Bug 1298769
Summary: | RFE: multiple LDAP /Active Directory back-end connection servers for redundancy | | |
---|---|---|---
Product: | Red Hat OpenStack | Reporter: | Faiaz Ahmed <fahmed>
Component: | openstack-keystone | Assignee: | John Dennis <jdennis>
Status: | CLOSED CURRENTRELEASE | QA Contact: | nlevinki <nlevinki>
Severity: | medium | Docs Contact: | 
Priority: | unspecified | | 
Version: | 6.0 (Juno) | CC: | ayoung, jdennis, mlopes, nkinder, yeylon
Target Milestone: | --- | Keywords: | FutureFeature, ZStream
Target Release: | 8.0 (Liberty) | | 
Hardware: | Unspecified | | 
OS: | Unspecified | | 
Whiteboard: | | | 
Fixed In Version: | | Doc Type: | Enhancement
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: | 
Last Closed: | 2016-04-15 17:49:14 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: | 
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | 
Cloudforms Team: | --- | Target Upstream Version: | 
Embargoed: | | | 
Description
Faiaz Ahmed
2016-01-15 01:03:52 UTC
Came across upstream and seems promising. https://bugs.launchpad.net/keystone/+bug/1500631

~~~
So I did try comma separated ldap URLs in keystone, which worked as I would expect. It attempts connections with the first host and tries the next if it fails to bind.

My simple example using python-ldap where there is no ldap server at localhost, but there is at ldaps.company.com:

l = ldap.initialize('ldap://localhost:389,ldaps://ldaps.company.com:636')
l.simple_bind_s()
(97, [], 1, [])

The same works in keystone, so the keystone config help should be updated to show this is actually a supported option. It's very useful for deployers using AD where there is commonly redundancy using many domain controllers behind that one domain.

Note: the whitespace-separated list did not work for me, only comma.
~~~

This appears to be working in my osp7 lab with keystone v3 [1]. For example, the first entry in keystone.LAB.conf uses a deliberately incorrect port:

----
url = ldap://idm.lab.local:633,ldaps://idm.lab.local
----

I can see traffic hit port 633 before a successful result is returned:

----
idm.lab.local# tcpdump port 633 -v -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:47:54.602196 IP (tos 0x0, ttl 64, id 15735, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.122.41.36841 > idm.lab.local.servstat: Flags [S], cksum 0x75ee (incorrect -> 0xa080), seq 4022766859, win 29200, options [mss 1460,sackOK,TS val 4294815868 ecr 0,nop,wscale 7], length 0
----

----
controller# openstack user list --domain LAB
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 27b518e63fd3fcc722027f1081fa5ba656e38cb193ce8c0af34725ae7473a8f0 | svc-ldap |
| a9f7bd2dacbebb4dc3fe10207252fb422c48a27cfaec5aaefaf5588592f898be | uuser1   |
+------------------------------------------------------------------+----------+
----

[1] Setup according to this guide: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/integrate-with-identity-service/#sec-idm

I just tested with master and replica IPA and it's working well. Here is my conf:

~~~~~~~~~~~
[ldap]
url = ldaps://ipb.test.com,ldaps://ipa.test.com
user = uid=svc-ldap,cn=users,cn=accounts,dc=umuzumu,dc=com
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=umuzumu,dc=com)
password = redhat
user_tree_dn = cn=users,cn=accounts,dc=umuzumu,dc=com
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False

[identity]
driver = keystone.identity.backends.ldap.Identity
~~~~~~~~~~~

In case of any failure of the first one, it goes to the second one.

Martin has already worked on changes to add this to the documentation. Do we also want to see if we can add a helpful comment or example to the default keystone.conf? That seems like something worth proposing upstream.

Steps are now live on the customer portal: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/integrate-with-identity-service/chapter-1-active-directory-integration#AD-HA

Filed upstream bug to document better.
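The failover behaviour described in this thread (try the first URL in a comma-separated `url =` list, move on only when the connect or bind fails, reject the whitespace-separated form), as an added example that is not part of this bug report and is not keystone's or python-ldap's own implementation. It opens no real connections: `demo_connector` is a constructed stand-in that refuses the deliberately wrong port 633 from the lab test above, and `plaintext_fallbacks` is an extra check this page does not discuss, flagging lists that mix `ldap://` and `ldaps://` so that a failover cannot quietly land on an unencrypted bind. All function and class names here are the example's own.

```python
"""Failover over a comma-separated LDAP URL list, modelled on the behaviour
the thread reports for keystone's [ldap] url option. Example code added to
this page; it is not keystone's or python-ldap's own code and it does not
open any real connections."""
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Default ports for the two schemes the option accepts.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int

    def __str__(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}"


def parse_url_list(value: str) -> List[LdapUrl]:
    """Split a keystone ``url =`` value on commas and normalise each entry.

    A whitespace-separated list is rejected, matching the upstream note that
    only the comma form worked: with no comma the value is one entry, and the
    space ends up inside the host name.
    """
    urls = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            raise ValueError("empty entry in LDAP url list")
        parts = urlsplit(raw)
        if parts.scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme in {raw!r}")
        host = parts.hostname
        if not host or any(ch.isspace() for ch in host):
            raise ValueError(f"bad host in {raw!r} (separate entries with commas)")
        urls.append(LdapUrl(parts.scheme, host, parts.port or DEFAULT_PORTS[parts.scheme]))
    return urls


def plaintext_fallbacks(urls: List[LdapUrl]) -> List[LdapUrl]:
    """Entries a failover could land on without TLS at the transport level.

    Mixing ldap:// and ldaps:// in one list, as the upstream example does,
    means an outage of the ldaps:// host can route binds over plaintext.
    (keystone's use_tls option adds StartTLS on ldap:// URLs; this check
    does not model that setting.)
    """
    return [u for u in urls if u.scheme == "ldap"]


def connect_with_failover(urls: List[LdapUrl], connect: Callable[[LdapUrl], object],
                          retry_on: Tuple[type, ...] = (OSError,)):
    """Try each URL in order; return (url, connection, failed_urls).

    Only an exception from connect() moves on to the next entry. With a real
    python-ldap connector, pass its ldap.SERVER_DOWN class in retry_on.
    """
    failed: List[str] = []
    last_error = None
    for url in urls:
        try:
            return url, connect(url), failed
        except retry_on as exc:
            failed.append(str(url))
            last_error = exc
    raise ConnectionError(f"all LDAP servers failed: {failed}") from last_error


def demo_connector(url: LdapUrl) -> str:
    """Constructed stand-in for a real bind, mimicking the lab test in the
    thread: the deliberately wrong port 633 is refused, anything else binds."""
    if url.port == 633:
        raise ConnectionRefusedError(str(url))
    return f"bound:{url}"


def run_lab_example() -> Tuple[str, List[str]]:
    """Replay the thread's lab url value against the constructed connector."""
    urls = parse_url_list("ldap://idm.lab.local:633,ldaps://idm.lab.local")
    chosen, _conn, failed = connect_with_failover(urls, demo_connector)
    return str(chosen), failed


if __name__ == "__main__":
    chosen, failed = run_lab_example()
    print(f"bound to {chosen} after failing {failed}")
```

The order of the list is the failover order, so put the servers you want used first at the front; a list in which the first entry is `ldap://` and a later one `ldaps://` (or the reverse) changes the transport, not just the host, when failover occurs.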