Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-21 Thread Harald Dunkel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi Jakub,

On 01/21/17 13:49, Jakub Hrozek wrote:
> 
> Can you check what kind of queries you see in the LDAP server log?
> 

The git server does just a few queries per hour:

[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH 
base="dc=example,dc=de" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/tisde8i005.ac.example...@example.de)(krbPrincipalName:caseIgnoreIA5Match:=host/tisde8i005.ac.example...@example.de)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge 
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType 
ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:27:53.100196009 +0100] conn=8 op=39435 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber 
krbPrincipalName krbCanonicalName krbTicketPolicyReference 
krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript 
ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:27:53.100426687 +0100] conn=8 op=39436 SRCH 
base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:27:53.100658375 +0100] conn=8 op=39437 MOD 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:27:53.125278099 +0100] conn=9119 op=3 RESULT err=0 tag=97 
nentries=0 etime=0 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH 
base="cn=accounts,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" 
attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:28:37.003968246 +0100] conn=9119 op=892 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:28:37.006876504 +0100] conn=9119 op=894 SRCH 
base="cn=sudo,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs 
ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser 
sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory 
ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:42:47.447444525 +0100] conn=7 op=22424 SRCH 
base="dc=example,dc=de" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/tisde8i005.ac.example...@example.de))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Jan/2017:16:42:47.459190497 +0100] conn=9208 op=3 RESULT err=0 tag=97 
nentries=0 etime=0 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:43:37.000841869 +0100] conn=9208 op=961 SRCH 
base="cn=accounts,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" 
attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:43:37.002362473 +0100] conn=9208 op=962 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:43:37.005732600 +0100] conn=9208 op=964 SRCH 
base="cn=sudo,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn 
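The access-log excerpt above, rate-checked: this is an added example, not code from the thread or from FreeIPA/389-ds. It parses 389-ds access-log lines of the form shown, counts SRCH operations per search base, converts them to queries per hour over the window the excerpt spans, and lists which connections bound during that window (a RESULT with tag=97 is the LDAP BindResponse). The sample lines are constructed to resemble the posted ones; the host git.example.de and the connection numbers are assumptions.

```python
"""Added example: measure how often a FreeIPA client really hits the directory
server, by parsing 389-ds access-log lines like the ones posted above.
Not code from the thread; the sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# One access-log entry per line. The mail archive wraps entries, real logs do
# not; connection bookkeeping lines without "op=" are skipped.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>[+-]\d{4})\] '
    r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
# key=value pairs in the remainder; values are either "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_access_log(text):
    """Return one dict per parseable entry: ts, conn, op, kind, fields."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%d/%b/%Y:%H:%M:%S %z")
        # 389-ds logs nanoseconds; datetime keeps microseconds.
        ts = ts.replace(microsecond=int(m['frac'][:6].ljust(6, '0')))
        fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m['rest'])}
        entries.append({"ts": ts, "conn": int(m['conn']), "op": int(m['op']),
                        "kind": m['kind'], "fields": fields})
    return entries


def search_rate_by_base(entries):
    """Count SRCH operations per search base and express them as queries per
    hour over the window the sample spans (at least one second, so a
    single-line excerpt does not divide by zero)."""
    if not entries:
        return {}
    first = min(e["ts"] for e in entries)
    last = max(e["ts"] for e in entries)
    hours = max((last - first).total_seconds(), 1.0) / 3600.0
    counts = defaultdict(int)
    for e in entries:
        if e["kind"] == "SRCH":
            counts[e["fields"].get("base", "?")] += 1
    return {base: (n, n / hours) for base, n in counts.items()}


def bound_connections(entries):
    """Connections that completed a successful bind inside the window
    (RESULT with tag=97, the LDAP BindResponse, and err=0). A fresh SSSD
    session binds first; a long-lived connection whose bind predates the
    excerpt never shows up here."""
    return {e["conn"] for e in entries
            if e["kind"] == "RESULT"
            and e["fields"].get("tag") == "97"
            and e["fields"].get("err") == "0"}


# Constructed sample: three short client sessions plus one KDC-style
# principal lookup, spanning exactly two hours (16:00 to 18:00).
SAMPLE_LOG = """\
[21/Jan/2017:16:00:00.000000000 +0100] conn=9119 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=git.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:00:00.500000000 +0100] conn=9119 op=891 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=git.example.de))" attrs="objectClass cn fqdn"
[21/Jan/2017:16:00:00.600000000 +0100] conn=9119 op=894 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(entryusn>=1))" attrs="cn entryusn"
[21/Jan/2017:16:15:00.000000000 +0100] conn=9120 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=git.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:15:00.400000000 +0100] conn=9120 op=12 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=git.example.de))" attrs="objectClass cn fqdn"
[21/Jan/2017:16:30:00.000000000 +0100] conn=8 op=39431 SRCH base="dc=example,dc=de" scope=2 filter="(&(objectClass=krbprincipalaux)(krbPrincipalName=host/git.example.de@EXAMPLE.DE))" attrs="krbPrincipalName krbPrincipalKey"
[21/Jan/2017:17:59:59.000000000 +0100] conn=9121 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=git.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:18:00:00.000000000 +0100] conn=9121 op=40 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(entryusn>=2))" attrs="cn entryusn"
"""

if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    for base, (n, rate) in sorted(search_rate_by_base(entries).items()):
        print(f"{base:40s} {n:3d} searches  {rate:5.1f}/h")
    print("sessions that bound in the window:", sorted(bound_connections(entries)))
```

Point it at the real access log (/var/log/dirsrv/slapd-INSTANCE/access) after joining any wrapped lines. A base that shows many searches per minute for the same host is what "sssd doesn't cache" looks like; a few per hour per base, as reported above, is consistent with periodic refreshes rather than a round trip per lookup.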

Re: [Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Rakesh Rajasekharan
Thanks Matrix. I will add this option to my config params.

Regards,
Rakesh

On Sat, Jan 21, 2017 at 7:17 PM, Matrix  wrote:

> Hi, Rakesh
>
> Try 'ipa-client-install' with the option '--fixed-primary'. With it,
> '_srv_' will disappear.
>
> From man page:
>    --fixed-primary
>           Configure SSSD to use a fixed server as the primary IPA server.
>           The default is to use DNS SRV records to determine the primary
>           server to use and fall back to the server the client is enrolled
>           with. When used in conjunction with --server then no _srv_ value
>           is set in the ipa_server option in sssd.conf.
>
> Matrix

Re: [Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Matrix
Hi, Rakesh


Try 'ipa-client-install' with the option '--fixed-primary'. With it, '_srv_'
will disappear.


From man page:
   --fixed-primary
          Configure SSSD to use a fixed server as the primary IPA server.
          The default is to use DNS SRV records to determine the primary
          server to use and fall back to the server the client is enrolled
          with. When used in conjunction with --server then no _srv_ value
          is set in the ipa_server option in sssd.conf.



Matrix
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Rakesh Rajasekharan
Thanks Matrix, for the inputs.

> Firstly, '_srv_' means clients will find out which servers to connect to
> via DNS SRV records. In your explanation, DNS is not configured in your
> env.

After running ipa-client-install, the _srv_ was automatically added. The
config options I passed for configuring the host as an IPA client are:

ipa-client-install --domain=mydomain.com --server=ipa-master-int.mydomain.com \
  --realm=MYDOMAIN.COM -p admin --password=mypass --mkhomedir \
  --hostname=first-client-int.mydomain.com --no-ssh --no-sshd -N -f -U


While configuring the IPA server, I did not pass the setup-dns option (that
avoids setting up the DNS server, I assume):

ipa-server-install -r 'MYDOMAIN.COM' -n 'mydomain.com' -p mypass -P mypass \
  -a mypass --hostname=ipa-master-int.mydomain.com -N -U

So I did not explicitly specify the _srv_ option. However, this has been
working fine till now.


> Secondly, the 'replica' keyword? I cannot find it in the man pages of
> sssd-ipa. Is it really working fine?
Sorry, that was a typo from my side.
It's actually
ipa_server = _srv_, ipa-master-mydomain.com, ipa-replica-mydomain.com

> So, I suggested to configure it in this way:
> ipa_server = 
> ipa_backup_server = 

> For another half clients,
> ipa_server = 
> ipa_backup_server = 

I will try this out. Probably I can safely leave out _srv_.

Thanks
Rakesh


Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-21 Thread Jakub Hrozek

> On 21 Jan 2017, at 06:46, Harald Dunkel  wrote:
> 
> On 01/20/17 18:42, Simo Sorce wrote:
>> 
>> Is your server being used for authentication ?
>> SSSD, by default, always refreshes user credentials on authentication,
>> but you can use the cached_auth_timeout setting to relax this
>> requirement in SSSD, and reduce the roundtrips for auth attempts.
>> 
> 
> I have set both pam_id_timeout and cached_auth_timeout to 30.
> No change, still several requests per second for each user.
> 
> ???
> Harri
> 

Can you check what kind of queries you see in the LDAP server log?

Do the server logs correlate with debug logs from the nss and domain sections 
of sssd?

Are you sure there is no NSS module in nsswitch.conf other than files and
sss?





Re: [Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Matrix
To my understanding, there is something wrong with your configuration:


>> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com


Firstly, '_srv_' means clients will find out which servers to connect to via
DNS SRV records. In your explanation, DNS is not configured in your env.


Secondly, the 'replica' keyword? I cannot find it in the man pages of sssd-ipa.
Is it really working fine?


>> Also, can I define priority based on the order in which the IPA servers are
>> defined in
>> ipa_server = _srv_ ,,


Your understanding is correct. Server priority is based on the sequence in the
conf file. There is a problem with this configuration: once 'ipa1' fails, all
ID lookups/authentication will happen against 'ipa2'. Even when 'ipa1' is back,
all clients will stay sticky on 'ipa2'.


So I suggest configuring it in this way:
ipa_server = 
ipa_backup_server = 


For the other half of the clients,
ipa_server = 
ipa_backup_server = 


Matrix


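One way to apply the suggestion above (half of the clients prefer the master, the other half the replica, each with the other as ipa_backup_server) together with the --fixed-primary point from the follow-up, as an added example that is not code from the thread or from FreeIPA/SSSD: a stable hash of the client FQDN picks the primary, the rendered fragment is re-parsed as INI before use, and _srv_ is only written when the caller confirms that SRV records for the domain exist. The server names follow the thread; ipa-replica-int.mydomain.com and the client00..client39 hostnames are assumptions.

```python
"""Added example: deterministically split a FreeIPA client fleet between a
master and a replica using ipa_server / ipa_backup_server, and emit `_srv_`
only when DNS SRV records really exist. Not code from the thread or from the
FreeIPA project."""
import configparser
import hashlib


def choose_servers(hostname, servers):
    """Return (primary, backups) for one client. Hosts are bucketed by a
    stable hash of their lower-cased FQDN, so about 1/len(servers) of the
    fleet prefers each server and a host gets the same answer on every run."""
    if len(servers) < 2:
        raise ValueError("need at least two IPA servers for primary/backup failover")
    digest = hashlib.sha256(hostname.lower().encode("utf-8")).digest()
    idx = int.from_bytes(digest[:4], "big") % len(servers)
    # Rotate the list so every other server becomes a backup, next one first.
    return servers[idx], servers[idx + 1:] + servers[:idx]


def render_domain_section(domain, hostname, servers, dns_srv=False):
    """Render the [domain/...] server lines of sssd.conf for this client.
    `_srv_` is emitted only when the caller vouches that SRV records for the
    IPA domain exist; otherwise it is left out, which is also what
    ipa-client-install --fixed-primary --server does."""
    primary, backups = choose_servers(hostname, servers)
    ipa_server = ", ".join(["_srv_", primary] if dns_srv else [primary])
    lines = [
        f"[domain/{domain}]",
        "id_provider = ipa",
        "auth_provider = ipa",
        f"ipa_domain = {domain}",
        f"ipa_hostname = {hostname}",
        f"ipa_server = {ipa_server}",
        f"ipa_backup_server = {', '.join(backups)}",
    ]
    return "\n".join(lines) + "\n"


def parse_fragment(text):
    """Round-trip the fragment through an INI parser (sssd.conf is INI) and
    return its single section as a dict, so a rendering bug is caught before
    the file is pushed to the fleet."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    (section,) = cfg.sections()
    return dict(cfg[section])


def fleet_split(hostnames, servers):
    """Which hosts prefer which server; useful to eyeball the balance."""
    split = {s: [] for s in servers}
    for h in hostnames:
        split[choose_servers(h, servers)[0]].append(h)
    return split


# Master name from the thread; the replica hostname and the client list are
# assumptions made up for this example.
SERVERS = ["ipa-master-int.mydomain.com", "ipa-replica-int.mydomain.com"]
SAMPLE_HOSTS = [f"client{i:02d}-int.mydomain.com" for i in range(40)]

if __name__ == "__main__":
    print(render_domain_section("mydomain.com", "first-client-int.mydomain.com", SERVERS))
    for server, hosts in fleet_split(SAMPLE_HOSTS, SERVERS).items():
        print(f"{server}: {len(hosts)} clients prefer it")
```

The fragment only covers the server-selection keys; merge it into the [domain/...] section ipa-client-install already wrote rather than replacing that section, and keep sssd.conf root-owned with mode 0600, which sssd checks on startup. Because the bucket comes from the hostname rather than from a random draw, re-running the generator during a rebuild puts the host back on the same primary.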

[Freeipa-users] Freeipa replica info to clents: guidance

2017-01-21 Thread Rakesh Rajasekharan
Hi,

My Freeipa setup is on AWS ec2 instances and has been working fine with
just one master for a while now.

I am now trying to set up replica servers, which I was able to, and the
replication between both masters goes fine.

So, I have a master server ipa-master-mydomain.com and replica
ipa-replica-mydomain.com.

I am not using DNS and rely on AWS for DNS resolution instead.

My question is, how do I tell clients about the new replica server?

I tried an entry in the sssd.conf domain section of the clients:


id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com


This approach works fine and clients reach out to the replica as a
failover. However, I wanted to verify if this is the correct way.

Also, can I define priority based on the order in which the IPA servers are
defined in
ipa_server = _srv_ ,,

If the above assumption is right, I could have half of my clients always
connect to the master and the rest to the replica, that way balancing the load.


Thanks
Rakesh