[Freeipa-users] Forcing IPA clients to prioritise different IPA Servers

Dmitri Pal dpal at redhat.com
Wed Jan 18 15:33:26 UTC 2012


On 01/17/2012 10:19 PM, Stephen Gallagher wrote:
> On Wed, 2012-01-18 at 03:02 +0000, Charlie Derwent wrote:
>> Hi
>>  
>> I've got 5 different IPA servers at 5 different labs around the
>> country that are all replicas of one another. In order to keep the
>> cross-site network traffic to a minimum I want the IPA clients at Site
>> "A" to only communicate to IPA Server "A", "B" to "B", "C" to "C" etc.
>> except in the case of the failure of one of the servers.
>>  
>> I originally assumed that making the IPA client to connect to a
>> specific IPA server with "ipa-client-install --server=IPA_server_fqdn"
>> would suffice but I very quickly found out this wasn't the case with
>> the client going to multiple servers just to complete the installation
>> process. Then I found out about modifying the DNS SRV records'
>> priority and weight; however, please correct me if I'm wrong, wouldn't
>> these changes replicate and be enacted globally? (i.e. all clients at
>> any site would prioritise IPA "A" over IPA "B").
>>  
>> Is there any way to get the functionality I desire?
>>  
> We're looking at ways to implement a concept of client location into the
> connection logic. At the moment, however, the only way to do this is
> manually on the client.
>
> You can make the following change in the clients' /etc/sssd/sssd.conf
> files:
>
> In the [domain/your.domain.com] section there is an option "ipa_server".
>
> By default, this is configured to be:
> ipa_server = __srv__, x.x.x.x
>
> (Where x.x.x.x is the server you were originally talking to when you ran
> ipa-client-install, as a backup in case DNS is not working).
>
> You can manually change this to be:
> ipa_server = nearest.server.com, further.server.com,
> only-in-emergencies.server.com, ...
>
> With this manual setup, SSSD (the daemon that manages the client-side
> portion) will always attempt to connect to nearest.server.com unless it
> is unavailable, after which time it will fail over to the next in the
> list, and so on.*
>
>
> * If all of them are unavailable, SSSD switches to offline operation,
> where it will try to reconnect every couple of minutes, but will serve
> requests from its cache in the meantime. When it reconnects from an
> offline state, it will start retrying from the first server in the list
> (aka the nearest one).
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


We are tracking this requirement with the following ticket:
https://fedorahosted.org/freeipa/ticket/122
It is currently Deferred as we do not have time to look at it yet, but
any help is always appreciated.
It seems that the page that the ticket is pointing to actually changed
since we last looked at it.
Maybe, based on the ideas expressed on that page, the changes can be made
in the IPA storage or LDAP driver without the need to touch BIND. If
something like this is possible it would be much easier to implement.
But still, we have a full plate now and will for quite some time, so help
would definitely be needed.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
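
The per-site ipa_server ordering Stephen describes above, as an added example that is not part of the thread and not FreeIPA or SSSD project code: a small Python script that rewrites the ipa_server line in a client's /etc/sssd/sssd.conf so its own site's replica comes first and the remaining replicas follow as failover (dropping __srv__, since SRV discovery is what ignores site locality), then reads the list back to check it. The domain example.com, the ipa-a to ipa-e hostnames and the site mapping are assumptions; the sample sssd.conf is constructed to mimic what ipa-client-install writes.

```python
"""Order SSSD's ipa_server list per site (added example; not from the thread)."""

import configparser
import re

# Constructed sample of the [domain] section ipa-client-install leaves behind:
# SRV discovery first, then the server the install talked to as a fallback.
# The domain and hostnames are assumptions for illustration only.
INSTALLED_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = __srv__, ipa-a.example.com
cache_credentials = True
"""

# Assumed mapping of lab site -> that site's IPA replica (hypothetical names).
SITE_SERVERS = {
    "A": "ipa-a.example.com",
    "B": "ipa-b.example.com",
    "C": "ipa-c.example.com",
    "D": "ipa-d.example.com",
    "E": "ipa-e.example.com",
}


def ordered_servers(local_site, site_servers=SITE_SERVERS):
    """Failover list for a client at local_site: its own replica first, every
    other replica after it in a stable order, and no __srv__ entry (SRV
    discovery is exactly what ignores which site the client sits in)."""
    if local_site not in site_servers:
        raise KeyError(f"unknown site {local_site!r}")
    local = site_servers[local_site]
    others = [host for site, host in sorted(site_servers.items())
              if site != local_site]
    return [local] + others


def set_ipa_server(conf_text, domain, servers):
    """Rewrite (or add) ipa_server in [domain/<domain>], working line by line so
    every other line of sssd.conf is kept exactly as it was."""
    target = f"[domain/{domain}]"
    value = "ipa_server = " + ", ".join(servers)
    out = []
    in_target = seen_target = replaced = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_target and not replaced:      # section ended with no ipa_server
                out.append(value)
                replaced = True
            in_target = stripped == target
            seen_target = seen_target or in_target
        elif in_target and re.match(r"^\s*ipa_server\s*=", line):
            line = value
            replaced = True
        out.append(line)
    if not seen_target:
        raise ValueError(f"no {target} section in sssd.conf")
    if not replaced:                            # target was the last section
        out.append(value)
    return "\n".join(out) + "\n"


def read_ipa_server(conf_text, domain):
    """Parse the ipa_server list back out, the way a reviewer would check it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get(f"domain/{domain}", "ipa_server")
    return [s.strip() for s in raw.split(",") if s.strip()]


def prefers_local(conf_text, domain, local_site, site_servers=SITE_SERVERS):
    """True if the client would try its own site's replica first and never
    fall back to SRV discovery."""
    servers = read_ipa_server(conf_text, domain)
    return (bool(servers) and servers[0] == site_servers[local_site]
            and "__srv__" not in servers)


if __name__ == "__main__":
    # Usage: rewrite the constructed config for a client in lab "C".
    new_conf = set_ipa_server(INSTALLED_CONF, "example.com", ordered_servers("C"))
    print(new_conf)
    print("prefers local replica:", prefers_local(new_conf, "example.com", "C"))
```

Run it per site through whatever already distributes sssd.conf to the clients, then restart sssd. Two caveats follow from dropping __srv__: a replica added later has to be pushed into every client's list by hand, and this only steers SSSD's own traffic, not what ipa-client-install does during enrolment. Later SSSD releases added an ipa_backup_server option for the "only in emergencies" servers, which keeps the primary list to the nearby replicas.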

