[Freeipa-users] ipa_server and ipa_backup_server failover time

Jakub Hrozek jhrozek at redhat.com
Mon Jan 9 08:11:01 UTC 2017


On Mon, Jan 09, 2017 at 03:29:54PM +0800, Matrix wrote:
> Hi, all
> 
> 
> The purpose of this email is to know more about timeout ipa server failover. 
> 
> 
> Env: 
> # rpm -qa | grep sssd
> sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> python-sssdconfig-1.13.0-40.el7_2.12.noarch
> sssd-ipa-1.13.0-40.el7_2.12.x86_64
> sssd-client-1.13.0-40.el7_2.12.x86_64
> sssd-ad-1.13.0-40.el7_2.12.x86_64
> sssd-proxy-1.13.0-40.el7_2.12.x86_64
> sssd-common-pac-1.13.0-40.el7_2.12.x86_64
> sssd-ldap-1.13.0-40.el7_2.12.x86_64
> sssd-krb5-1.13.0-40.el7_2.12.x86_64
> sssd-common-1.13.0-40.el7_2.12.x86_64
> sssd-1.13.0-40.el7_2.12.x86_64
> 
> 
> 
> base config:
> # cat /etc/sssd/sssd.conf
> [domain/example.com]
> 
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spare01.example.com
> chpass_provider = ipa
> 
> debug_level = 4
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> 
> 
> domains = example.com
> 
> 
> 
> Situation A: both Server A and Server B have been configured in 'ipa_server'
> ipa_server = ipa01.example.com, ipa02.example.com
> 
> 
> Once the ipa01 IPA service failed, id lookup/auth failed over to ipa02 around 15 minutes later. It should be controlled by 'ldap_connection_expire_timeout', with a default value of 900 seconds. I have proved it by changing it to 300 seconds.

If ipa01 fails, then sssd should fail over immediately to the next
server. I wonder how you tested the fail over?

> 
> 
> But if ipa01 was brought back, id lookup/auth will not go back to ipa01. Is it expected?

Yes, generally we stick to a server that works until it doesn't.

> 
> 
> Situation B: Server A has been configured as 'ipa_server', and Server B configured as 'ipa_backup_server'
> ipa_server = ipa01.example.com
> ipa_backup_server = ipa02.example.com
> 
> 
> 
> Once the ipa01 IPA service failed, id lookup/auth failed over to ipa02 some minutes later. I have tried 2 times; the failover time is around 10 to 15 minutes.
> 
> 
> Is it possible to control it more accurately? How? Are there any parameters I can try?

No, sorry, the timeouts for switching between backup and primary
servers are hardcoded.
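The thread turns on which servers sssd will try, in what order, and how long a working-but-stale LDAP connection is kept before `ldap_connection_expire_timeout` forces a reconnect. The following script is an added example, not code from either poster or from the SSSD project: it parses an sssd.conf (a constructed sample modelled on the one quoted above, with the thread's example hostnames) and reports the failover order and the expiry timeout for one domain, flagging a single configured server or a timeout left at the 900-second default. The ordering rule it encodes (all `ipa_server` entries in order, then `ipa_backup_server` entries) is the documented sssd behaviour; `failover_plan`, `audit` and the sample text are this example's own names and data.

```python
import configparser
from typing import Dict, List

# Constructed sample sssd.conf, modelled on the config quoted in the thread.
# Hostnames are the thread's example names, not real servers.
SAMPLE_CONF = """
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server = ipa01.example.com, ipa02.example.com
ipa_backup_server = ipa03.example.com
ldap_connection_expire_timeout = 300
"""

# Default from sssd-ldap(5), the value the thread observed as ~15 minutes.
DEFAULT_EXPIRE_TIMEOUT = 900


def _split_servers(value: str) -> List[str]:
    """Turn 'a, b,c' into ['a', 'b', 'c'], dropping empty entries."""
    return [s.strip() for s in value.split(",") if s.strip()]


def failover_plan(conf_text: str, domain: str) -> Dict[str, object]:
    """Summarise failover-relevant settings for one [domain/...] section.

    Encodes the documented sssd rule: primary servers (ipa_server) are tried
    in order; backup servers (ipa_backup_server) are used only when every
    primary is unreachable.  '_srv_' means DNS SRV discovery and is reported
    separately because the real server list is then not in the file.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in config")
    dom = cp[section]
    primary = _split_servers(dom.get("ipa_server", ""))
    backup = _split_servers(dom.get("ipa_backup_server", ""))
    expire = int(dom.get("ldap_connection_expire_timeout",
                         str(DEFAULT_EXPIRE_TIMEOUT)))
    srv = "_srv_" in primary
    return {
        "primary": primary,
        "backup": backup,
        "order": primary + backup,          # order sssd walks on failure
        "srv_discovery": srv,
        "expire_timeout": expire,
        "single_point_of_failure": (not srv) and len(primary + backup) <= 1,
    }


def audit(plan: Dict[str, object]) -> List[str]:
    """Return human-readable warnings for a failover plan (empty = fine)."""
    warnings = []
    if plan["single_point_of_failure"]:
        warnings.append("only one IPA server configured: no failover target")
    if plan["expire_timeout"] == DEFAULT_EXPIRE_TIMEOUT:
        warnings.append("ldap_connection_expire_timeout at default 900s: "
                        "a stale-but-open connection is kept up to 15 min")
    return warnings


if __name__ == "__main__":
    plan = failover_plan(SAMPLE_CONF, "example.com")
    print("failover order:", " -> ".join(plan["order"]))
    print("expire timeout:", plan["expire_timeout"], "s")
    for w in audit(plan):
        print("WARNING:", w)
```

Run it against a real file by replacing `SAMPLE_CONF` with the contents of `/etc/sssd/sssd.conf`; the switch-back timing between backup and primary that the reply calls hardcoded is not a config key, so the script does not report it.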
