
yahoo-eng-team team mailing list archive

[Bug 1544821] Re: keystone: redundant ldap url does not go to failover one when firewall silently drops packets


Eric, thank you for your insightful comment. I agree that this bug is
rather out of scope for keystone. The correct answer would be to use a
proxy. I will mark this bug as 'opinion' so we can further discuss it,
but it does not align with project plans.

** Changed in: keystone
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1544821

Title:
  keystone: redundant ldap url does not go to failover one when firewall
  silently drops packets

Status in OpenStack Identity (keystone):
  Opinion
Status in keystoneauth:
  Invalid

Bug description:
  Actual Problem
  ================
  While a list of LDAP servers is possible, there isn't a built-in timeout mechanism in Keystone to fail over to the next LDAP server in the list if there is no response. Try setting your first LDAP server in the list to a server which will not respond on 636, i.e. behind a firewall that silently drops packets. What you will find is that Keystone will hang waiting for a connection timeout and keystone authentication will time out.
  ================

  Replicated the issue and here is the result
  ++++++++++++++++++++++++++++++++++++++++++++++

  My keystone auth config for the domain
  /etc/keystone/domains/keystone.LAB.conf

  ~~~~~~~~~~~
  [ldap]
  url =  ldaps://ipb.test.com,ldaps://ipa.test.com
  user = uid=svc-ldap,cn=users,cn=accounts,dc=test,dc=com
  user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=test,dc=com)
  password = redhat
  user_tree_dn = cn=users,cn=accounts,dc=test,dc=com
  ~~~~~~~~~~~

  Both of the LDAP servers are IPA.

  When it works and goes to ldaps://ipa.test.com

  - When we stop the IPA service on ipb.test.com
  - When we shut down the ldap/ldaps port on ipb.test.com

  When it does not work

  - Drop the packets, e.g. # iptables -I INPUT -s OSP-Controller -j DROP

  - Network stops responding

  ** But it works well when it is "Destination Host Unreachable" (manually
  delete the ARP entry from the table)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1544821/+subscriptions