From bdf84760ab3b41acd89e4b493fbae12c3eb76f36 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 21 Jun 2021 13:24:14 +0200
Subject: [PATCH] [sssd] Support multiple LDAP uris for resilience

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/sssd.yml                    | 12 +++++++-----
 roles/sssd/templates/sssd/sssd.conf.j2 |  4 ++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/group_vars/sssd.yml b/group_vars/sssd.yml
index 4f4d0afc..3f826526 100644
--- a/group_vars/sssd.yml
+++ b/group_vars/sssd.yml
@@ -3,16 +3,18 @@ glob_sssd:
     domain: tealc.adm.crans.org
     enumerate: "true"
     servers:
-      - "{{ query('ldap','ip','tealc','adm') | ipv4 | first }}"
-      - "{{ query('ldap','ip','sam','adm') | ipv4 | first }}"
-      - "{{ query('ldap','ip','daniel','adm') | ipv4 | first }}"
-      - "{{ query('ldap','ip','jack','adm') | ipv4 | first }}"
+      - "ldaps://{{ query('ldap','ip','tealc','adm') | ipv4 | first }}"
+      - "ldaps://{{ query('ldap','ip','sam','adm') | ipv4 | first }}"
+      - "ldaps://{{ query('ldap','ip','daniel','adm') | ipv4 | first }}"
+      - "ldaps://{{ query('ldap','ip','jack','adm') | ipv4 | first }}"
     base: "dc=crans,dc=org"
   secondary:
     domain: re2o-ldap.adm.crans.org
     enumerate: "false"
+    servers:
+      - "ldaps://{{ query('ldap','ip','re2o-ldap','adm') | ipv4 | first }}"
+      - "ldaps://{{ query('ldap','ip','terenez','adm') | ipv4 | first }}"
     base: "dc=crans,dc=org"
     bind:
       dn: "cn=nslcd,ou=service-users,dc=crans,dc=org"
       passwd: "{{ vault.ldap_nslcd_passwd }}"
-        
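Review bot: The URIs added on lines 24-27 and 33-34 address each server by its IPv4 address, where the line this replaces in the template (`ldap_uri = ldaps://{{ sssd.primary.domain }}`) used a hostname; under sssd's certificate verification the name checked against the server certificate is now the IP, so each certificate must carry that address as an IP SAN or the ldaps connection will be rejected, and the usual workaround of lowering `ldap_tls_reqcert` would remove server authentication entirely. If the certificates only carry DNS names, keeping hostnames in the list (e.g. `- "ldaps://tealc.adm.crans.org"`) preserves name-based validation without changing the failover behaviour. Either way the requirement is worth stating above `servers:`, e.g. `# ldaps:// URIs tried in order; server certificates must validate against the address form used here`. I cannot see from the hunk which form the deployed certificates use, so this needs confirming against the LDAP hosts.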
diff --git a/roles/sssd/templates/sssd/sssd.conf.j2 b/roles/sssd/templates/sssd/sssd.conf.j2
index 51f6cc2e..8c157cc7 100644
--- a/roles/sssd/templates/sssd/sssd.conf.j2
+++ b/roles/sssd/templates/sssd/sssd.conf.j2
@@ -9,7 +9,7 @@ ldap_access_filter = (objectClass=posixAccount)
 enumerate = {{ sssd.primary.enumerate }}
 id_provider = ldap
 auth_provider = ldap
-ldap_uri = ldaps://{{ sssd.primary.domain }}
+ldap_uri = {{ sssd.primary.servers | join(', ') }}
 ldap_search_base = {{ sssd.primary.base }}
 {% if sssd.primary.bind is defined -%}
 ldap_default_bind_dn = {{ sssd.primary.bind.dn }}
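Review bot: Line 49 makes `sssd.primary.servers` mandatory with no fallback, while the removed line derived the URI from `sssd.primary.domain` alone; any host whose group vars still define only `domain` (the secondary block had no `servers` key before this commit) will now fail template rendering with an undefined-variable error instead of getting the previous single-server config. If a loud failure is intended that is fine and deserves a comment, otherwise a default that rebuilds the old value keeps the template backward-compatible: `ldap_uri = {{ sssd.primary.servers | default(['ldaps://' ~ sssd.primary.domain]) | join(', ') }}`. The same applies to the `sssd.secondary.servers` line in the second hunk. The `[domain/...]` section these lines belong to starts outside the hunk.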
@@ -22,7 +22,7 @@ ldap_access_filter = (objectClass=posixAccount)
 enumerate = {{ sssd.secondary.enumerate }}
 id_provider = ldap
 auth_provider = ldap
-ldap_uri = ldaps://{{ sssd.secondary.domain }}
+ldap_uri = {{ sssd.secondary.servers | join(', ') }}
 ldap_search_base = {{ sssd.secondary.base }}
 {% if sssd.secondary.bind is defined -%}
 ldap_default_bind_dn = {{ sssd.secondary.bind.dn }}
-- 
GitLab