[Freeipa-users] Freeipa replica info to clents: guidance

Matrix matrix.zj at qq.com
Sat Jan 21 12:40:03 UTC 2017


As I understand it, there is something wrong with your configuration.


>> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com


Firstly, '_srv_' means clients will find out which servers to connect to via DNS SRV records. From your explanation, DNS is not configured in your env.


Secondly, the 'replica' keyword? I cannot find it in the man pages of sssd-ipa. Is it really working fine?


>>Also, can I define priority based on the order in which the IPA servers are defined in 

>>ipa_server = _srv_ ,<ipa1>,<ipa2>


Your understanding is correct. Server priority is based on the sequence in the conf file. There is a problem with this configuration. Once 'ipa1' fails, all ID lookups/authentication will happen with 'ipa2'. Even when 'ipa1' is back, all clients will stick to 'ipa2'.


So, I suggest configuring it this way:
ipa_server = <ipa1>
ipa_backup_server = <ipa2>


For the other half of the clients:
ipa_server = <ipa2>
ipa_backup_server = <ipa1>


Matrix


------------------ Original ------------------
From:  "Rakesh Rajasekharan";<rakesh.rajasekharan at gmail.com>;
Date:  Sat, Jan 21, 2017 08:25 PM
To:  "freeipa-users"<freeipa-users at redhat.com>; 

Subject:  [Freeipa-users] Freeipa replica info to clents: guidance



Hi,


My Freeipa setup is on AWS ec2 instances and has been working fine with just one master for a while now.


I am now trying to set up replica servers, which I was able to do, and the replication between both masters goes fine.


So, I have a master server ipa-master-mydomain.com and replica ipa-replica-mydomain.com



I am not using DNS and rely on AWS for DNS resolution instead.


My question is, how do I tell clients about the new replica server?


I tried an entry in the sssd.conf domain section of the clients


id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com



This approach works fine and clients reach out to the replica as a failover. However, I wanted to verify if this is the correct way.


Also, can I define priority based on the order in which the IPA servers are defined in 

ipa_server = _srv_ ,<ipa1>,<ipa2>


If the above assumption is right, I could have half of my clients always connect to the master and the rest to the replica, that way balancing the load.



Thanks

Rakesh
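
Added example, not part of the original thread and not SSSD's own code: a small Python check for the sssd.conf lines discussed above. It flags ipa_server / ipa_backup_server entries that are neither _srv_ nor a syntactically valid hostname, notes when _srv_ is used, and warns when several primaries are listed without ipa_backup_server. The function name lint_sssd_ipa, the domain section names and the sample config are constructed for illustration.

```python
import configparser
import re

# Syntactic check only (no DNS lookups): dot-separated labels of letters, digits, hyphens.
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(\.{LABEL})*")

def split_servers(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def lint_sssd_ipa(conf_text):
    """Return (section, level, message) findings for domains with id_provider = ipa."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        opts = parser[section]
        if not section.startswith("domain/") or opts.get("id_provider") != "ipa":
            continue
        primary = split_servers(opts.get("ipa_server", ""))
        backup = split_servers(opts.get("ipa_backup_server", ""))
        for name in primary + backup:
            if name == "_srv_":
                continue
            if len(name) > 253 or not HOSTNAME.fullmatch(name):
                findings.append((section, "error", f"not a hostname: {name!r}"))
        if "_srv_" in primary:
            findings.append((section, "info", "_srv_ relies on DNS SRV records"))
        explicit = [n for n in primary if n != "_srv_"]
        if len(explicit) > 1 and not backup:
            findings.append((section, "warn", "several primaries, no ipa_backup_server"))
    return findings

# Constructed sample: the first domain mirrors the line from the question,
# the second follows the layout suggested in the reply.
SAMPLE = """
[domain/asked]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com

[domain/suggested]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa-master-mydomain.com
ipa_backup_server = ipa-replica-mydomain.com
"""

if __name__ == "__main__":
    for finding in lint_sssd_ipa(SAMPLE):
        print(*finding, sep=": ")
```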