Reviewed: https://review.openstack.org/228644
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9d3b676b1f17fb42fe92a421948ebaa597ba2d24
Submitter: Jenkins
Branch: master

commit 9d3b676b1f17fb42fe92a421948ebaa597ba2d24
Author: Steve Martinelli <[email protected]>
Date: Sun Feb 7 02:54:08 2016 -0500

    Support multiple URLs for LDAP server

    python-ldap calls out to openldap which can handle multiple URLs for
    ldap servers (for the purpose of high availability). openldap expects
    these urls to be separated by a comma or whitespace.

    Change the help text to specify a comma separated list of URLs is
    allowed.

    Change-Id: I523dcfc1701a6f7c725c4aa11482bfc15a3515a5
    Closes-Bug: #1500631

** Changed in: keystone
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1500631

Title:
  support multiple LDAP URIs

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  The help text for the ldap.url config option states: "URL for connecting
  to the LDAP server." This implies only one URL can be specified. But
  actually, multiple may be specified due to the python-ldap module being
  used.

  The python-ldap module is basically a wrapper for the openldap client
  library. And if you look into the source, ldap.initialize() calls
  ldap_initialize() which supports multiple URIs in the URI string. And is
  easily found in the man page for ldap_initialize:

      ldap_initialize() acts like ldap_init(), but it returns an integer
      indicating either success or the failure reason, and it allows to
      specify details for the connection in the schema portion of the URI.
      The uri parameter may be a comma- or whitespace-separated list of
      URIs containing only the schema, the host, and the port fields.
      .....

  So I did try comma separated ldap URLs in keystone, which worked as I
  would expect. It attempts connections with the first host and tries the
  next if it fails to bind.

  My simple example using python-ldap where there is no ldap server at
  localhost, but there is at ldaps.company.com:

      >>> import ldap
      >>> l = ldap.initialize('ldap://localhost:389,ldaps://ldaps.company.com:636')
      >>> l.simple_bind_s()
      (97, [], 1, [])

  The same works in keystone, so the keystone config help should be updated
  to show this is actually a supported option. It's very useful for
  deployers using AD where there is commonly redundancy using many domain
  controllers behind that one domain.

  Note: the whitespace-separated list did not work for me, only comma.
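As an added example (not keystone's, python-ldap's or the reporter's code), a small checker for a keystone [ldap] url value that holds the comma-separated list discussed above: it enforces the man page's scheme/host/port-only rule, rejects whitespace-separated lists (which the reporter found do not work), and warns when plaintext ldap:// entries sit beside ldaps:// ones, since a failover to such a host would bind over an unencrypted connection. Function names are hypothetical; it uses only the standard library and opens no connection.

```python
"""Checker for a keystone [ldap] url value listing several LDAP URIs (added
example; not keystone or python-ldap code). Each entry may carry only scheme,
host and port, per the ldap_initialize(3) rule quoted in the bug, and entries
must be comma separated. Mixing ldap:// with ldaps:// is flagged, since a
failover to an ldap:// host would send the bind over plaintext."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_urls(value):
    """Split a comma-separated ldap.url value into (scheme, host, port) tuples.

    Raises ValueError for an entry that is not a bare scheme://host[:port].
    """
    entries = []
    for raw in value.split(","):
        uri = raw.strip()
        if not uri:
            raise ValueError("empty entry in ldap url list: %r" % value)
        if any(ch.isspace() for ch in uri):
            # A space inside one entry means the list was whitespace separated.
            raise ValueError("entries must be comma separated: %r" % uri)
        parts = urlsplit(uri)
        if parts.scheme not in DEFAULT_PORTS:
            raise ValueError("unsupported scheme in %r" % uri)
        if parts.path not in ("", "/") or parts.query or parts.fragment \
                or parts.username is not None:
            raise ValueError("%r carries more than scheme, host and port" % uri)
        if not parts.hostname:
            raise ValueError("%r has no host" % uri)
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        entries.append((parts.scheme, parts.hostname, port))
    return entries


def check_ldap_urls(value):
    """Return (normalized value, warnings) for a keystone ldap.url setting."""
    entries = parse_ldap_urls(value)
    warnings = []
    schemes = {scheme for scheme, _, _ in entries}
    if schemes == {"ldap"}:
        warnings.append("every entry is plaintext ldap://; prefer ldaps:// or STARTTLS")
    elif len(schemes) > 1:
        warnings.append("mixed ldap:// and ldaps:// entries: a failover to an "
                        "ldap:// host would bind over plaintext")
    # Emit the form openldap accepts: comma separated, explicit ports.
    normalized = ",".join("%s://%s:%d" % entry for entry in entries)
    return normalized, warnings
```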

