
Chapter 2. Failover, load-balancing, and high-availability in IdM


Identity Management (IdM) provides failover mechanisms for IdM clients and load-balancing and high-availability features for IdM servers. Learn how IdM clients and SSSD automatically select available servers, and explore the server-side architecture that provides high availability using multiple replicas.

2.1. Client-side failover capability

Client-side failover is the built-in SSSD mechanism on IdM clients that automatically determines and connects to available IdM servers to maintain continuous authentication and access.

The failover mechanism uses DNS SRV records to discover IdM servers and to switch between them when the primary servers become unavailable.

Note

SSSD queries SRV records from the DNS server. By default, SSSD waits for 6 seconds for a reply from the DNS resolver before attempting to query another DNS server. If all DNS servers are unreachable, the domain will continue to operate in offline mode. You can use the dns_resolver_timeout option to increase the time the client waits for a reply from the DNS resolver.

The SSSD failover mechanism treats an IdM server, the machine, and its services independently:

Service failure
If the hostname resolution for a server succeeds, SSSD considers the machine online and tries to connect to the required service on that machine. If the connection to the service fails, SSSD considers only that specific service as offline, not the entire machine or other services on it.
Machine failure
If hostname resolution fails, SSSD considers the entire machine as offline, and does not attempt to connect to any services on that machine.

2.1.1. Primary and backup server switching

SSSD attempts to connect to primary servers first. When all primary servers are unavailable, SSSD switches to a configured backup server.

While connected to a backup server, SSSD periodically attempts to reconnect to one of the primary servers and connects immediately once a primary server becomes available. The interval between these attempts is controlled by the failover_primary_timeout option, which defaults to 31 seconds.

If all IdM servers become unreachable, SSSD switches to offline mode. In this state, SSSD retries connections every 30 seconds until a server becomes available.
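The following added example is not code from the Red Hat documentation or from SSSD itself. It models the selection rules described in Section 2.1 and Section 2.1.1 on constructed data: how a `_srv_` entry expands into an ordered host list, why a machine failure skips every service on a host while a service failure skips only that service, and when the backup tier and offline mode are reached. The SRV records, hostnames in the `idm.example.test` domain, and the `ClientView` class are constructed for the demonstration; the RFC 2782 priority-and-weight ordering is assumed to match the tie-break that SSSD applies to SRV records.

```python
"""Added example, not Red Hat documentation or SSSD code.

Rules modelled from the chapter text:
  1. _srv_ in ipa_server expands to DNS SRV targets, lowest priority first and
     weighted-random within a priority (RFC 2782 ordering; that SSSD uses this
     exact tie-break is an assumption of the example).
  2. A host whose name does not resolve is a machine failure: none of its
     services is tried.
  3. A resolvable host whose service refuses the connection is a service
     failure: only that service is skipped on that host.
  4. Backup servers are tried only once every primary is ruled out; running
     out of servers means offline mode (None).
"""
import random
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records: Sequence[SrvRecord], rng: random.Random) -> list[str]:
    """Order SRV targets the way an RFC 2782 client tries them."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        # RFC 2782: zero-weight records go first, then draw 0..sum(weights)
        # and take the first record whose running sum reaches the draw.
        bucket.sort(key=lambda r: r.weight != 0)
        while bucket:
            draw, running, pick = rng.randint(0, sum(r.weight for r in bucket)), 0, bucket[0]
            for r in bucket:
                running += r.weight
                if running >= draw:
                    pick = r
                    break
            ordered.append(pick.target)
            bucket.remove(pick)
    return ordered


def expand_ipa_server(value: str, srv: Sequence[SrvRecord], rng: random.Random) -> list[str]:
    """Expand an ipa_server value into an ordered host list.

    De-duplicating a host that is both an SRV target and listed explicitly is
    the example's choice, not a documented SSSD guarantee.
    """
    hosts: list[str] = []
    for item in (s.strip() for s in value.split(",")):
        candidates = order_srv(srv, rng) if item == "_srv_" else ([item] if item else [])
        for host in candidates:
            if host not in hosts:
                hosts.append(host)
    return hosts


@dataclass
class ClientView:
    """What an IdM client currently observes (constructed for the example)."""
    primary: list[str]
    backup: list[str]
    resolvable: frozenset          # hosts whose name resolution succeeds
    reachable: frozenset           # (host, service) pairs that accept connections

    def select(self, service: str) -> Optional[tuple[str, str]]:
        """First usable server for `service` as (host, tier); None means offline."""
        for tier, hosts in (("primary", self.primary), ("backup", self.backup)):
            for host in hosts:
                if host not in self.resolvable:
                    continue      # machine failure: skip every service on this host
                if (host, service) not in self.reachable:
                    continue      # service failure: skip only this service here
                return host, tier
        return None               # every server ruled out: offline mode


SRV = (  # constructed _ldap._tcp.idm.example.test records
    SrvRecord(0, 100, 389, "idm1.idm.example.test"),
    SrvRecord(0, 100, 389, "idm2.idm.example.test"),
    SrvRecord(10, 100, 389, "idm3.idm.example.test"),
)
SERVICES = ("ldap", "kerberos")


def scenarios() -> dict:
    """Run the failure cases from the text and return the selected servers."""
    rng = random.Random(2024)  # fixed seed keeps the weighted draw reproducible
    primary = expand_ipa_server("_srv_, idm2.idm.example.test", SRV, rng)
    backup = ["idm9.idm.example.test"]
    every_host = frozenset(primary + backup)
    every_pair = frozenset((h, s) for h in every_host for s in SERVICES)
    first = primary[0]

    healthy = ClientView(primary, backup, every_host, every_pair)
    ldap_down = ClientView(primary, backup, every_host, every_pair - {(first, "ldap")})
    primaries_gone = ClientView(primary, backup, frozenset(backup), every_pair)
    all_gone = ClientView(primary, backup, frozenset(), every_pair)
    return {
        "primary_order": primary,
        "healthy": healthy.select("ldap"),
        "ldap_down_ldap": ldap_down.select("ldap"),
        "ldap_down_krb": ldap_down.select("kerberos"),
        "primaries_gone": primaries_gone.select("ldap"),
        "all_gone": all_gone.select("ldap"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
```

Running the module prints one line per scenario. Note in `ldap_down` that the same host still serves Kerberos while its LDAP service is skipped, which is the per-service behaviour described under "Service failure"; in `primaries_gone` the two hosts are unresolvable, so the client never tries their services and moves to the backup tier.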

2.2. IdM server-side load-balancing and high availability

You can achieve load-balancing and high availability in IdM by installing multiple IdM replicas, which provide active/active service availability across the IdM domain. Because every client can use any available replica, this mechanism provides high service availability and inherent load-balancing across the clients.

  • If you have a geographically dispersed network, you can shorten the path between IdM clients and the nearest accessible server by configuring multiple IdM replicas per data center.
  • Red Hat supports environments with up to 60 replicas.
  • The IdM replication mechanism provides active/active service availability: services at all IdM replicas are readily available at the same time.
Note

Red Hat recommends against combining IdM and other load-balancing or high-availability (HA) software.

Many third-party high-availability solutions assume active/passive scenarios and cause unnecessary service interruptions to IdM availability. Other solutions use virtual IPs or a single hostname per clustered service. None of these methods typically works well with the type of service availability that IdM provides. They also integrate very poorly with Kerberos, because a service ticket is issued for a specific server's principal, so a shared hostname or virtual IP in front of several servers breaks the mapping between the name the client contacted and the server that can decrypt the ticket. This decreases the overall security and stability of the deployment.

2.3. Configuring SSSD client failover

Configure the SSSD service on an IdM client to manage server failover. You can set server connection preferences in two ways: enable automatic DNS SRV record discovery or manually specify a prioritized list of primary and backup servers. This configuration ensures continuous authentication and access to the IdM domain when primary IdM servers go offline.

Prerequisites

  • You have root privileges on the IdM client machine.
  • You know the Fully Qualified Domain Names (FQDNs) of your IdM servers.
  • If you are using the DNS method, ensure that DNS SRV records for your IdM servers are correctly configured.

Procedure

  1. Open the /etc/sssd/sssd.conf file.
  2. Specify the list of servers using one of the following methods:

    1. Specify _srv_ as the first value in the ipa_server parameter, followed by a prioritized list of primary server FQDNs. Then, list any backup server FQDNs in the ipa_backup_server parameter. For example:

      [domain/<idm_domain_name>]
      id_provider = ipa
      ipa_server = _srv_, <primary_idm_server1>, <primary_idm_server2>
      ipa_backup_server = <backup_idm_server1>, <backup_idm_server2>
      ...

      The _srv_ option is not supported for ipa_backup_server.

    2. To bypass DNS lookups for performance reasons, remove the _srv_ entry from the ipa_server parameter and specify which IdM servers the client should connect to, in order of preference:

      [domain/<idm_domain_name>]
      id_provider = ipa
      ipa_server = <primary_idm_server1>, <primary_idm_server2>
      ipa_backup_server = <backup_idm_server1>, <backup_idm_server2>
      ...

2.4. IdM server configuration and failover parameters

The SSSD client failover and server resolution behavior are primarily controlled by the ipa_server parameter in the /etc/sssd/sssd.conf file. You can specify IdM servers by using DNS SRV records for automatic discovery or by manually listing server addresses and tuning timeout parameters for better performance.

Server configuration options

The ipa_server parameter and the _srv_ option define how SSSD on the client resolves and connects to available IdM servers:

  • With the _srv_ option specified, SSSD retrieves the list of IdM servers from the DNS SRV records of the domain, ordered by preference. If a primary server goes offline, the SSSD service on the IdM client automatically connects to another available IdM server.
  • Primary servers are specified in the ipa_server parameter. SSSD attempts to connect to primary servers first and switches to backup servers only if no primary servers are available.
  • The _srv_ option is not supported for backup servers.
  • Removing the _srv_ entry and listing servers explicitly, such as ipa_server = idm_server1.example.com,idm_server2.example.com, bypasses DNS lookups. This configuration ensures the client connects to the specified IdM servers only, using the listed order of preference.
Table 2.1. Failover and timeout parameters

  Parameter                  Default value   Description
  failover_primary_timeout   31 seconds      The interval between attempts SSSD makes to reconnect to one of the primary servers while it is connected to a backup server.
  dns_resolver_timeout       6 seconds       The time the client waits for a reply from the DNS resolver before attempting to query another DNS server. If all DNS servers are unreachable, the domain continues to operate in offline mode.
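As a last check before restarting SSSD, the following added example (not part of the Red Hat documentation and not an SSSD tool) lints the failover settings from the procedure in Section 2.3 and the parameters in Table 2.1 in an sssd.conf file. The rules it enforces from this chapter are that `_srv_` is the first value of `ipa_server`, that `_srv_` is not supported in `ipa_backup_server`, and that `failover_primary_timeout` and `dns_resolver_timeout` are positive numbers of seconds. Two checks are the example's own heuristics rather than SSSD rules: servers should be FQDNs, and a host should not be listed as both primary and backup. The sample configuration text and the `idm.example.test` domain are constructed for the demonstration.

```python
"""Added example: lint sssd.conf failover settings before restarting SSSD.

Not SSSD code or a Red Hat tool. Rules taken from this chapter:
  - _srv_ belongs first in ipa_server and is not supported in ipa_backup_server;
  - failover_primary_timeout and dns_resolver_timeout are positive seconds.
Heuristics that are the example's own: servers should be FQDNs, and a host
should not appear as both primary and backup. Sample configs are constructed.
"""
import configparser

TIMEOUT_OPTIONS = ("failover_primary_timeout", "dns_resolver_timeout")


def split_servers(value: str) -> list[str]:
    """Split a comma-separated server list as written in sssd.conf."""
    return [s.strip() for s in value.split(",") if s.strip()]


def lint_domain(section: str, opts: configparser.SectionProxy) -> list[str]:
    """Return findings for one [domain/...] section; an empty list means clean."""
    findings = []
    if opts.get("id_provider") != "ipa":
        findings.append(f"{section}: id_provider is not ipa, so ipa_server settings do not apply")
    primary = split_servers(opts.get("ipa_server", ""))
    backup = split_servers(opts.get("ipa_backup_server", ""))
    if not primary:
        findings.append(f"{section}: ipa_server is empty; nothing to fail over between")
    if "_srv_" in primary[1:]:
        findings.append(f"{section}: _srv_ should be the first value of ipa_server")
    if "_srv_" in backup:
        findings.append(f"{section}: _srv_ is not supported in ipa_backup_server")
    for host in primary + backup:
        if host != "_srv_" and "." not in host:
            findings.append(f"{section}: '{host}' is not a fully qualified domain name")
    for host in sorted((set(primary) & set(backup)) - {"_srv_"}):
        findings.append(f"{section}: '{host}' is listed as both primary and backup")
    for opt in TIMEOUT_OPTIONS:
        raw = opts.get(opt)
        if raw is not None and not (raw.isdigit() and int(raw) > 0):
            findings.append(f"{section}: {opt} must be a positive number of seconds, got '{raw}'")
    return findings


def lint_sssd_conf(text: str) -> list[str]:
    """Lint every IdM domain section of an sssd.conf given as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section.startswith("domain/"):
            findings.extend(lint_domain(section, cp[section]))
    return findings


GOOD_CONF = """\
[sssd]
services = nss, pam
domains = idm.example.test

[domain/idm.example.test]
id_provider = ipa
ipa_domain = idm.example.test
ipa_server = _srv_, idm1.idm.example.test, idm2.idm.example.test
ipa_backup_server = idm3.idm.example.test
failover_primary_timeout = 31
dns_resolver_timeout = 6
"""

BAD_CONF = """\
[domain/idm.example.test]
id_provider = ipa
ipa_server = idm1.idm.example.test, _srv_, idm2
ipa_backup_server = _srv_, idm1.idm.example.test
dns_resolver_timeout = 0
"""

if __name__ == "__main__":
    import sys
    # Pass a path (for example /etc/sssd/sssd.conf) to lint a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    for finding in lint_sssd_conf(text) or ["no findings"]:
        print(finding)
```

Run with no arguments to see the five findings for the constructed `BAD_CONF`; run with the path to a real sssd.conf to lint it before restarting SSSD. Because sssd.conf is mode 0600 and owned by root, the real-file case needs root privileges.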
