Re: [Freeipa-users] Forcing IPA clients to prioritise different IPA Servers
From: Charlie Derwent <shelltoesuperstar gmail com>
To: freeipa-users redhat com
Subject: Re: [Freeipa-users] Forcing IPA clients to prioritise different IPA Servers
Date: Thu, 19 Jan 2012 13:18:56 +0000
Thanks for the advice Stephen (and the quick response), obviously that won't help with load balanced comms during the installation process but it should keep it to a minimum afterwards.
Wouldn't a quick solution be the addition of a "--primary" flag to the ipa-client-install script? It could behave in the same way as the --server flag and be a substitute for it but it just forces all enrolment comms to be kept to the named server and reorders the ipa_server entry in sssd.conf from "ipa_server = __srv__, x.x.x.x" to "ipa_server = x.x.x.x, __srv__"
On Wed, 2012-01-18 at 03:02 +0000, Charlie Derwent wrote:
I've got 5 different IPA servers at 5 different labs around the
country that are all replicas of one another. In order to keep the
cross-site network traffic to a minimum I want the IPA clients at Site
"A" to only communicate to IPA Server "A", "B" to "B", "C" to "C" etc.
except in the case of the failure of one of the servers.
I originally assumed that making the IPA client connect to a
specific IPA server with "ipa-client-install --server=IPA_server_fqdn"
would suffice but I very quickly found out this wasn't the case with
the client going to multiple servers just to complete the installation
process. Then I found out about modifying the DNS SRV records priority
and weight; however, please correct me if I'm wrong, wouldn't these
changes replicate and be enacted globally? (i.e. all clients at
any site would prioritise IPA "A" over IPA "B").
Is there any way to get the functionality I desire?
We're looking at ways to implement a concept of client location into the
connection logic. At the moment, however, the only way to do this is
manually on the client.
You can make the following change in the clients' /etc/sssd/sssd.conf
In the [domain/your.domain.com] section there is an option "ipa_server".
By default, this is configured to be:
ipa_server = __srv__, x.x.x.x
(Where x.x.x.x is the server you were originally talking to when you ran
ipa-client-install, as a backup in case DNS is not working).
You can manually change this to be:
ipa_server = nearest.server.com, further.server.com,
With this manual setup, SSSD (the daemon that manages the client-side
portion) will always attempt to connect to nearest.server.com unless it
is unavailable, after which time it will fail over to the next in the
list, and so on.*
* If all of them are unavailable, SSSD switches to offline operation,
where it will try to reconnect every couple of minutes, but will serve
requests from its cache in the meantime. When it reconnects from an
offline state, it will start retrying from the first server in the list
(aka the nearest one).
We are tracking this requirement with the following ticket:
It is currently Deferred as we do not have time to look at it yet
but any help is always appreciated.
It seems that the page that the ticket is pointing to actually changed
since we last looked at it.
Maybe based on the ideas expressed in this page the changes can be
made in IPA storage or LDAP driver without the need to touch BIND.
If something like this is possible it would be much easier to
implement. But still we have a full plate now and will for quite
some time so help would be definitely needed.
Sr. Engineering Manager IPA project,
Red Hat Inc.
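The manual sssd.conf change described in the thread (putting the site-local server first in ipa_server and keeping the rest of the list, __srv__ included, as failover) is easy to get wrong when done by hand on a few dozen clients. The script below is an added example written for this page, not code from FreeIPA or SSSD; it rewrites only the ipa_server line(s) inside [domain/...] sections and copies every other line, comments included, through unchanged. The sample configuration and the server names ipa-a.example.com / ipa-c.example.com are constructed for illustration.

```python
#!/usr/bin/env python3
"""Reorder the ipa_server list in sssd.conf so a site-local IPA server is tried first.

Added example for this thread, not FreeIPA or SSSD code.  It does on the client
what the thread describes by hand: put the nearest server first and keep the
existing entries (including the __srv__ DNS-discovery marker) as failover.
"""
import re

# A section header such as "[domain/example.com]" or "[sssd]".
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# The option we rewrite; the value is a comma-separated server list.
IPA_SERVER_RE = re.compile(r"^(?P<indent>\s*)ipa_server\s*=\s*(?P<value>.*?)\s*$")

# Constructed sample sssd.conf in the shape ipa-client-install produces
# (server names are hypothetical).
SAMPLE_CONF = """[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
# keep me: comments must survive the rewrite
id_provider = ipa
ipa_domain = example.com
ipa_server = __srv__, ipa-c.example.com
ipa_hostname = client1.example.com
"""


def ordered_servers(current_value, preferred):
    """Return the server list with `preferred` first, then the existing entries
    in their original order, with blanks and duplicates dropped."""
    existing = [s.strip() for s in current_value.split(",") if s.strip()]
    result = []
    for server in list(preferred) + existing:
        if server and server not in result:
            result.append(server)
    return result


def prefer_local_servers(conf_text, preferred, domain=None):
    """Rewrite every 'ipa_server =' line inside [domain/...] sections (or only
    [domain/<domain>] when given) of an sssd.conf text.

    Returns (new_text, changes) where changes maps section name -> new value.
    Nothing outside the matched ipa_server lines is modified."""
    out = []
    changes = {}
    section = None
    for line in conf_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            out.append(line)
            continue
        in_scope = (
            section is not None
            and section.startswith("domain/")
            and (domain is None or section == f"domain/{domain}")
        )
        option = IPA_SERVER_RE.match(line)
        if option and in_scope:
            new_value = ", ".join(ordered_servers(option.group("value"), preferred))
            out.append(f"{option.group('indent')}ipa_server = {new_value}")
            changes[section] = new_value
        else:
            out.append(line)
    new_text = "\n".join(out)
    if conf_text.endswith("\n"):
        new_text += "\n"
    return new_text, changes


if __name__ == "__main__":
    # Site "A" client: try ipa-a first, then whatever was there before.
    rewritten, changed = prefer_local_servers(SAMPLE_CONF, ["ipa-a.example.com"])
    for name, value in changed.items():
        print(f"[{name}] ipa_server = {value}")
    print(rewritten)
```

Run it against a copy of /etc/sssd/sssd.conf (the file is mode 0600 and owned by root, so the rewrite needs root), diff the result, then restart sssd to pick up the new order. Two caveats follow directly from the thread: SSSD only walks the list in order, so if __srv__ is left ahead of a hostname the DNS SRV priority/weight still decides, and the order is purely a preference, not a restriction; a client will still fail over to a remote replica when the local one is down.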