To my understanding, there is something wrong with your configuration:
>> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com
Firstly, '_srv_' means clients will find out which servers to connect to
via DNS SRV records. By your explanation, DNS is not configured in your env.
Secondly, the 'replica' keyword? I cannot find it in the man pages of sssd-ipa.
Is it really working fine?
>>Also, can I define priority based on the order in which the IPA servers are
>>defined in
>>ipa_server = _srv_ ,<ipa1>,<ipa2>
Your understanding is correct. Server priority is based on the sequence in the
conf file. There is a problem with this configuration. Once 'ipa1' has failed,
all id lookups/authentication will happen with 'ipa2'. Even when 'ipa1' is back,
all clients will stick to 'ipa2'.
So, I suggest configuring it this way:
ipa_server = <ipa1>
ipa_backup_server = <ipa2>
For the other half of the clients:
ipa_server = <ipa2>
ipa_backup_server = <ipa1>
Matrix
------------------ Original ------------------
From: "Rakesh Rajasekharan";<[email protected]>;
Date: Sat, Jan 21, 2017 08:25 PM
To: "freeipa-users"<[email protected]>;
Subject: [Freeipa-users] Freeipa replica info to clents: guidance
Hi,
My Freeipa setup is on AWS ec2 instances and has been working fine with just
one master for a while now.
I am now trying to set up replica servers, which I was able to do, and the
replication between both masters goes fine.
So, I have a master server ipa-master-mydomain.com and replica
ipa-replica-mydomain.com
I am not using DNS and rely on AWS for DNS resolution instead.
My question is, how do I tell clients about the new replica server?
I tried an entry in the sssd.conf domain section of the clients:
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com
This approach works fine and clients reach out to the replica as a failover.
However, I wanted to verify if this is the correct way.
Also, can I define priority based on the order in which the IPA servers are
defined in
ipa_server = _srv_ ,<ipa1>,<ipa2>
If the above assumption is right, I could have half of my clients connect to
the master always and the rest to the replica, that way balancing the load.
Thanks
Rakesh
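
The split suggested in the reply (one half of the clients with one server as primary and the other as backup, the other half reversed) can be generated per client. This is an added example, not part of the original thread: the hostnames under example.test and the function names are assumptions, while `ipa_server`, `ipa_backup_server` and `_srv_` are the options discussed above. It also flags list entries that are not usable as a server name.

```python
import hashlib
import re

# Constructed sample hostnames (assumptions, not from the thread).
IPA_SERVERS = ("ipa1.example.test", "ipa2.example.test")

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(LABEL + r"(?:\." + LABEL + r")*", re.IGNORECASE)


def invalid_entries(value):
    """Return entries of an ipa_server value that are neither _srv_ nor a hostname."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e != "_srv_" and not HOSTNAME.fullmatch(e)]


def assign_servers(client_fqdn, servers=IPA_SERVERS):
    """Choose (primary, backup) from a stable hash of the client name.

    The same client always gets the same pair, so regenerating the
    configuration does not move clients between servers.
    """
    digest = hashlib.sha256(client_fqdn.lower().encode("utf-8")).digest()
    idx = digest[0] % 2
    return servers[idx], servers[1 - idx]


def render_options(client_fqdn, servers=IPA_SERVERS):
    """Render the sssd.conf domain-section lines for one client."""
    primary, backup = assign_servers(client_fqdn, servers)
    bad = invalid_entries(primary + ", " + backup)
    if bad:
        raise ValueError("not a valid server entry: %r" % bad)
    return "ipa_server = %s\nipa_backup_server = %s" % (primary, backup)


if __name__ == "__main__":
    # Constructed client names, for illustration only.
    for host in ("web01.example.test", "web02.example.test", "db01.example.test"):
        print("# " + host)
        print(render_options(host))
```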