30.6. Configuring Domain Failover
SSSD attempts to connect to machines and to services separately.
When SSSD tries to connect to one of its domain backends, it first tries to resolve the hostname of a given machine. If this resolution attempt fails, the machine is considered offline, and SSSD no longer attempts to connect to this machine for any other service.
If the resolution attempt succeeds, the backend tries to connect to a service on this machine. If the service connection attempt fails, then only this particular service is considered offline and the backend automatically switches over to the next service. The machine is still considered online and might still be tried for another service.
SSSD only tries the first IP address given in the DNS A record. To find multiple servers with a single request, SSSD relies on SRV records.
Connections are retried to offline machines or services every 30 seconds, until SSSD can successfully connect to the backend.
30.6.1. Configuring Failover
Configuring failover allows SSSD to switch automatically to a different server if the primary server fails. These servers are entered as a case-insensitive, comma-separated list in the [domain/Name] sections of the
/etc/sssd/sssd.conf
file. The servers are listed in order of preference. This list can contain any number of servers.
For example, for a native LDAP domain:
ldap_uri = ldap://ldap0.example.com, ldap://ldap1.example.com, ldap://ldap2.example.com
The first entry,
ldap://ldap0.example.com
, is the primary server. If this server fails, SSSD first attempts to connect to ldap1.example.com
and then ldap2.example.com
.
If the server parameter is not specified, then SSSD uses service discovery to try to find another server on the network.
Important
The failover servers must be entered as a comma-separated list of values for a single key. If there are multiple keys, SSSD only recognizes the last entry.