
yahoo-eng-team team mailing list archive

[Bug 1500631] [NEW] ldap url option actually supports multiple URIs


Public bug reported:

The help text for the ldap.url config option states: "URL for connecting
to the LDAP server."  This implies only one URL can be specified.  But
actually, multiple may be specified due to the python-ldap module being
used.

The python-ldap module is basically a wrapper for the OpenLDAP client
library.  And if you look into the source, ldap.initialize() calls
ldap_initialize(), which supports multiple URIs in the URI string.  This
is easily found in the man page for ldap_initialize:

    ldap_initialize() acts like ldap_init(), but it returns an integer
    indicating either success or the failure reason, and it allows to
    specify details for the connection in the schema portion of the URI.
    The uri parameter may be a comma- or whitespace-separated list of
    URIs containing only the schema, the host, and the port fields. .....

So I did try comma-separated LDAP URLs in keystone, which worked as I
would expect.  It attempts connections with the first host and tries the
next if it fails to bind.  My simple example using python-ldap, where
there is no LDAP server at localhost but there is one at ldaps.company.com:

    import ldap

    # Comma-separated URI list, passed straight through to ldap_initialize().
    # Nothing listens on localhost:389, so the client falls through to the
    # second URI.
    l = ldap.initialize('ldap://localhost:389,ldaps://ldaps.company.com:636')
    l.simple_bind_s()
    # interactive session result:
    (97, [], 1, [])

The same works in keystone, so the keystone config help should be
updated to show this is actually a supported option.  It's very useful
for deployers using AD, where there is commonly redundancy using many
domain controllers behind that one domain.

Note: the whitespace-separated list did not work for me, only comma.

** Affects: keystone
     Importance: Low
     Assignee: Eric Brown (ericwb)
         Status: In Progress


** Tags: ldap

** Tags added: ldap

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1500631
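The following is an added example for this report; it is not code from the bug, from keystone or from python-ldap. It lints a multi-URI url value the way a deployer might before putting it into keystone.conf: it splits on commas (the separator the reporter found to work), flags whitespace separation (which did not work for the reporter), rejects entries that carry more than scheme, host and port (the ldap_initialize(3) rule quoted above; a base DN such as dc=example,dc=com would otherwise be chopped at its own comma), and warns when ldap:// and ldaps:// are mixed, because the failover the reporter describes then becomes a downgrade path: if the TLS host is down, the simple bind and its password go to the plaintext host unencrypted unless STARTTLS is enforced. The hostnames are made up; only the standard library is used so it runs offline.

```python
"""Lint a keystone-style [ldap] url value that lists several LDAP URIs.

Added example for this bug report; not code from the report, keystone or
python-ldap. Only the standard library is used so it runs offline. The rules
follow the ldap_initialize(3) text quoted in the report: a comma-separated
list of URIs, each carrying only scheme, host and port. Hostnames are made up.
"""
from urllib.parse import urlsplit

# Port assumed when a URI omits one.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def split_uri_list(value):
    """Split on commas only; the reporter found whitespace separation did not work."""
    return [part.strip() for part in value.split(",") if part.strip()]


def lint_uri_list(value):
    """Return {'uris': [(scheme, host, port), ...], 'problems': [...]} for a url value."""
    uris, problems = [], []
    for raw in split_uri_list(value):
        if any(ch.isspace() for ch in raw):
            problems.append(f"{raw!r}: whitespace inside an entry; separate URIs with commas")
            continue
        u = urlsplit(raw)
        scheme = u.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            # Also what a base DN such as /dc=example,dc=com degrades into: the
            # comma after 'dc=example' is taken as a list separator.
            problems.append(f"{raw!r}: not an ldap:// or ldaps:// URI")
            continue
        if u.path not in ("", "/") or u.query or u.fragment or u.username is not None:
            problems.append(f"{raw!r}: only scheme, host and port are honoured in a URI list")
        if not u.hostname:
            problems.append(f"{raw!r}: missing host")
        try:
            port = u.port or DEFAULT_PORTS[scheme]
        except ValueError:
            problems.append(f"{raw!r}: invalid port")
            port = None
        uris.append((scheme, u.hostname or "", port))

    schemes = {scheme for scheme, _, _ in uris}
    if {"ldap", "ldaps"} <= schemes:
        # Failover makes this a downgrade path: if the ldaps host is down, the
        # simple bind (and its password) goes to the ldap:// host in the clear
        # unless STARTTLS is enforced (keystone exposes that as [ldap] use_tls).
        problems.append("mixed ldap:// and ldaps:// entries: a failover to the "
                        "plaintext URI would send the bind password unencrypted")
    if len(set(uris)) != len(uris):
        problems.append("duplicate URIs in the list")
    return {"uris": uris, "problems": problems}


if __name__ == "__main__":
    # The reporter's own value: it works, but mixes a plaintext and a TLS URI.
    for line in lint_uri_list("ldap://localhost:389,ldaps://ldaps.company.com:636")["problems"]:
        print("warning:", line)
```

The checker deliberately splits on commas alone rather than on the "comma- or whitespace-separated" wording of the man page, since the report says only commas worked through keystone; a value that relies on spaces is therefore reported instead of being silently accepted.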