[Freeipa-users] Forcing IPA clients to prioritise different IPA Servers

Charlie Derwent shelltoesuperstar at gmail.com
Thu Jan 19 13:18:56 UTC 2012


Thanks for the advice Stephen (and the quick response), obviously that
won't help with load balanced comms during the installation process but it
should keep it to a minimum afterwards.
Wouldn't a quick solution be the addition of a "--primary" flag to the
ipa-client-install script? It could behave in the same way as the --server
flag and be a substitute for it but it just forces all enrolment comms to
be kept to the named server and reorders the ipa_server entry in sssd.conf
from "ipa_server = __srv__, x.x.x.x" to "ipa_server = x.x.x.x, __srv__".
Would that be enough?
Regards
Charlie
On Wed, Jan 18, 2012 at 3:33 PM, Dmitri Pal <dpal at redhat.com> wrote:

> On 01/17/2012 10:19 PM, Stephen Gallagher wrote:
>
> On Wed, 2012-01-18 at 03:02 +0000, Charlie Derwent wrote:
>
> Hi
>
> I've got 5 different IPA servers at 5 different labs around the
> country that are all replicas of one another. In order to keep the
> cross-site network traffic to a minimum I want the IPA clients at Site
> "A" to only communicate to IPA Server "A", "B" to "B", "C" to "C" etc.
> except in the case of the failure of one of the servers.
>
> I originally assumed that making the IPA client connect to a
> specific IPA server with "ipa-client-install --server=IPA_server_fqdn"
> would suffice but I very quickly found out this wasn't the case with
> the client going to multiple servers just to complete the installation
> process. Then I found out about modifying the DNS SRV records priority
> and weight however, please correct me if I'm wrong, wouldn't these
> changes replicate and be enacted globally? (i.e. all clients at
> any site would prioritise IPA "A" over IPA "B").
>
> Is there any way to get the functionality I desire?
>
>
> We're looking at ways to implement a concept of client location into the
> connection logic. At the moment, however, the only way to do this is
> manually on the client.
>
> You can make the following change in the clients' /etc/sssd/sssd.conf
> files:
>
> In the [domain/your.domain.com] section there is an option "ipa_server".
>
> By default, this is configured to be:
> ipa_server = __srv__, x.x.x.x
>
> (Where x.x.x.x is the server you were originally talking to when you ran
> ipa-client-install, as a backup in case DNS is not working).
>
> You can manually change this to be:
> ipa_server = nearest.server.com, further.server.com, only-in-emergencies.server.com, ...
>
> With this manual setup, SSSD (the daemon that manages the client-side
> portion) will always attempt to connect to nearest.server.com unless it
> is unavailable, after which time it will fail over to the next in the
> list, and so on.*
>
>
> * If all of them are unavailable, SSSD switches to offline operation,
> where it will try to reconnect every couple of minutes, but will serve
> requests from its cache in the meantime. When it reconnects from an
> offline state, it will start retrying from the first server in the list
> (aka the nearest one).
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> We are tracking this requirement with the following ticket:
> https://fedorahosted.org/freeipa/ticket/122
> It is currently Deferred as we do not have time to look at it yet but any
> help is always appreciated.
> It seems that the page that the ticket is pointing to actually changed since
> we last looked at it.
> Maybe based on the ideas expressed in this page the changes can be made
> in IPA storage or LDAP driver without the need to touch BIND. If something
> like this is possible it would be much easier to implement. But still we
> have a full plate now and will for quite some time so help would be
> definitely needed.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
>
>
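As an added example (not code from this thread, nor from the SSSD or FreeIPA projects), here is a small Python helper that applies the manual sssd.conf change Stephen describes and the ordering Charlie proposes: the preferred replica(s) are moved to the front of the `ipa_server` list in the `[domain/...]` section, while `__srv__` and any other servers already listed stay behind them as failover targets. The domain name, the server names and the sample configuration text are constructed for the example; on a real client you would read and write /etc/sssd/sssd.conf (mode 0600, owned by root) and restart sssd afterwards.

```python
"""Reorder the ipa_server failover list in an sssd.conf domain section.

Constructed example, not from the mailing-list thread or the SSSD project.
It edits the configuration text in memory: the preferred servers are moved
to the front of ``ipa_server`` and the remaining entries (including the
``__srv__`` DNS SRV lookup marker) keep their relative order behind them,
so the local replica is tried first and the others only on failover.
"""
import re

# Constructed sample of a client's sssd.conf as ipa-client-install leaves it
# (domain and host names are made up for this example).
SAMPLE_CONF = """[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = __srv__, ipa-b.example.test
ldap_tls_cacert = /etc/ipa/ca.crt

[nss]
homedir_substring = /home
"""

_HEADER = re.compile(r"\s*\[(.+)\]\s*$")


def _split_list(value):
    """Split an SSSD comma-separated list, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _section_bounds(lines, name):
    """Return (start, end) line indexes of the body of section ``name``."""
    start = None
    for i, line in enumerate(lines):
        m = _HEADER.match(line)
        if not m:
            continue
        if start is not None:
            return start, i          # next header closes our section
        if m.group(1) == name:
            start = i + 1
    return (start, len(lines)) if start is not None else None


def parse_ipa_server(conf_text, domain):
    """Return the ipa_server list of [domain/<domain>], or [] if unset."""
    lines = conf_text.splitlines()
    bounds = _section_bounds(lines, f"domain/{domain}")
    if bounds is None:
        return []
    for line in lines[bounds[0]:bounds[1]]:
        key, sep, val = line.partition("=")
        if sep and key.strip() == "ipa_server":   # skips '# ipa_server' comments
            return _split_list(val)
    return []


def prioritize_ipa_server(conf_text, domain, preferred):
    """Rewrite conf_text so ``preferred`` servers lead ipa_server for ``domain``.

    Entries already present keep their order after the preferred ones; if the
    option is missing it is appended to the section as ``preferred, __srv__``
    so DNS SRV discovery remains the last-resort fallback.
    """
    lines = conf_text.splitlines()
    bounds = _section_bounds(lines, f"domain/{domain}")
    if bounds is None:
        raise ValueError(f"no [domain/{domain}] section in sssd.conf")
    start, end = bounds
    preferred = list(preferred)
    for i in range(start, end):
        key, sep, val = lines[i].partition("=")
        if sep and key.strip() == "ipa_server":
            rest = [s for s in _split_list(val) if s not in preferred]
            lines[i] = "ipa_server = " + ", ".join(preferred + rest)
            break
    else:
        # Option absent: add it as the last setting of the section, before
        # any blank lines that separate it from the next header.
        last = end
        while last > start and not lines[last - 1].strip():
            last -= 1
        lines.insert(last, "ipa_server = " + ", ".join(preferred + ["__srv__"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Site "B" client: pin its own replica first, keep SRV lookup as fallback.
    updated = prioritize_ipa_server(SAMPLE_CONF, "example.test", ["ipa-b.example.test"])
    print(updated)
```

The rewrite is idempotent, so it is safe to run from configuration management on every client at a site with that site's replica as `preferred`; SSSD only picks up the change after a restart (for example `systemctl restart sssd`), and the `ipa-client-install` enrolment traffic itself is unaffected, as Charlie notes.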

