On Wed, Feb 27, 2013 at 08:19:27AM +0100, Jan-Frode Myklebust wrote:
> What does it mean to have several domains listed in sssd.conf ? Will
> they all be queried on each login, or will only the first domain be
> queried if the user/groups is found there?

If the user is found in the first domain, the result is returned. If it
is not found, the second domain is queried, etc.

To query a user from the second domain directly, you'd have to use a
fully qualified name - getent passwd user@domain2

> Does having an IPA domain, and an LDAP domain pointing at the same
> servers give any protection against failures in the sssd_BE process
> allowing sssd to fail over to the next sssd_BE ?

In theory yes, but you'd lose the IPA specific functions such as HBAC or
SELinux user mappings. Also for example the paths to Kerberos ccaches are
stored in the sssd cache too, so your users would get a different ccache
on this "failover".

Are there any issues you are seeing with IPA's sssd_be? It would
definitely be better to fix those first rather than attempting a
workaround like this.

Freeipa-users mailing list
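
A check for the setup discussed in the message above, added here as an example; it is not part of the original message or of SSSD. It reads an sssd.conf, returns the domain lookup order, and flags any domain that would not enforce access rules such as HBAC. The domain names, host name and search base in the sample are constructed.

```python
import configparser

# Constructed sample sssd.conf: an IPA domain and an LDAP domain pointing
# at the same (hypothetical) server, as in the question above.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = ipa.example.test, ldap.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa1.example.test
access_provider = ipa

[domain/ldap.example.test]
id_provider = ldap
ldap_uri = ldap://ipa1.example.test
ldap_search_base = dc=example,dc=test
"""


def audit_domains(conf_text):
    """Return (lookup_order, warnings) for an sssd.conf passed as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Domains are tried in the order they are listed in [sssd] domains.
    order = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    warnings = []
    for pos, name in enumerate(order, start=1):
        section = "domain/" + name
        if not cp.has_section(section):
            warnings.append(f"{name}: listed in domains but [{section}] is missing")
            continue
        # sssd.conf documents "permit" as the default access_provider,
        # so a domain without the option lets every found user in.
        access = cp.get(section, "access_provider", fallback="permit").strip()
        if access == "permit":
            warnings.append(
                f"{name} (lookup position {pos}): access_provider is permit, "
                "so no HBAC or other access rules apply to users found here"
            )
    return order, warnings


if __name__ == "__main__":
    order, warnings = audit_domains(SAMPLE_CONF)
    print("lookup order:", " -> ".join(order))
    for w in warnings:
        print("WARNING:", w)
```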