13.2.18. Domain Options: Using DNS Service Discovery

DNS service discovery, defined in RFC 2782, allows applications to check the SRV records in a given domain for certain services of a certain type; it then returns any servers discovered of that type.
With SSSD, the identity and authentication providers can either be explicitly defined (by IP address or host name) or they can be discovered dynamically, using service discovery. If no provider server is listed — for example, if id_provider = ldap is set without a corresponding ldap_uri parameter — then discovery is automatically used.
The DNS discovery query has this format:
_service._protocol.domain
For example, a scan for an LDAP server using TCP in the example.com domain looks like this:
_ldap._tcp.example.com

Note

For every service with which to use service discovery, add a special DNS record to the DNS server:
_service._protocol._domain TTL priority weight port hostname
For SSSD, the service type is LDAP by default, and almost all services use TCP (except for Kerberos, which starts with UDP). For service discovery to be enabled, the only thing that is required is the domain name. The default is to use the domain portion of the machine host name, but another domain can be specified (using the dns_discovery_domain parameter).
So, by default, no additional configuration needs to be made for service discovery — with one exception. The password change provider has server discovery disabled by default, and it must be explicitly enabled by setting a service type.
[domain/EXAMPLE]
...
chpass_provider = ldap
ldap_chpass_dns_service_name = ldap
While no configuration is necessary, it is possible for server discovery to be customized by using a different DNS domain (dns_discovery_domain) or by setting a different service type to scan for. For example:
[domain/EXAMPLE]
id _provider = ldap

dns_discovery_domain = corp.example.com
ldap_dns_service_name = ldap

chpass_provider = krb5
ldap_chpass_dns_service_name = kerberos
Lastly, service discovery is never used with backup servers; it is only used for the primary server for a provider. What this means is that discovery can be used initially to locate a server, and then SSSD can fall back to using a backup server. To use discovery for the primary server, use _srv_ as the primary server value, and then list the backup servers. For example:
[domain/EXAMPLE]
id _provider = ldap
ldap_uri = _srv_
ldap_backup_uri = ldap://ldap2.example.com

auth_provider = krb5
krb5_server = _srv_
krb5_backup_server = kdc2.example.com

chpass_provider = krb5
ldap_chpass_dns_service_name = kerberos
ldap_chpass_uri = _srv_
ldap_chpass_backup_uri = kdc2.example.com

Note

Service discovery cannot be used with backup servers, only primary servers.
If a DNS lookup fails to return an IPv4 address for a host name, SSSD attempts to look up an IPv6 address before returning a failure. This only ensures that the asynchronous resolver identifies the correct address.
The host name resolution behavior is configured in the lookup family order option in the sssd.conf configuration file.