Eric, thank you for your insightful comment. I agree that this bug is
rather out of scope for keystone. The correct answer would be to use a
proxy. I will mark this bug as 'opinion' so we can further discuss it,
but it does not align with project plans.
** Changed in: keystone
Status: New => Opinion
https://bugs.launchpad.net/bugs/1544821
Title:
keystone: redundant ldap url does not go to the failover one when firewall
silently drops packets
Status in OpenStack Identity (keystone):
Opinion
Status in keystoneauth:
Invalid
Bug description:
Actual Problem
================
While a list of LDAP servers is possible, there isn't a built-in timeout
mechanism in Keystone to fail over to the next LDAP server in the list if there
is no response. Try setting the first LDAP server in the list to a server
which will not respond on 636, i.e. one behind a firewall that silently drops
packets. What you will find is that Keystone will hang waiting for a connection
timeout and Keystone authentication will time out.
================
Replicated the issue; here is the result
++++++++++++++++++++++++++++++++++++++++++++++
My keystone auth config for the domain
/etc/keystone/domains/keystone.LAB.conf
~~~~~~~~~~~
[ldap]
url = ldaps://ipb.test.com,ldaps://ipa.test.com
user = uid=svc-ldap,cn=users,cn=accounts,dc=test,dc=com
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=test,dc=com)
password = redhat
user_tree_dn = cn=users,cn=accounts,dc=test,dc=com
~~~~~~~~~~~
Both of the LDAP servers are IPA.
When it works and goes to ldaps://ipa.test.com:
- When we stop the IPA service on ipb.test.com
- When we shut down the ldap/ldaps port on ipb.test.com
When it does not work:
- Drop the packets, e.g. # iptables -I INPUT -s OSP-Controller -j DROP
- Network stops responding
** But it works well when it is "Destination Host Unreachable" (manually
delete the ARP entry from the table)
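The distinction the reporter draws (a stopped service or a deleted ARP entry fails over, an iptables DROP hangs) comes down to whether connect() is bounded by a timeout: RST and ICMP unreachable return an error immediately, a dropped SYN returns nothing until the kernel's own retransmit budget runs out. The following is an added example, not keystone's code and not part of the bug report: a failover walker over a keystone-style comma-separated [ldap] url value, with a real TCP dialer and a constructed FakeNetwork that stands in for the reporter's scenarios so it runs offline. The host names reuse the report's ipa/ipb; the FakeNetwork states, the timeout values and the function names are assumptions made for illustration.

```python
import errno
import socket
from urllib.parse import urlsplit

# Default ports for the two schemes keystone accepts in [ldap] url.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_urls(url_option):
    """Split a comma-separated [ldap] url value (as in the bug's config)
    into (scheme, host, port) tuples, filling in the default port."""
    targets = []
    for raw in url_option.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError("unsupported LDAP url: %r" % raw)
        targets.append((parts.scheme, parts.hostname,
                        parts.port or DEFAULT_PORTS[parts.scheme]))
    return targets


def classify(exc):
    """Map a connect() failure onto the cases the reporter tested."""
    if isinstance(exc, socket.timeout):              # SYN silently dropped
        return "timeout"
    if exc.errno == errno.ECONNREFUSED:              # port closed: RST
        return "refused"
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"                         # no ARP entry / no route
    return "error"


def tcp_dial(host, port, timeout):
    """Real dialer: one TCP connect bounded by `timeout` seconds. With
    timeout=None a dropped SYN blocks until the kernel gives up on
    retransmits (minutes on Linux), which is the hang in the bug report."""
    with socket.create_connection((host, port), timeout=timeout):
        return "%s:%d" % (host, port)


def connect_first_reachable(url_option, timeout=5.0, dial=tcp_dial):
    """Walk the URL list in order and return (winner, skipped), where
    skipped lists (url, reason) for every server passed over. Only the
    per-attempt timeout turns a black-holed host into a failover."""
    skipped = []
    for scheme, host, port in parse_ldap_urls(url_option):
        url = "%s://%s:%d" % (scheme, host, port)
        try:
            return dial(host, port, timeout), skipped
        except OSError as exc:                       # socket.timeout is an OSError
            skipped.append((url, classify(exc)))
    raise OSError("no LDAP server reachable; skipped %s" % skipped)


class FakeNetwork:
    """Constructed stand-in for the reporter's scenarios, keyed by host,
    so the example runs offline (an assumption, not real network behaviour):
      'ok'           service up
      'refused'      IPA stopped / port closed (kernel answers RST)
      'unreachable'  ARP entry deleted (host unreachable straight away)
      'blackhole'    iptables -j DROP (nothing ever comes back)
    """

    def __init__(self, states):
        self.states = states

    def dial(self, host, port, timeout):
        state = self.states[host]
        if state == "ok":
            return "%s:%d" % (host, port)
        if state == "refused":
            raise ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")
        if state == "unreachable":
            raise OSError(errno.EHOSTUNREACH, "No route to host")
        if state == "blackhole":
            if timeout is None:
                # A real socket would sit here; surface the hang as an
                # error so the difference from the timeout case is visible.
                raise RuntimeError("connect() to %s would block with no timeout" % host)
            raise socket.timeout("timed out")
        raise ValueError("unknown state %r" % state)


# The url value from the bug report, with ipb.test.com black-holed.
BUG_URL = "ldaps://ipb.test.com,ldaps://ipa.test.com"


if __name__ == "__main__":
    net = FakeNetwork({"ipb.test.com": "blackhole", "ipa.test.com": "ok"})
    print("with timeout:", connect_first_reachable(BUG_URL, 2.0, net.dial))
    try:
        connect_first_reachable(BUG_URL, None, net.dial)
    except RuntimeError as exc:
        print("without timeout:", exc)
```

The practical lesson is that failover over a URL list is only as good as the per-connection timeout in front of it; in python-ldap that is the `ldap.OPT_NETWORK_TIMEOUT` option, and if your keystone release exposes a `connection_timeout` setting in the [ldap] section it feeds the same knob. Without one, the proxy Eric suggests (or a health-checking load balancer) is what actually makes the second server reachable when the first one black-holes traffic.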