Thanks for the advice Stephen (and the quick response), obviously that
won't help with load balanced comms during the installation process but it
should keep it to a minimum afterwards.
Wouldn't a quick solution be the addition of a "--primary" flag to the
ipa-client-install script? It could behave in the same way as the --server
flag and be a substitute for it but it just forces all enrolment comms to
be kept to the named server and reorders the ipa_server entry in sssd.conf
from "ipa_server = __srv__, x.x.x.x" to "ipa_server = x.x.x.x, __srv__".
Would that be enough?
On Wed, Jan 18, 2012 at 3:33 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/17/2012 10:19 PM, Stephen Gallagher wrote:
> On Wed, 2012-01-18 at 03:02 +0000, Charlie Derwent wrote:
> I've got 5 different IPA servers at 5 different labs around the
> country that are all replicas of one another. In order to keep the
> cross-site network traffic to a minimum I want the IPA clients at Site
> "A" to only communicate to IPA Server "A", "B" to "B", "C" to "C" etc.
> except in the case of the failure of one of the servers.
> I originally assumed that making the IPA client connect to a
> specific IPA server with "ipa-client-install --server=IPA_server_fqdn"
> would suffice but I very quickly found out this wasn't the case with
> the client going to multiple servers just to complete the installation
> process. Then I found out about modifying the DNS SRV records priority
> and weight however, please correct me if I'm wrong, wouldn't these
> changes replicate and be enacted globally? (i.e. all clients at
> any site would prioritise IPA "A" over IPA "B").
> Is there any way to get the functionality I desire?
> We're looking at ways to implement a concept of client location into the
> connection logic. At the moment, however, the only way to do this is
> manually on the client.
> You can make the following change in the clients' /etc/sssd/sssd.conf
> In the [domain/your.domain.com] section there is an option "ipa_server".
> By default, this is configured to be:
> ipa_server = __srv__, x.x.x.x
> (Where x.x.x.x is the server you were originally talking to when you ran
> ipa-client-install, as a backup in case DNS is not working).
> You can manually change this to be:
> ipa_server = nearest.server.com, further.server.com, only-in-emergencies.server.com, ...
> With this manual setup, SSSD (the daemon that manages the client-side
> portion) will always attempt to connect to nearest.server.com unless it
> is unavailable, after which time it will fail over to the next in the
> list, and so on.*
> * If all of them are unavailable, SSSD switches to offline operation,
> where it will try to reconnect every couple of minutes, but will serve
> requests from its cache in the meantime. When it reconnects from an
> offline state, it will start retrying from the first server in the list
> (aka the nearest one).
> We are tracking this requirement with the following ticket:
> It is currently Deferred as we do not have time to look at it yet but any
> help is always appreciated.
> It seems that the page that the ticket is pointing to actually changed since
> we last looked at it.
> Maybe based on the ideas expressed in this page the changes can be made
> in IPA storage or LDAP driver without the need to touch BIND. If something
> like this is possible it would be much easier to implement. But still we
> have a full plate now and will for quite some time so help would be
> definitely needed.
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Freeipa-users mailing list
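As an added illustration of the manual workaround Stephen describes and the "--primary" reordering Charlie proposes (this is example code written for this page, not part of the thread, ipa-client-install or SSSD): the script below rewrites the ipa_server line in a client's sssd.conf so that a chosen site-local server comes first and the DNS-discovery token stays last as a fallback, then shows which server SSSD's ordered failover would select for a given set of reachable servers. The sample sssd.conf fragment, the domain example.com and the host names ipa-a/ipa-b.example.com are constructed for the example. The thread spells the discovery token "__srv__"; the token SSSD documents is "_srv_", so the code accepts either spelling and preserves whichever it finds.

```python
import re

# Constructed sample sssd.conf fragment, modelled on the default layout
# quoted in the thread (DNS discovery first, enrolment server as backup).
SAMPLE_SSSD_CONF = """[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa-b.example.com
ipa_domain = example.com
"""


def is_srv_token(entry):
    """True for the DNS-discovery token, whether written _srv_ or __srv__."""
    return entry.strip("_").lower() == "srv"


def reorder_ipa_server(value, primary):
    """Return a new ipa_server value with `primary` first and the discovery
    token last. Other explicit servers keep their relative order so that
    failover still walks through them before falling back to DNS."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    srv_tokens = [e for e in entries if is_srv_token(e)]
    explicit = [e for e in entries if not is_srv_token(e)]
    ordered = [primary] + [e for e in explicit if e != primary]
    if srv_tokens:
        # keep one discovery entry (original spelling) as the last resort
        ordered.append(srv_tokens[0])
    return ", ".join(ordered)


def set_primary_server(conf_text, domain, primary):
    """Rewrite the ipa_server line inside [domain/<domain>] of an sssd.conf
    text. Raises ValueError if that section has no ipa_server line, so a
    silently unchanged file is never written back."""
    in_section = False
    changed = False
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == f"[domain/{domain}]"
        if in_section and re.match(r"^\s*ipa_server\s*=", line):
            key, _, value = line.partition("=")
            line = f"{key.rstrip()} = {reorder_ipa_server(value, primary)}"
            changed = True
        out.append(line)
    if not changed:
        raise ValueError(f"no ipa_server line found in [domain/{domain}]")
    return "\n".join(out) + "\n"


def select_server(ordered_value, reachable):
    """Model the failover order Stephen describes: the first listed server
    that is reachable wins; "offline" if none is. The discovery token is
    treated as resolving to the given reachable set in 'discovered' order,
    which here is simply the remaining reachable names (an assumption)."""
    entries = [e.strip() for e in ordered_value.split(",") if e.strip()]
    for entry in entries:
        if is_srv_token(entry):
            for name in reachable:
                if name not in entries:
                    return name
            continue
        if entry in reachable:
            return entry
    return "offline"


if __name__ == "__main__":
    rewritten = set_primary_server(SAMPLE_SSSD_CONF, "example.com", "ipa-a.example.com")
    print(rewritten)
    line = [l for l in rewritten.splitlines() if l.startswith("ipa_server")][0]
    value = line.partition("=")[2]
    print("all up   ->", select_server(value, {"ipa-a.example.com", "ipa-b.example.com"}))
    print("A down   ->", select_server(value, {"ipa-b.example.com"}))
    print("all down ->", select_server(value, set()))
```

Run it against a copy of a real client's sssd.conf rather than the live file, diff the output, and only then restart SSSD; the reorder keeps the discovery token, so a client still finds some server if its preferred one and every explicit backup are down.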