On Thu, 2011-05-12 at 22:25 +0200, Sigbjorn Lie wrote:
> You could also extend the High Availability configuration I mentioned
> earlier with 1 high-available IP per IPA host, and serve them in a
> round robin DNS. This would distribute the load of the LDAP server in
> IPA, and provide high availability in case of an IPA server becoming
> unavailable.

Not as easy. With Kerberos, names have to be matched by keytabs.
So if you use an alias you also have to create a keytab for that alias
and distribute it on all machines (at the very least). Then you have to
hope all server software is able to cope with using the key that matches
the current authentication attempt (I know for a fact many services do
not cope yet, and I have opened bugs for some).

SSSD does automatically reconnect to another of the available IPA
servers btw, so another plus for SSSD :)

That said, we have configuration instructions for other platforms, I am
sure the community can hack up scripts to use them if instructions are
not enough. We can also host them if someone wants to contribute.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
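
Added example, not part of the original message or of FreeIPA: a shell check for the point made in the reply, that a round-robin alias only works if each server's keytab holds a key for the service principal under the alias name as well as under the server's own name. The host names, realm, keytab path and `klist -k` listing are constructed, and `missing_principals` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output for one server's keytab.
# Repeated lines are normal: klist prints one entry per encryption type.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/path/to/service.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ipa1.example.com@EXAMPLE.COM
   2 ldap/ipa1.example.com@EXAMPLE.COM
   2 host/ipa1.example.com@EXAMPLE.COM
EOF
}

# missing_principals SERVICE REALM NAME...
# Reads a `klist -k` listing on stdin and prints every SERVICE/NAME@REALM
# that has no key in it. NAME should cover each DNS name clients may use
# to reach this server: its own host name and any shared alias.
missing_principals() {
    service=$1; realm=$2; shift 2
    # Entry lines start with a numeric KVNO; the principal is column 2.
    have=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    for name in "$@"; do
        want="$service/$name@$realm"
        # -F fixed string, -x whole line: no regex or prefix matches.
        printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Demo on the constructed listing: the alias ldap.example.com has no key.
sample_klist | missing_principals ldap EXAMPLE.COM \
    ipa1.example.com ldap.example.com
```

On a real host, pipe the output of `klist -k` for the service's keytab into `missing_principals` in place of `sample_klist`, and run it on every server behind the alias.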
