13.2.23. Creating Domains: Primary Server and Backup Servers

Identity and authentication providers for a domain can be configured for automatic failover. SSSD attempts to connect to the specified primary server first. If that server cannot be reached, SSSD goes through the listed backup servers, in order.


SSSD tries to connect to the primary server every 30 seconds, until the connection can be re-established, and then switches from the backup to the primary.
All of the major service areas have optional settings for primary and backup servers[3].

Table 13.11. Primary and Secondary Server Parameters

Service Area                                         Primary Server Attribute   Backup Server Attribute
LDAP identity provider                               ldap_uri                   ldap_backup_uri
Active Directory identity provider                   ad_server                  ad_backup_server
Identity Management (IdM or IPA) identity provider   ipa_server                 ipa_backup_server
Kerberos authentication provider                     krb5_server                krb5_backup_server
Password change provider                             ldap_chpass_uri            ldap_chpass_backup_uri

One and only one server can be set as the primary server. (And, optionally, the primary server can be set to service discovery, using _srv_ rather than a host name.) Multiple backup servers can be set, in a comma-separated list. The backup server list is in order of preference, so the first server listed is tried first.

id_provider = ad
ad_server = ad.example.com
ad_backup_server = ad1.example.com, ad-backup.example.com
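
The rules above (exactly one primary, an ordered comma-separated backup list) can be checked before a configuration is deployed. The following Python code is an added example, not part of the original guide or of SSSD: it reads sssd.conf-style text, reports the connection order for each service area in Table 13.11, and flags entries that leave a domain without a usable failover target. The host names, the second domain and the `check_failover` helper are constructed for illustration.

```python
import configparser

# Primary/backup attribute pairs from Table 13.11.
PAIRS = {
    "ldap_uri": "ldap_backup_uri",
    "ad_server": "ad_backup_server",
    "ipa_server": "ipa_backup_server",
    "krb5_server": "krb5_backup_server",
    "ldap_chpass_uri": "ldap_chpass_backup_uri",
}

# Constructed sample configuration (hypothetical hosts and domains).
SAMPLE = """
[domain/example.com]
id_provider = ad
ad_server = ad.example.com
ad_backup_server = ad1.example.com, ad-backup.example.com

[domain/lab.example.com]
ldap_uri = ldaps://ldap1.lab.example.com, ldaps://ldap2.lab.example.com
krb5_server = kdc.lab.example.com
krb5_backup_server = kdc.lab.example.com
"""

def servers(value):
    """Split a comma-separated server list, keeping the order of preference."""
    return [s.strip() for s in value.split(",") if s.strip()]

def check_failover(conf_text):
    """Map (section, primary attribute) to its connection order and problems."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        for primary, backup in PAIRS.items():
            prim = servers(cp[section].get(primary, fallback=""))
            back = servers(cp[section].get(backup, fallback=""))
            if not prim and not back:
                continue  # this service area is not configured in the domain
            problems = []
            if len(prim) != 1:
                problems.append(f"{primary}: {len(prim)} primary entries, expected 1")
            if not back:
                problems.append(f"{backup}: not set, no failover target")
            if len(set(prim + back)) < len(prim + back):
                problems.append(f"{backup}: duplicates add no redundancy")
            report[(section, primary)] = {"order": prim + back, "problems": problems}
    return report

if __name__ == "__main__":
    for key, result in check_failover(SAMPLE).items():
        print(key, result)
```

An empty `problems` list means the service area has a single primary and at least one distinct backup; `order` is the sequence in which the servers are tried.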

[3] Most services default to the identity provider server if a specific server for that service is not set.