On Mon, Jan 09, 2017 at 03:29:54PM +0800, Matrix wrote:
> Hi, all
> The purpose of this email is to know more about timeout ipa server failover.
> # rpm -qa | grep sssd
> base config:
> # cat /etc/sssd/sssd.conf
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = spare01.example.com
> chpass_provider = ipa
> debug_level = 4
> ldap_tls_cacert = /etc/ipa/ca.crt
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = example.com
> Situation A: both Server A and Server B have been configured in 'ipa_server'
> ipa_server = ipa01.example.com, ipa02.example.com
> Once ipa01 ipa service failed, id lookup/auth will be failed over to ipa02
> around 15mins later. It should be controlled by
> 'ldap_connection_expire_timeout', with default value 900 seconds. I have
> proved it with changing it to 300 seconds.
If ipa01 fails, then sssd should fail over immediately to the next
server. I wonder how you tested the fail over?
> But if ipa01 was brought back, id lookup/auth will not be back to ipa01. Is
> it expected?
Yes, we stick to a server that works until it doesn't generally.
> Situation B: Server A has been configured as 'ipa_server', and Server B
> configured as 'ipa_backup_server'
> ipa_server = ipa01.example.com
> ipa_backup_server = ipa02.example.com
> Once ipa01 ipa service failed, id lookup/auth will be failed over to ipa02 some
> minutes later. I have tried 2 times, failover time is around 10min ~ 15min.
> Is it possible to control it more accurately? How? Any parameters I can try?
No, sorry, the timeouts for switching between back up and primary
servers are hardcoded.