[Freeipa-users] SSSD in redundant configuration

Rob Crittenden rcritten at redhat.com
Wed Mar 18 17:11:44 UTC 2015


Craig White wrote:
> *From:*freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Andrew Holway
> *Sent:* Wednesday, March 18, 2015 9:40 AM
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] SSSD in redundant configuration
> 
> Hello,
> 
> I'm wondering how we should be handling SSSD for redundant configurations
> on our freeipa clients. We have three freeipa servers; how can we make
> SSSD check another freeipa in the event that one goes down?
> 
> It appears we can do something like the following:
> 
> ipa_hostname = test-freeipa-client-1.cloud.domain.de,
> test-freeipa-client-2.cloud.domain.de, test-freeipa-client-3.cloud.domain.de
> 
> However I thought SRV records were meant to supply the magic here?
> 
> Thanks,
> 
> Andrew
> 
> /etc/sssd/sssd.conf
> 
> [domain/cloud.domain.de]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = cloud.domain.de
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = test-freeipa-client-2.cloud.domain.de
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de
> ldap_tls_cacert = /etc/ipa/ca.crt
> # For the SUDO integration
> sudo_provider = ldap
> ldap_uri = ldap://test-freeipa-1.cloud.domain.de
> ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de
> ldap_sasl_realm = CLOUD.DOMAIN.DE
> krb5_server = test-freeipa-2.cloud.domain.de
> 
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = cloud.domain.de
> 
> [nss]
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> 
> I think the magic you are looking for is in /etc/sssd/sssd.conf where
> you have
> 
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de
> 
> and all you need is
> 
> ipa_server = _srv_

_srv_ tells SSSD to check DNS for SRV records. The trailing server gives
it a hardcoded fallback in case DNS fails for some reason. Their current
configuration is correct.

rob
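The following is an added illustration of the `ipa_server = _srv_, <host>` pattern discussed above; it is not code from this thread or from SSSD. It parses an sssd.conf in the posted style, expands a `_srv_` entry through an injected SRV answer (constructed data, so it runs without DNS) using the RFC 2782 priority/weight ordering as a stand-in for SSSD's own server-selection logic, which it does not reproduce, and lints the `ipa_server` line for the two weak shapes: no `_srv_` at all (only the listed hosts are ever tried) and `_srv_` with no static fallback (a DNS outage leaves nothing to try). The SRV targets `test-freeipa-1` and `test-freeipa-2` come from the thread; `test-freeipa-3` and all priorities, weights and ports are assumptions.

```python
"""Failover-order lint for the ipa_server line in sssd.conf (added example)."""
import configparser
import random
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample modelled on the sssd.conf posted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = cloud.domain.de

[domain/cloud.domain.de]
id_provider = ipa
ipa_domain = cloud.domain.de
ipa_server = _srv_, test-freeipa-2.cloud.domain.de
"""

# Constructed stand-in for the _ldap._tcp SRV answer: (priority, weight, port, target).
# test-freeipa-3 and the priority/weight values are hypothetical.
SrvRecord = Tuple[int, int, int, str]
SAMPLE_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.cloud.domain.de": [
        (0, 100, 389, "test-freeipa-1.cloud.domain.de"),
        (0, 100, 389, "test-freeipa-2.cloud.domain.de"),
        (10, 100, 389, "test-freeipa-3.cloud.domain.de"),
    ],
}


def sample_srv_lookup(name: str) -> List[SrvRecord]:
    """Offline replacement for a real SRV query against the constructed table."""
    return SAMPLE_SRV[name]


def ipa_servers(conf_text: str, domain: str) -> List[str]:
    """Return the comma-separated ipa_server entries of the [domain/<domain>] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(f"domain/{domain}", "ipa_server", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[str]:
    """Order SRV targets per RFC 2782: ascending priority, weighted random within a priority."""
    rng = rng or random.Random()
    ordered: List[str] = []
    by_prio: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    for prio in sorted(by_prio):
        pool = sorted(by_prio[prio], key=lambda r: r[1])  # zero-weight records go first
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)  # 0..total inclusive, as the RFC describes
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec[3])
                    pool.remove(rec)
                    break
    return ordered


def failover_order(servers: List[str], domain: str,
                   srv_lookup: Callable[[str], List[SrvRecord]],
                   rng: Optional[random.Random] = None) -> List[str]:
    """Expand _srv_ into SRV-ordered hosts; static entries keep their place; duplicates dropped."""
    hosts: List[str] = []
    for entry in servers:
        if entry.lower() == "_srv_":
            hosts.extend(order_srv(srv_lookup(f"_ldap._tcp.{domain}"), rng))
        else:
            hosts.append(entry)
    seen = set()
    return [h for h in hosts if not (h in seen or seen.add(h))]


def lint_ipa_server(servers: List[str]) -> List[str]:
    """Flag the two shapes of ipa_server that give up failover; empty list means no finding."""
    findings: List[str] = []
    lowered = [s.lower() for s in servers]
    if not servers:
        findings.append("ipa_server not set in this section")
    if servers and "_srv_" not in lowered:
        findings.append("no _srv_ entry: SSSD will only try the hosts listed here")
    if lowered and all(s == "_srv_" for s in lowered):
        findings.append("no static fallback after _srv_: a DNS failure leaves nothing to try")
    return findings


if __name__ == "__main__":
    servers = ipa_servers(SAMPLE_SSSD_CONF, "cloud.domain.de")
    print("ipa_server:", servers, "findings:", lint_ipa_server(servers))
    print("try order:", failover_order(servers, "cloud.domain.de", sample_srv_lookup))
```

To check the real SRV data behind `_srv_` on a client, `dig +short _ldap._tcp.cloud.domain.de SRV` lists the priority, weight, port and target of each IPA server the domain advertises. The lint looks only at `ipa_server`; the posted config also names a single host in `ldap_uri` (used by `sudo_provider = ldap`) and in `krb5_server`, and whether those lines are consulted ahead of the `ipa_server` list is something to confirm against sssd-ipa(5) for the SSSD version in use rather than assume.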
