
yahoo-eng-team team mailing list archive

[Bug 1500631] Re: support multiple LDAP URIs

 

Reviewed:  https://review.openstack.org/228644
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9d3b676b1f17fb42fe92a421948ebaa597ba2d24
Submitter: Jenkins
Branch:    master

commit 9d3b676b1f17fb42fe92a421948ebaa597ba2d24
Author: Steve Martinelli <stevemar@xxxxxxxxxx>
Date:   Sun Feb 7 02:54:08 2016 -0500

    Support multiple URLs for LDAP server
    
    python-ldap calls out to openldap which can handle multiple URLs for
    ldap servers (for the purpose of high availability). openldap expects
    these urls to be separated by a comma or whitespace.
    
    Change the help text to specify a comma separated list of URLs is
    allowed.
    
    Change-Id: I523dcfc1701a6f7c725c4aa11482bfc15a3515a5
    Closes-Bug: #1500631


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1500631

Title:
  support multiple LDAP URIs

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The help text for the ldap.url config option states: "URL for
  connecting to the LDAP server."  This implies only one URL can be
  specified.  But actually, multiple may be specified due to the
  python-ldap module being used.

  The python-ldap module is basically a wrapper for the openldap client
  library.  And if you look into the source, ldap.initialize() calls
  ldap_initialize() which supports multiple URIs in the URI string.  And
  it is easily found in the man page for ldap_initialize:

  ldap_initialize() acts like ldap_init(), but it returns an integer indicating either
  success or the failure reason, and it allows to specify details for the connection in the
  schema portion of the URI.  The uri parameter may be a comma- or whitespace-separated list
  of URIs containing only the schema, the host, and the port fields. .....

  So I did try comma separated ldap URLs in keystone, which worked as I
  would expect.  It attempts connections with the first host and tries
  the next if it fails to bind.  My simple example using python-ldap
  where there is no ldap server at localhost, but there is at
  ldaps.company.com

  >>> import ldap
  >>> l = ldap.initialize('ldap://localhost:389,ldaps://ldaps.company.com:636')
  >>> l.simple_bind_s()
  (97, [], 1, [])

  The same works in keystone, so the keystone config help should be
  updated to show this is actually a supported option.  It's very useful
  for deployers using AD where there is commonly redundancy using many
  domain controllers behind that one domain.

  Note: the whitespace-separated list did not work for me, only comma.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1500631/+subscriptions
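The thread establishes two things a deployer relying on this should check before handing the value to python-ldap: each entry in the list must contain only scheme, host and port (ldap_initialize() ignores or rejects anything else), and the list order is the failover order, so mixing ldap:// and ldaps:// entries means a failover can silently change the transport security. The validator below is an added example written for this page, not code from keystone or python-ldap; it assumes a keystone.conf-style [ldap] section with the real "url" key, the hostnames in the sample fragment are placeholders, and the warning text about use_tls refers to keystone's [ldap] use_tls option. It splits on commas by default (the only separator the reporter found working through keystone) and on whitespace only when asked.

```python
"""Validate a comma-separated multi-server [ldap] url option.

Added example, not keystone or python-ldap code.  It needs only the
standard library so it runs without an LDAP server.
"""
import configparser
from urllib.parse import urlsplit

# Constructed keystone.conf fragment for the example; "url" is the real
# [ldap] option name, the hosts are placeholders.
SAMPLE_CONF = """
[ldap]
url = ldap://localhost:389,ldaps://ldaps.company.com:636, ldaps://dc2.company.com
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def split_ldap_urls(value, allow_whitespace=False):
    """Split the option value into individual URIs.

    openldap's ldap_initialize() accepts a comma- or whitespace-separated
    list, but the bug reporter only got commas to work through keystone,
    so whitespace splitting is opt-in.
    """
    if allow_whitespace:
        parts = value.replace(",", " ").split()
    else:
        parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p]


def parse_ldap_url(uri):
    """Return (scheme, host, port) for one entry or raise ValueError.

    ldap_initialize() honours only scheme, host and port in a list entry,
    so a base DN, query or fragment is rejected here rather than being
    silently dropped.  ldapi:// (unix socket) is left out on purpose: it
    is not what a multi-DC failover list is for.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme in %r" % uri)
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("only scheme, host and port are allowed in %r" % uri)
    if not parts.hostname:
        raise ValueError("missing host in %r" % uri)
    port = parts.port            # raises ValueError on a non-numeric port
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)


def is_valid_ldap_url(uri):
    """Boolean form of parse_ldap_url() for quick checks."""
    try:
        parse_ldap_url(uri)
        return True
    except ValueError:
        return False


def check_ldap_url_option(value, allow_whitespace=False):
    """Parse the whole option; return (servers, warnings).

    servers is the failover list in the order openldap will try it.
    """
    servers = [parse_ldap_url(u)
               for u in split_ldap_urls(value, allow_whitespace)]
    if not servers:
        raise ValueError("empty ldap url option")
    warnings = []
    schemes = {scheme for scheme, _, _ in servers}
    if "ldap" in schemes:
        warnings.append("plaintext ldap:// entry present: simple-bind "
                        "credentials cross the wire unencrypted unless "
                        "[ldap] use_tls (StartTLS) is enabled")
    if len(schemes) > 1:
        warnings.append("mixed ldap:// and ldaps:// entries: failing over "
                        "from one to the other changes the transport security")
    return servers, warnings


def check_conf(text):
    """Read a keystone.conf-style [ldap] section and check its url option."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return check_ldap_url_option(cfg.get("ldap", "url"))


if __name__ == "__main__":
    servers, warnings = check_conf(SAMPLE_CONF)
    for entry in servers:
        print("server: %s://%s:%d" % entry)
    for w in warnings:
        print("warning:", w)
```

On the sample fragment the checker returns the three servers in list order and two warnings, one for the plaintext ldap://localhost entry and one for the mixed schemes. Entries with a base DN or a bad port are rejected up front, which is preferable to discovering the problem only when openldap skips a malformed entry during a failover.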

