13.2.23. Creating Domains: Primary Server and Backup Servers
Identity and authentication providers for a domain can be configured for automatic failover. SSSD attempts to connect to the specified, primary server first. If that server cannot be reached, then SSSD then goes through the listed backup servers, in order.
Note
SSSD tries to connect to the primary server every 30 seconds, until the connection can be re-established, and then switches from the backup to the primary.
All of the major service areas have optional settings for primary and backup servers[3].
| Service Area | Primary Server Attribute | Backup Server Attribute |
|---|---|---|
| LDAP identity provider | ldap_uri | ldap_backup_uri |
| Active Directory identity provider | ad_server | ad_backup_server |
| Identity Management (IdM or IPA) identity provider | ipa_server | ipa_backup_server |
| Kerberos authentication provider | krb5_server | krb5_backup_server |
| Kerberos authentication provider | krb5_server | krb5_backup_server |
| Password change provider | ldap_chpass_uri | ldap_chpass_backup_uri |
One and only one server can be set as the primary server. (And, optionally, the primary server can be set to service discovery, using
_srv_ rather than a host name.) Multiple backup servers can be set, in a comma-separated list. The backup server list is in order of preference, so the first server listed is tried first.
[domain/EXAMPLE] id_provider = ad ad_server = ad.example.com ad_backup_server = ad1.example.com, ad-backup.example.com
[3]
Most services default to the identity provider server if a specific server for that service is not set.
