Thanks for the advice, Stephen (and the quick response). Obviously that won't help with load-balanced comms during the installation process, but it should keep it to a minimum afterwards.

Wouldn't a quick solution be the addition of a "--primary" flag to the ipa-client-install script? It could behave in the same way as the --server flag and be a substitute for it, but it would just force all enrolment comms to be kept to the named server and reorder the ipa_server entry in sssd.conf from "ipa_server = __srv__, x.x.x.x" to "ipa_server = x.x.x.x, __srv__".

Would that be enough?

Regards
Charlie

On Wed, Jan 18, 2012 at 3:33 PM, Dmitri Pal <[email protected]> wrote:
> On 01/17/2012 10:19 PM, Stephen Gallagher wrote:
>> On Wed, 2012-01-18 at 03:02 +0000, Charlie Derwent wrote:
>>> Hi
>>>
>>> I've got 5 different IPA servers at 5 different labs around the
>>> country that are all replicas of one another. In order to keep the
>>> cross-site network traffic to a minimum I want the IPA clients at Site
>>> "A" to only communicate with IPA Server "A", "B" to "B", "C" to "C" etc.,
>>> except in the case of the failure of one of the servers.
>>>
>>> I originally assumed that making the IPA client connect to a
>>> specific IPA server with "ipa-client-install --server=IPA_server_fqdn"
>>> would suffice, but I very quickly found out this wasn't the case, with
>>> the client going to multiple servers just to complete the installation
>>> process. Then I found out about modifying the DNS SRV records' priority
>>> and weight; however, please correct me if I'm wrong, wouldn't these
>>> changes replicate and be enacted globally (i.e. all clients at
>>> any site would prioritise IPA "A" over IPA "B")?
>>>
>>> Is there any way to get the functionality I desire?
>>
>> We're looking at ways to implement a concept of client location into the
>> connection logic. At the moment, however, the only way to do this is
>> manually on the client.
>>
>> You can make the following change in the clients' /etc/sssd/sssd.conf
>> files:
>>
>> In the [domain/your.domain.com] section there is an option "ipa_server".
>>
>> By default, this is configured to be:
>> ipa_server = __srv__, x.x.x.x
>>
>> (Where x.x.x.x is the server you were originally talking to when you ran
>> ipa-client-install, as a backup in case DNS is not working.)
>>
>> You can manually change this to be:
>> ipa_server = nearest.server.com, further.server.com, only-in-emergencies.server.com, ...
>>
>> With this manual setup, SSSD (the daemon that manages the client-side
>> portion) will always attempt to connect to nearest.server.com unless it
>> is unavailable, after which time it will fail over to the next in the
>> list, and so on.*
>>
>> * If all of them are unavailable, SSSD switches to offline operation,
>> where it will try to reconnect every couple of minutes, but will serve
>> requests from its cache in the meantime. When it reconnects from an
>> offline state, it will start retrying from the first server in the list
>> (aka the nearest one).
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> We are tracking this requirement with the following ticket:
> https://fedorahosted.org/freeipa/ticket/122
> It is currently Deferred as we do not have time to look at it yet, but any
> help is always appreciated.
> It seems that the page the ticket points to has actually changed since
> we last looked at it.
> Maybe, based on the ideas expressed in that page, the changes can be made
> in IPA storage or the LDAP driver without the need to touch BIND. If something
> like this is possible it would be much easier to implement. But we still
> have a full plate now and will for quite some time, so help would
> definitely be needed.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
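The client-side rewrite discussed in the thread (Stephen's manual ipa_server ordering, which is also what Charlie's proposed "--primary" flag would automate), done by script instead of by hand. This is an added example, not code from the thread, from FreeIPA or from SSSD: it parses an sssd.conf, puts the chosen local server first, keeps any other explicit servers in their existing order, and moves the DNS SRV placeholder to the end so site-agnostic DNS discovery is only a fallback. The section and option names ([domain/...], ipa_server) are as in sssd.conf(5); the domain, the server names and the sample file are constructed for illustration. The page writes the placeholder as __srv__ while sssd.conf(5) spells it _srv_, so the script accepts either.

```python
"""Reorder ipa_server in sssd.conf so one local IPA server is tried first.

Added example, not code from the thread or from FreeIPA/SSSD. Section and
option names follow sssd.conf(5); the server names and sample file below
are constructed.
"""
import configparser
import re
from io import StringIO

# sssd.conf(5) spells the DNS-discovery placeholder "_srv_"; the thread renders
# it as "__srv__", so accept any run of underscores around "srv".
SRV_PLACEHOLDER = re.compile(r"^_+srv_+$", re.IGNORECASE)


def split_servers(value):
    """'a, b ,c' -> ['a', 'b', 'c'] (sssd.conf server lists are comma separated)."""
    return [s.strip() for s in value.split(",") if s.strip()]


def reorder_servers(servers, primary):
    """Return the failover list SSSD will walk: `primary` first, the other
    explicit servers in their original order, and the _srv_ placeholder last
    so DNS-based discovery (which ignores the client's site) is only a fallback.
    `primary` is added if it was not already present."""
    rest = [s for s in servers if s.lower() != primary.lower()]
    explicit = [s for s in rest if not SRV_PLACEHOLDER.match(s)]
    srv = [s for s in rest if SRV_PLACEHOLDER.match(s)]
    return [primary] + explicit + srv


def _parser(conf_text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as SSSD expects them
    cp.read_string(conf_text)
    return cp


def set_primary_server(conf_text, domain, primary):
    """Rewrite the [domain/<domain>] ipa_server line of an sssd.conf and
    return the new file contents. Raises KeyError if the domain is absent."""
    cp = _parser(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(section)
    # No ipa_server line at all means SSSD relies on DNS discovery alone.
    current = split_servers(cp.get(section, "ipa_server", fallback="_srv_"))
    cp.set(section, "ipa_server", ", ".join(reorder_servers(current, primary)))
    out = StringIO()
    cp.write(out)
    return out.getvalue()


def get_ipa_servers(conf_text, domain):
    """Read back the failover order, e.g. to verify a rewrite before restarting SSSD."""
    return split_servers(_parser(conf_text).get(f"domain/{domain}", "ipa_server"))


# Constructed sample: what ipa-client-install leaves behind, as described in
# the thread (SRV discovery first, the enrolment server as backup).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = __srv__, 10.0.1.5
"""

if __name__ == "__main__":
    new_conf = set_primary_server(SAMPLE_CONF, "example.com", "ipa-a.example.com")
    print(new_conf)
    print(get_ipa_servers(new_conf, "example.com"))
    # ['ipa-a.example.com', '10.0.1.5', '__srv__']
```

Two practical caveats when applying this to real clients: run it with a different primary per site (clients at Site "A" get IPA "A" first, and so on), since the list is per client and is the only place site affinity lives in this setup; and when writing the result back to /etc/sssd/sssd.conf, preserve root ownership and mode 0600, because SSSD refuses to start on a config file that is readable by others. Restart SSSD afterwards and confirm the order with get_ipa_servers() or sssctl/the SSSD logs on the client.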
