Bug 1306896

Summary: redundant ldap url do not got to fail-over one when firewall silently drops packets
Product: Red Hat OpenStack Reporter: Faiaz Ahmed <fahmed>
Component: openstack-keystoneAssignee: Adam Young <ayoung>
Status: CLOSED NOTABUG QA Contact: nlevinki <nlevinki>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.0 (Juno)CC: ayoung, fahmed, jdennis, mlopes, nkinder, vcojot, yeylon
Target Milestone: ---Keywords: ZStream
Target Release: 8.0 (Liberty)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-15 17:50:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Faiaz Ahmed 2016-02-12 03:50:14 UTC 
Actual Problem
================
while a list of LDAP servers is possible there isn't a built-in timeout mechanism in Keystone to failover to the next LDAP server in the list if there is no response.  Try setting your first LDAP server in the list to a server which will not respond on 636 i.e. behind a firewall that silently drops packets.  What you will find is Keystone will hang waiting for a connection timeout and keystone authentication will timeout.
================


Replicated the issue and here is the result
++++++++++++++++++++++++++++++++++++++++++++++

My keystone auth config for the domain /etc/keystone/domains/keystone.LAB.conf

~~~~~~~~~~~
[ldap]
url =  ldaps://ipb.test.com,ldaps://ipa.test.com
user = uid=svc-ldap,cn=users,cn=accounts,dc=test,dc=com
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=test,dc=com)
password = redhat
user_tree_dn = cn=users,cn=accounts,dc=test,dc=com
~~~~~~~~~~~

Both of the ldap server are IPA

When it works and goes to ldaps://ipa.test.com

- When we stop IPA service on ipb.test.com
- When we shutdown the ldap/ldaps port on ipb.test.com

When it do not work

- Drop the packet like # ipatables -I INPUT -s OSP-Controller -j DROP

- Network stop responding 

** But its work well when it " Destination Host Unreachable" (Manually delete the arp from the table)

=======================================

The configuration of ldap redundancy been configured through 

https://bugzilla.redhat.com/show_bug.cgi?id=1298769
Comment 2 Faiaz Ahmed 2016-02-12 03:51:31 UTC 
Upstream bug created 

https://bugs.launchpad.net/keystoneauth/+bug/1544821
Comment 4 Adam Young 2016-03-28 21:54:23 UTC 
Looks like upstream has rejected the approach.  I have to agree that Proxy is a better solution.  Is this required by a specific deployment?
Comment 8 Faiaz Ahmed 2016-04-14 01:53:39 UTC 
It uses the /etc/openldap/ldap.conf file underlying.

After adding the NETWORK_TIMEOUT, its solved the problem.
Comment 11 Martin Lopes 2016-04-17 23:28:18 UTC 
Added note describing this behaviour to the relevant kbase article: https://access.redhat.com/articles/1193253