Bug 1469527
Summary: | [RFE] Use DNS SRV records for keystone V3 authentication | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ganesh Kadam <gkadam> |
Component: | python-ldap | Assignee: | Aviv Guetta <aguetta> |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.3 | CC: | aguetta, mbarnes, mkosek, nkinder, pkis, srevivo |
Target Milestone: | pre-dev-freeze | Keywords: | FutureFeature, Reopened |
Target Release: | 7.5 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-03-14 15:01:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1477664 | | |
Description (Ganesh Kadam, 2017-07-11 12:36:15 UTC)

Keystone uses python-ldap for its LDAP implementation, and it just passes the URI straight through. The failover behavior that has been observed when a comma-separated list is passed is due to logic in python-ldap. There is no LDAP standard that I am aware of where a suffix used as a URI without a host/port is supposed to use SRV records. All that RFC 4516 says is the following: "If no <host> is given, the client must have some a priori knowledge of an appropriate LDAP server to contact." I believe that this is just a handy convenience behavior offered by the OpenLDAP tools (and potentially from certain calls in the OpenLDAP library). This behavior would be nice to have in python-ldap as well.

Since python-ldap is shipped as a part of RHEL, this bug should be moved to be an RFE for RHEL instead of RH-OSP. I am moving this to target RHEL so it can be evaluated as an RFE for a future RHEL release.

Hi, another kind follow-up for an update on this BZ.

Aviv

This request needs to be moved upstream or it's going to continue languishing here since apparently python-ldap developers don't watch this space. https://github.com/python-ldap/python-ldap/issues

I only maintain the RPM, I don't develop this software.

Hi, I opened a new request to 'python-ldap' upstream [1].

Regards,
Aviv

[1] https://github.com/python-ldap/python-ldap/issues/248

Given that this proposal was rejected in both OpenLDAP upstream (kudos to Nathan Kinder for finding that link): https://mail.python.org/pipermail/python-ldap/2013q4/003298.html and also python-ldap upstream: https://github.com/python-ldap/python-ldap/issues/248, I do not think it makes sense keeping it in downstream as well. The ask would need to be solved in another way. Closing as WONTFIX.
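Since the SRV lookup was rejected upstream, the "other way" to solve the ask is on the client side: resolve `_ldap._tcp.<domain>` SRV records yourself, order them per RFC 2782, and hand python-ldap the comma-separated URI list whose failover behaviour the report describes. The code below is an added example, not python-ldap or Keystone code; the `SrvRecord` type, the `SAMPLE` records under `example.test`, and the optional `discover_ldap_uris` helper built on the third-party `dnspython` package are all assumptions of this example.

```python
"""Client-side LDAP server discovery from DNS SRV records (RFC 2782).
Added example: builds the URI list that python-ldap's own failover logic
already accepts, instead of relying on an SRV feature it does not have."""
import random
from collections import namedtuple

# Hypothetical record type for this example (priority, weight, target, port)
SrvRecord = namedtuple("SrvRecord", "priority weight target port")

def order_srv(records, rng=random.random):
    """Order SRV records as RFC 2782 prescribes: lowest priority first;
    within one priority, pick hosts at random in proportion to weight.
    `rng` is injectable so the ordering can be made deterministic in tests."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]            # only zero-weight hosts left: any order
            if total > 0:
                point, acc = rng() * total, 0
                for r in group:        # weighted selection
                    acc += r.weight
                    if point < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered

def srv_to_uris(records, scheme="ldap", rng=random.random):
    """Render ordered records as 'ldap://h1:389,ldap://h2:389'. libldap splits
    the string on commas or whitespace and tries each host in turn."""
    return ",".join(f"{scheme}://{r.target.rstrip('.')}:{r.port}"
                    for r in order_srv(records, rng))

def discover_ldap_uris(domain, scheme="ldap"):
    """Live lookup of _ldap._tcp.<domain>; needs dnspython (assumed installed).
    Discovered hosts are only as trustworthy as the DNS answer, so pair this
    with TLS and certificate checking on the python-ldap side
    (ldap.OPT_X_TLS_REQUIRE_CERT set to ldap.OPT_X_TLS_DEMAND)."""
    import dns.resolver
    answer = dns.resolver.resolve(f"_ldap._tcp.{domain}", "SRV")
    recs = [SrvRecord(r.priority, r.weight, r.target.to_text(), r.port)
            for r in answer]
    return srv_to_uris(recs, scheme)

# Constructed sample answer for _ldap._tcp.example.test (not real DNS data)
SAMPLE = [SrvRecord(20, 0, "ldap-backup.example.test.", 389),
          SrvRecord(10, 60, "ldap1.example.test.", 389),
          SrvRecord(10, 40, "ldap2.example.test.", 389)]

if __name__ == "__main__":
    print(srv_to_uris(SAMPLE))   # pass this string to ldap.initialize()
```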