[Freeipa-users] SSSD in redundant configuration
Rob Crittenden
rcritten at redhat.com
Wed Mar 18 17:11:44 UTC 2015
Craig White wrote:
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Andrew Holway
> Sent: Wednesday, March 18, 2015 9:40 AM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] SSSD in redundant configuration
>
> Hello,
>
> I'm wondering how we should be handling SSSD for redundant configurations
> on our freeipa clients. We have three freeipa servers; how can we make
> SSSD check another freeipa in the event that one goes down?
>
> It appears we can do something like the following:
>
> ipa_hostname = test-freeipa-client-1.cloud.domain.de,
> test-freeipa-client-2.cloud.domain.de,
> test-freeipa-client-3.cloud.domain.de
>
> However I thought SRV records were meant to supply the magic here?
>
> Thanks,
>
> Andrew
>
> /etc/sssd/sssd.conf
>
> [domain/cloud.domain.de]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = cloud.domain.de
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = test-freeipa-client-2.cloud.domain.de
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de
> ldap_tls_cacert = /etc/ipa/ca.crt
> # For the SUDO integration
> sudo_provider = ldap
> ldap_uri = ldap://test-freeipa-1.cloud.domain.de
> ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de
> ldap_sasl_realm = CLOUD.DOMAIN.DE
> krb5_server = test-freeipa-2.cloud.domain.de
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = cloud.domain.de
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> I think the magic you are looking for is in /etc/sssd/sssd.conf where
> you have
>
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de
>
> and all you need is
>
> ipa_server = _srv_

_srv_ tells SSSD to check DNS for SRV records. The trailing server gives
it a hardcoded fallback in case DNS fails for some reason. Their current
configuration is correct.
rob
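
Added example (not part of the original thread and not SSSD's own code): a small Python model of the lookup order described above for `ipa_server = _srv_, test-freeipa-2.cloud.domain.de`, where servers found through SRV records come first and the trailing host remains as the fallback when DNS fails. The SRV answers, the third host name test-freeipa-3 and all function names are constructed for illustration, and equal-priority records are ordered deterministically instead of by RFC 2782 weighted random selection.

```python
from typing import Callable, List, NamedTuple


class Srv(NamedTuple):
    priority: int
    weight: int
    target: str


def order_srv(records: List[Srv]) -> List[str]:
    # Lowest priority value is tried first. Within one priority this example
    # sorts by descending weight (a deterministic simplification of RFC 2782).
    ranked = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return [r.target.rstrip(".") for r in ranked]


def expand_ipa_server(value: str, lookup: Callable[[], List[Srv]]) -> List[str]:
    """Return the servers to try, in order, for an ipa_server setting."""
    candidates: List[str] = []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        if token == "_srv_":
            try:
                found = order_srv(lookup())
            except OSError:
                found = []  # DNS unavailable: discovery contributes nothing
        else:
            found = [token]  # hardcoded server from the config line
        for host in found:
            if host not in candidates:  # a host is only tried once
                candidates.append(host)
    return candidates


# Constructed SRV answers for three servers (test-freeipa-3 is assumed).
SAMPLE = [
    Srv(0, 100, "test-freeipa-1.cloud.domain.de."),
    Srv(0, 100, "test-freeipa-2.cloud.domain.de."),
    Srv(10, 100, "test-freeipa-3.cloud.domain.de."),
]


def dns_ok() -> List[Srv]:
    return list(SAMPLE)


def dns_down() -> List[Srv]:
    raise OSError("resolver unreachable")  # simulated DNS outage


if __name__ == "__main__":
    setting = "_srv_, test-freeipa-2.cloud.domain.de"
    print("DNS up:  ", expand_ipa_server(setting, dns_ok))
    print("DNS down:", expand_ipa_server(setting, dns_down))
    print("DNS down, _srv_ only:", expand_ipa_server("_srv_", dns_down))
```

With `_srv_` alone and DNS unreachable the candidate list is empty, which is the case the trailing hardcoded server covers.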