<div dir="ltr">Hello,<div><br></div><div>I'm wondering how we should be handling SSSD for redundant configurations on our freeipa clients. We have three freeipa servers; how can we make SSSD check another freeipa in the event that one goes down?</div><div><br></div><div>It appears we can do something like the following:</div><div><br></div><div>ipa_hostname = <a href="http://test-freeipa-client-1.cloud.domain.de">test-freeipa-client-1.cloud.domain.de</a>, <a href="http://test-freeipa-client-2.cloud.domain.de">test-freeipa-client-2.cloud.domain.de</a>, <a href="http://test-freeipa-client-3.cloud.domain.de">test-freeipa-client-3.cloud.domain.de</a><br></div><div><br></div><div>However, I thought SRV records were meant to supply the magic here?</div><div><br></div><div>Thanks,</div><div><br></div><div>Andrew  <br><div><br></div><div><br></div><div>/etc/sssd/sssd.conf</div><div>







<p class=""><span class="">[domain/<a href="http://cloud.domain.de">cloud.domain.de</a>]</span></p>
<p class=""><span class="">cache_credentials = True</span></p>
<p class=""><span class="">krb5_store_password_if_offline = True</span></p>
<p class=""><span class="">ipa_domain = <a href="http://cloud.domain.de">cloud.domain.de</a></span></p>
<p class=""><span class="">id_provider = ipa</span></p>
<p class=""><span class="">auth_provider = ipa</span></p>
<p class=""><span class="">access_provider = ipa</span></p>
<p class=""><span class="">ipa_hostname = <a href="http://test-freeipa-client-2.cloud.domain.de">test-freeipa-client-2.cloud.domain.de</a></span></p>
<p class=""><span class="">chpass_provider = ipa</span></p>
<p class=""><span class="">ipa_dyndns_update = True</span></p>
<p class=""><span class="">ipa_server = _srv_, <a href="http://test-freeipa-2.cloud.domain.de">test-freeipa-2.cloud.domain.de</a></span></p>
<p class=""><span class="">ldap_tls_cacert = /etc/ipa/ca.crt</span></p>
<p class=""># For the SUDO integration<br><span class=""></span></p>
<p class=""><span class="">sudo_provider = ldap</span></p>
<p class=""><span class="">ldap_uri = ldap://<a href="http://test-freeipa-1.cloud.domain.de">test-freeipa-1.cloud.domain.de</a></span></p>
<p class=""><span class="">ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de</span></p>
<p class=""><span class="">ldap_sasl_mech = GSSAPI</span></p>
<p class=""><span class="">ldap_sasl_authid = host/<a href="http://test-freeipa-client-2.cloud.domain.de">test-freeipa-client-2.cloud.domain.de</a></span></p>
<p class=""><span class="">ldap_sasl_realm = <a href="http://CLOUD.DOMAIN.DE">CLOUD.DOMAIN.DE</a></span></p>
<p class=""><span class="">krb5_server = <a href="http://test-freeipa-2.cloud.domain.de">test-freeipa-2.cloud.domain.de</a></span></p><p class=""><span class=""></span></p>
<p class=""><span class="">[sssd]</span></p>
<p class=""><span class="">services = nss, pam, ssh, sudo</span></p>
<p class=""><span class="">config_file_version = 2</span></p>
<p class=""><span class="">domains = <a href="http://cloud.domain.de">cloud.domain.de</a></span></p>
<p class=""><span class="">[nss]</span></p>
<p class=""><span class="">[pam]</span></p>
<p class=""><span class="">[sudo]</span></p>
<p class=""><span class="">[autofs]</span></p>
<p class=""><span class="">[ssh]</span></p>
<p class=""><span class="">[pac]</span></p></div></div></div>