On 05/02/2016 21:14, Kevin Martin wrote:
I currently have a working openldap/tls/sssd setup with one ldap server. I'm using self-signed server side and client side certificates and the CA for the certificates happens to live on the openldap server. This is, obviously, fraught with peril if the openldap server dies! So, I've set up a second server as a replica server and I want to be able to have my sssd clients failover to the replica if the primary goes away. Thus far, my testing has been unsuccessful. I've cut a server cert for the new server but when I try to use the secondary server as the authorized ldap server I get errors like:
A better approach in my opinion is to load balance your LDAP servers and use a single address for your clients to point at. That way as your organisation or load grows you can just throw additional peers at the LDAP end and not worry about how the clients are configured.
keepalived and haproxy will do this very nicely.
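As an added illustration of the haproxy/keepalived setup suggested above (constructed example, not from either poster): haproxy passes LDAPS through in TCP mode to both replicas behind one VRRP address, and keepalived moves that address if the haproxy node fails. Hostnames, addresses, interface and the VRRP password are placeholders; it assumes an haproxy built with SSL support, and since clients now connect to the VIP name, each replica's certificate must carry that name as a SAN or the clients' TLS verification will reject it exactly as the per-server cert did.

```conf
# ---- /etc/haproxy/haproxy.cfg (constructed; placeholders throughout) ----
defaults
    mode tcp                   # LDAPS is passed through, not terminated here
    option tcplog
    timeout connect 5s
    timeout client  300s
    timeout server  300s

# Clients are configured with ldaps://ldap.example.com, which resolves to
# the VRRP VIP 192.0.2.10. Both backends need a cert valid for that name.
frontend ldaps_in
    bind 192.0.2.10:636
    default_backend ldaps_replicas

backend ldaps_replicas
    balance roundrobin
    # Health check: anonymous LDAPv3 bind carried over TLS (check-ssl), so a
    # host whose slapd is hung or whose TLS listener is broken is removed.
    option ldap-check
    server ldap1 192.0.2.21:636 check check-ssl ca-file /etc/haproxy/ldap-ca.pem verify required inter 5s fall 2 rise 3
    server ldap2 192.0.2.22:636 check check-ssl ca-file /etc/haproxy/ldap-ca.pem verify required inter 5s fall 2 rise 3

# ---- /etc/keepalived/keepalived.conf on the MASTER haproxy node ----
# The second node uses state BACKUP and a lower priority (e.g. 100).
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"   # fail VRRP if haproxy is not running
    interval 2
    weight 2
}
vrrp_instance VI_LDAP {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE_ME_PLACEHOLDER
    }
    virtual_ipaddress {
        192.0.2.10/24
    }
    track_script {
        chk_haproxy
    }
}
```

With this in place sssd only ever sees ldaps://ldap.example.com, so adding a third replica is a one-line change in the backend rather than a change on every client.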