serve
requests from its cache in the meantime. When it reconnects from an
offline state, it will start retrying from the first server in the list
(aka the nearest one).
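As an added example (not code from this thread or from the SSSD project), the following Python helper produces the per-site ipa_server ordering described above and rewrites it into the [domain/...] section of a client's sssd.conf text. The site map, hostnames and domain are constructed placeholders, and appending a trailing `_srv_` so that DNS discovery stays available as a last resort is an assumption of this example, not something the reply above recommends.

```python
"""Per-site ipa_server ordering for sssd.conf (added example, not from the thread)."""
import configparser
import io

# Constructed placeholder data: one IPA replica per lab site.
SITE_SERVERS = {
    "A": "ipa-a.example.com",
    "B": "ipa-b.example.com",
    "C": "ipa-c.example.com",
}

# Constructed sssd.conf fragment in the default shape described in the reply.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, 192.0.2.10
"""


def server_order(site, site_servers, keep_srv=False):
    """Build the ipa_server value for a client at `site`: its own replica
    first, the other sites' replicas as fail-over targets in a fixed order.
    keep_srv=True appends _srv_ so SRV discovery remains the last resort
    (an assumption of this example, not part of the original advice)."""
    if site not in site_servers:
        raise KeyError(f"unknown site {site!r}")
    order = [site_servers[site]]
    order += [s for k, s in sorted(site_servers.items()) if k != site]
    if keep_srv:
        order.append("_srv_")
    return ", ".join(order)


def rewrite_sssd_conf(conf_text, domain, site, site_servers, keep_srv=False):
    """Return conf_text with ipa_server in [domain/<domain>] replaced by the
    per-site ordering; other sections and keys are left as they were."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"missing section [{section}]")
    cp.set(section, "ipa_server", server_order(site, site_servers, keep_srv))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```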
