yahoo-eng-team team mailing list archive
Message #60419
[Bug 1636950] Re: Set network connection timeout on Keystone Identity's LDAP backend to prevent stall on bind
Reviewed: https://review.openstack.org/390948
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2d239cfbc37573f245e6560b42117828b73d19b9
Submitter: Jenkins
Branch: master
commit 2d239cfbc37573f245e6560b42117828b73d19b9
Author: Kam Nasim <kam.nasim@xxxxxxxxxxxxx>
Date: Wed Jan 11 18:55:40 2017 +0000
Set connection timeout for LDAP configuration
Presently the Identity LDAP driver does not set a connection timeout
option which has the disadvantage of causing the Identity LDAP backend
handler to stall indefinitely (or until TCP timeout) on LDAP bind, if
a) the LDAP URL is incorrect, or b) there is a connection failure/link
loss.
This commit adds a new option to set the LDAP connection timeout to
set a new OPT_NETWORK_TIMEOUT option on the LDAP object. This will
raise ldap.SERVER_DOWN exceptions on timeout.
Signed-off-by: Kam Nasim <kam.nasim@xxxxxxxxxxxxx>
Closes-Bug: #1636950
Change-Id: I574e6368169ad60bef2cc990d2d410a638d1b770
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1636950
Title:
Set network connection timeout on Keystone Identity's LDAP backend to
prevent stall on bind
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
In our Mitaka deployment when setting up the Identity driver to use an
external LDAP backend, if the URL of the LDAP server is incorrect or
there is a network connectivity issue, it is seen that the ldap driver
would stall indefinitely (or until TCP timeout).
This affects both LDAP connection pools and SimpleLDAP.
The LDAP configuration stanza (keystone.conf) provides a
"pool_connection_timeout" option; however, this is not used anywhere
within the LDAP driver.
We have employed a fix downstream in our deployment which is to use
this pool_connection_timeout value and set it as
ldap.OPT_NETWORK_TIMEOUT so that the LDAP connection times out at the
prescribed value without stalling indefinitely at the LDAP bind.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1636950/+subscriptions
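
The technique this message describes, as an added example that is not keystone's code: a python-ldap bind bounded by OPT_NETWORK_TIMEOUT, tried across a list of URLs, with the outcome and elapsed time recorded for each. The function names, the positive-timeout check and the sample URL are assumptions made for the example.

```python
import time


def bind_with_timeout(url, bind_dn, password, network_timeout):
    """Bind to one LDAP URL, giving up after network_timeout seconds."""
    if network_timeout <= 0:
        # Constructed policy for this example: refuse an unbounded wait.
        raise ValueError("network_timeout must be a positive number of seconds")
    import ldap  # python-ldap, imported lazily so the check above needs no library

    conn = ldap.initialize(url)  # no network I/O yet; the connect happens on bind
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, network_timeout)
    conn.simple_bind_s(bind_dn, password)  # raises ldap.SERVER_DOWN on timeout
    return conn


def first_reachable(urls, bind_dn, password, network_timeout):
    """Try each URL in order; return (connection or None, per-URL report)."""
    import ldap

    report = []
    for url in urls:
        started = time.monotonic()
        try:
            conn = bind_with_timeout(url, bind_dn, password, network_timeout)
        except ldap.SERVER_DOWN:
            # Wrong URL, refused connection or link loss all surface here.
            report.append((url, "SERVER_DOWN", time.monotonic() - started))
            continue
        report.append((url, "OK", time.monotonic() - started))
        return conn, report
    return None, report


if __name__ == "__main__":
    # Constructed sample input: nothing listens on port 1 of the loopback address.
    conn, report = first_reachable(["ldap://127.0.0.1:1"], "", "", 5)
    for url, outcome, elapsed in report:
        print(f"{url}: {outcome} after {elapsed:.2f}s")
```

Errors other than ldap.SERVER_DOWN, such as rejected credentials, propagate to the caller unchanged.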