Chapter 38. Failover, load balancing and high availability in Identity Management

Identity Management (IdM) comes with its own failover, load-balancing and high-availability features, for example LDAP identity domain and certificate replication, and service discovery and failover support provided by the System Security Services Daemon (SSSD).
IdM is thus equipped with:

Client-side failover capability

SSSD obtains service (SRV) resource records from DNS servers that the client discovers automatically. Based on the SRV records, SSSD maintains a list of available IdM servers, including the information about the connectivity of these servers. If one IdM server goes offline or is overloaded, SSSD already knows which other server to communicate with.
If DNS autodiscovery is not available, IdM clients should be configured at least with a fixed list of IdM servers to retrieve SRV records from in case of a failure.
During the installation of an IdM client, the installer searches for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to the client's hostname. In this way, the installer retrieves the hostname of the IdM server that is most conveniently located for communicating with the client, and uses its domain to configure the client components.

Server-side service availability

IdM allows replicating servers in geographically dispersed data centers to shorten the path between IdM clients and the nearest accessible server. Replicating servers allows spreading the load and scaling for more clients.
The IdM replication mechanism provides active/active service availability. Services at all IdM replicas are readily available at the same time.


Trying to combine IdM with other load balancing, HA software is not recommended. Many third-party high availability (HA) solutions assume active/passive scenarios and cause unneeded service interruption to IdM availability. Other solutions use virtual IPs or a single hostname per clustered service. All these methods do not typically work well with the type of service availability provided by the IdM solution. They also integrate very poorly with Kerberos, decreasing the overall security and stability of the deployment.
It is also discouraged to deploy other, unrelated services on IdM masters, especially if these services are supposed to be highly available and use solutions that modify networking configuration to provide HA features.
For more details about using load balancers when Kerberos is used for authentication, see this blog post.