-rw-r--r--src/config/SSSDConfig/__init__.py.in2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf2
-rw-r--r--src/man/sssd-ldap.5.xml8
-rw-r--r--src/providers/ad/ad_opts.h2
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/ldap/ldap_init.c7
-rw-r--r--src/providers/ldap/ldap_opts.h2
-rw-r--r--src/providers/ldap/sdap.h2
10 files changed, 21 insertions, 8 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1daa3907..48568843 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -166,6 +166,7 @@ option_strings = {
# [provider/ldap]
'ldap_uri' : _('ldap_uri, The URI of the LDAP server'),
+ 'ldap_backup_uri' : _('ldap_backup_uri, The URI of the LDAP server'),
'ldap_search_base' : _('The default base DN'),
'ldap_schema' : _('The Schema Type in use on the LDAP server, rfc2307'),
'ldap_default_bind_dn' : _('The default bind DN'),
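Review bot: The help text added for `ldap_backup_uri` repeats the `ldap_uri` wording and never says the server is a backup, so anything that displays these strings shows two options with the same meaning. The `ldap_chpass_backup_uri` entry in the next hunk does say "backup", and the same wording fits here: `'ldap_backup_uri' : _('ldap_backup_uri, The URI of the backup LDAP server'),`. The `option_strings` dictionary starts and ends outside the hunk.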
@@ -297,6 +298,7 @@ option_strings = {
# [provider/ldap/chpass]
'ldap_chpass_uri' : _('URI of an LDAP server where password changes are allowed'),
+ 'ldap_chpass_backup_uri' : _('URI of a backup LDAP server where password changes are allowed'),
'ldap_chpass_dns_service_name' : _('DNS service name for LDAP password change server'),
# [provider/ldap/sudo]
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index f7c6d2d1..6c323399 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -3,6 +3,7 @@ ad_domain = str, None, false
ad_server = str, None, false
ad_hostname = str, None, false
ldap_uri = str, None, false
+ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
ldap_default_bind_dn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 91485409..fa380a67 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -9,6 +9,7 @@ ipa_host_search_base = str, None, false
ipa_master_domain_search_base = str, None, false
ipa_ranges_search_base = str, None, false
ldap_uri = str, None, false
+ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
ldap_default_bind_dn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 2af849ff..cdad5b68 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -1,5 +1,6 @@
[provider/ldap]
ldap_uri = str, None, false
+ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
ldap_schema = str, None, false
ldap_default_bind_dn = str, None, false
@@ -124,6 +125,7 @@ ldap_access_order = str, None, false
[provider/ldap/chpass]
ldap_chpass_uri = str, None, false
+ldap_chpass_backup_uri = str, None, false
ldap_chpass_dns_service_name = str, None, false
[provider/ldap/sudo]
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 0e14a2a4..93d5783a 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -57,14 +57,14 @@
<variablelist>
<varlistentry>
- <term>ldap_uri (string)</term>
+ <term>ldap_uri, ldap_backup_uri (string)</term>
<listitem>
<para>
Specifies the comma-separated list of URIs of the LDAP servers to which
SSSD should connect in the order of preference. Refer to the
<quote>FAILOVER</quote> section for more information on failover and server redundancy.
- If not specified, service discovery is enabled. For more information, refer
- to the <quote>SERVICE DISCOVERY</quote> section.
+ If neither option is specified, service discovery is enabled. For more information,
+ refer to the <quote>SERVICE DISCOVERY</quote> section.
</para>
<para>
The format of the URI must match the format defined in RFC 2732:
@@ -82,7 +82,7 @@
</varlistentry>
<varlistentry>
- <term>ldap_chpass_uri (string)</term>
+ <term>ldap_chpass_uri, ldap_chpass_backup_uri (string)</term>
<listitem>
<para>
Specifies the comma-separated list of URIs of the LDAP servers to
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 0d957bcd..41491ddc 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
struct dp_option ad_def_ldap_opts[] = {
{ "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, { "password" }, NULL_STRING},
@@ -96,6 +97,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_account_expire_policy", DP_OPT_STRING, { "ad" }, NULL_STRING },
{ "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_chpass_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_update_last_change", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 6eedc001..4925c599 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -51,6 +51,7 @@ struct dp_option ipa_basic_opts[] = {
struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING},
@@ -109,6 +110,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_account_expire_policy", DP_OPT_STRING, { "ipa" }, NULL_STRING },
{ "ldap_access_order", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_chpass_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_update_last_change", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 90e5f666..52bd233f 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -88,6 +88,7 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
{
struct sdap_id_ctx *ctx;
const char *urls;
+ const char *backup_urls;
const char *dns_service_name;
const char *sasl_mech;
int ret;
@@ -117,12 +118,10 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
DEBUG(7, ("Service name for discovery set to %s\n", dns_service_name));
urls = dp_opt_get_string(ctx->opts->basic, SDAP_URI);
- if (!urls) {
- DEBUG(SSSDBG_CONF_SETTINGS, ("Missing ldap_uri, will use service discovery\n"));
- }
+ backup_urls = dp_opt_get_string(ctx->opts->basic, SDAP_BACKUP_URI);
ret = sdap_service_init(ctx, ctx->be, "LDAP",
- dns_service_name, urls, NULL,
+ dns_service_name, urls, backup_urls,
&ctx->service);
if (ret != EOK) {
DEBUG(1, ("Failed to initialize failover service!\n"));
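Review bot: The removed `if (!urls)` block was the one place in this hunk that logged the switch to service discovery, and nothing replaces it, so a configuration with neither `ldap_uri` nor `ldap_backup_uri` now goes by without a trace. Keeping the message with a widened condition preserves it: `if (!urls && !backup_urls) { DEBUG(SSSDBG_CONF_SETTINGS, ("Missing ldap_uri and ldap_backup_uri, will use service discovery\n")); }`. The backup list is passed to `sdap_service_init` without any check here. Whether that function validates it the same way as the primary list is not visible in this hunk and is worth confirming, since a failover should not end up on a weaker transport than the primary servers use. `sssm_ldap_id_init` begins and ends outside the hunk.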
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 4ed6aaff..9be6a0f6 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -31,6 +31,7 @@
struct dp_option default_basic_opts[] = {
{ "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_default_authtok_type", DP_OPT_STRING, { "password" }, NULL_STRING},
@@ -89,6 +90,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_account_expire_policy", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING },
{ "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_chpass_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_chpass_update_last_change", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 4ca755e3..70b4e6ad 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -150,6 +150,7 @@ enum sdap_result {
enum sdap_basic_opt {
SDAP_URI = 0,
+ SDAP_BACKUP_URI,
SDAP_SEARCH_BASE,
SDAP_DEFAULT_BIND_DN,
SDAP_DEFAULT_AUTHTOK_TYPE,
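Review bot: `SDAP_BACKUP_URI` is inserted as the second enumerator, which shifts every later value of `enum sdap_basic_opt`, and nothing in the hunk records that the option tables depend on this order. `ldap_init.c` looks options up by enumerator (`dp_opt_get_string(ctx->opts->basic, SDAP_URI)`), so `default_basic_opts`, `ad_def_ldap_opts` and `ipa_def_ldap_opts` have to carry the new row at the same position. The commit does that by hand in all three, but a later edit that misses one table would map options to the wrong slots without a compile error. A comment above the enum would state the contract, for example `/* Order must match default_basic_opts, ad_def_ldap_opts and ipa_def_ldap_opts; entries are looked up by position. */`. The enum starts and ends outside the hunk.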
@@ -207,6 +208,7 @@ enum sdap_basic_opt {
SDAP_ACCOUNT_EXPIRE_POLICY,
SDAP_ACCESS_ORDER,
SDAP_CHPASS_URI,
+ SDAP_CHPASS_BACKUP_URI,
SDAP_CHPASS_DNS_SERVICE_NAME,
SDAP_CHPASS_UPDATE_LAST_CHANGE,
SDAP_ENUM_SEARCH_TIMEOUT,
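Review bot: `SDAP_CHPASS_BACKUP_URI` is added here and to the three option tables, but no hunk in this commit reads it; the only consumer change is in `sssm_ldap_id_init`, which fetches `SDAP_BACKUP_URI`. Unless the password-change initialisation is wired up elsewhere, a configured `ldap_chpass_backup_uri` is accepted and listed in the man page yet has no effect, so an administrator who relies on it has no failover for password changes. The password-change setup should fetch it with `dp_opt_get_string(ctx->opts->basic, SDAP_CHPASS_BACKUP_URI)` and pass the result as the backup argument of `sdap_service_init`, as the ID path now does. Otherwise the option should stay out of the schema and the man page until that code exists.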