
yahoo-eng-team team mailing list archive

[Bug 1636950] [NEW] Set network connection timeout on Keystone Identity's LDAP backend to prevent stall on bind

 

Public bug reported:

In our Mitaka deployment when setting up the Identity driver to use an
external LDAP backend, if the URL of the LDAP server is incorrect or
there is a network connectivity issue, it is seen that the ldap driver
would stall indefinitely (or until TCP timeout).

This affects both LDAP connection pools and SimpleLDAP.

The LDAP configuration stanza (keystone.conf) provides a
"pool_connection_timeout" option however this is not used anywhere
within the LDAP driver.

We have employed a fix downstream in our deployment which is to use this
pool_connection_timeout value and set it as ldap.OPT_NETWORK_TIMEOUT so
that the LDAP connection times out at the prescribed value without
stalling indefinitely at the LDAP bind.

** Affects: keystone
     Importance: Undecided
     Assignee: Kam Nasim (knasim-wrs)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Kam Nasim (knasim-wrs)

** Description changed:

- In our deployment when setting up the Identity driver to use an external
- LDAP backend, if the URL of the LDAP server is incorrect or there is a
- network connectivity issue, it is seen that the ldap driver would stall
- indefinately (or until TCP timeout).
+ In our Mitaka deployment when setting up the Identity driver to use an
+ external LDAP backend, if the URL of the LDAP server is incorrect or
+ there is a network connectivity issue, it is seen that the ldap driver
+ would stall indefinately (or until TCP timeout).
  
  This effects both LDAP connection pools and SimpleLDAP
  
  The LDAP configuration stanza (keystone.conf) provides a
  "pool_connection_timeout" option however this is not used anywhere
  within the LDAP driver.
  
  We have employed a fix downstream in our deployment which is to use this
  pool_connection_timeout value and set it as ldap.OPT_NETWORK_TIMEOUT so
  that the LDAP connection times out at the prescribed value without
  stalling indefinitely at the LDAP bind.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1636950

Title:
  Set network connection timeout on Keystone Identity's LDAP backend to
  prevent stall on bind

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1636950/+subscriptions
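
One way to apply the fix described in the report, as an added example (not the reporter's downstream patch and not Keystone's own code): it reads pool_connection_timeout from a constructed keystone.conf fragment and sets it as ldap.OPT_NETWORK_TIMEOUT with python-ldap before the bind. The function names, the sample hostname, and treating a non-positive value as "no timeout" are assumptions of this example.

```python
import configparser

# Constructed keystone.conf fragment (hostname and values are sample data).
SAMPLE_CONF = """
[ldap]
url = ldap://ldap.example.test
use_pool = true
pool_connection_timeout = 5
"""


def read_ldap_settings(conf_text):
    """Return (url, timeout) from the [ldap] stanza; timeout is None if unset or <= 0."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = parser["ldap"]
    raw = section.get("pool_connection_timeout", "-1")
    try:
        timeout = float(raw)
    except ValueError:
        raise ValueError("pool_connection_timeout must be a number, got %r" % raw) from None
    # Assumption of this example: a non-positive value means "no timeout requested".
    return section["url"], (timeout if timeout > 0 else None)


def open_connection(conf_text, ldap_module=None):
    """Create an LDAP connection object with the network timeout set before any bind."""
    if ldap_module is None:
        import ldap as ldap_module  # python-ldap, imported only for a real connection
    url, timeout = read_ldap_settings(conf_text)
    conn = ldap_module.initialize(url)  # no network traffic yet; connect happens on bind
    if timeout is not None:
        # Bounds the connect phase so a wrong URL or dead network path fails fast.
        conn.set_option(ldap_module.OPT_NETWORK_TIMEOUT, timeout)
    return conn


def try_bind(conf_text, ldap_module=None):
    """Attempt an anonymous bind; return 'ok' or the LDAP exception class name."""
    if ldap_module is None:
        import ldap as ldap_module
    conn = open_connection(conf_text, ldap_module)
    try:
        conn.simple_bind_s()
        return "ok"
    except ldap_module.LDAPError as exc:
        return type(exc).__name__
```

With python-ldap installed, `try_bind(SAMPLE_CONF)` against an unreachable host returns after roughly the configured number of seconds instead of waiting for the operating system's TCP timeout.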

