Bug 692817

Summary: nslcd does not fallback to additional LDAP servers
Product: Red Hat Enterprise Linux 6
Reporter: J.H.M. Dassen (Ray) <rdassen>
Component: nss-pam-ldapd
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.1
CC: clasohm, dpal, gergnz, omoris, prc, rbinkhor, syamazak
Target Milestone: rc
Keywords: Patch, Upstream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nss-pam-ldapd-0.7.5-6.el6
Doc Type: Bug Fix
Doc Text:
When nslcd was configured to use multiple LDAP servers, it failed to fall back to a different server in case the primary server could not be reached. This was due to nslcd trying to keep the first connection alive even when the connection was dropped. With this update, nslcd correctly falls back to a different server after losing connection with the current one.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-19 14:30:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 627601
Attachments:
Proposed patch (flags: none)

Description J.H.M. Dassen (Ray) 2011-04-01 09:55:02 UTC
Description of problem:
Customer is being hit by this bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=596983

(The author of nss-pam-ldapd fixed this in 0.7.10; RHEL6 uses 0.7.5.)

As they are using LDAP to distribute user information to their computing
nodes, this bug is quite critical for them: if the first LDAP server becomes
unreachable they lose all LDAP access from the client. (The only workaround
is to restart nslcd on the system; it will fall back at bind time.)

Version-Release number of selected component (if applicable):
nss-pam-ldapd-0.7.5-3.el6

How reproducible:
100%

Steps to Reproduce:
1. Configure nslcd to use more than one LDAP server
2. Use iptables to drop connections to the first configured LDAP server
  
Actual results:
nslcd continues to attempt to connect to the first configured LDAP server.

Expected results:
nslcd falls over to using a different LDAP server than the first configured
one.
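
The reproduction above assumes nslcd is configured with more than one server. The following script is an added example, not code from the bug report or from nss-pam-ldapd: it lists the servers named on the `uri` lines of an nslcd.conf (per nslcd.conf(5), several URIs may be given per line or on several lines) and probes each one over TCP, so an operator can see whether the configured fallback servers are reachable before relying on them. The sample configuration, the example.com hostnames and port 3890 are constructed for the demonstration; IPv6 address literals are not handled.

```shell
#!/bin/sh
# Added example, not code from the bug report or from nss-pam-ldapd.
# Lists the LDAP servers nslcd is configured to use and checks whether each
# one accepts a TCP connection. With the nslcd version in this report an
# unreachable first server blocks all lookups, so knowing which configured
# servers are actually up is the first thing to check.
# Assumptions: nslcd.conf uses "uri" lines as described in nslcd.conf(5)
# (several URIs per line or several lines); IPv6 literals are not handled.

# Print "scheme host port" for each URI on the "uri" lines of the given file.
# ldap:// defaults to port 389, ldaps:// to 636; ldapi:// (UNIX socket)
# entries are skipped because there is no TCP endpoint to probe.
nslcd_servers() {
    awk '
        $1 == "uri" {
            for (i = 2; i <= NF; i++) {
                u = $i
                if (u ~ /^ldapi:/) continue
                scheme = u; sub(/:.*/, "", scheme)
                hp = u; sub(/^[a-z]*:\/\//, "", hp); sub(/\/.*/, "", hp)
                host = hp; port = ""
                if (hp ~ /:/) {
                    host = hp; sub(/:.*/, "", host)
                    port = hp; sub(/.*:/, "", port)
                }
                if (port == "") port = (scheme == "ldaps") ? 636 : 389
                print scheme, host, port
            }
        }' "$1"
}

# Return 0 if host:port accepts a TCP connection within 3 seconds, else 1.
probe_tcp() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        # bash-only fallback using its /dev/tcp pseudo-device
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    fi
}

# Probe every configured server, print one status line each and return the
# number of servers that could not be reached (0 means every server is up).
check_nslcd_servers() {
    down=0
    for entry in $(nslcd_servers "${1:-/etc/nslcd.conf}" | tr ' ' ','); do
        scheme=${entry%%,*}; rest=${entry#*,}
        host=${rest%,*}; port=${rest#*,}
        if probe_tcp "$host" "$port"; then
            echo "UP   $scheme://$host:$port"
        else
            echo "DOWN $scheme://$host:$port"
            down=$((down + 1))
        fi
    done
    return "$down"
}

# Constructed sample configuration (not taken from the report) so the parser
# can be exercised without touching /etc/nslcd.conf.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat >"$sample_conf" <<'EOF'
# nslcd.conf excerpt: first server plus two fallbacks
uri ldap://ldap1.example.com/ ldaps://ldap2.example.com/
uri ldap://127.0.0.1:3890/
uri ldapi:///var/run/slapd/ldapi
base dc=example,dc=com
EOF

echo "Servers configured in $sample_conf:"
nslcd_servers "$sample_conf"
# Live check of the real configuration (needs network access):
#   check_nslcd_servers /etc/nslcd.conf
```

Run `check_nslcd_servers /etc/nslcd.conf` on a client host; a non-zero exit status is the number of configured servers that did not answer, which with the affected nslcd version matters most when the first one is among them. The probe only confirms that the TCP port is open, not that a bind succeeds, so it complements rather than replaces a test lookup such as `getent passwd` after blocking the primary server.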

Comment 1 J.H.M. Dassen (Ray) 2011-04-01 10:00:28 UTC
Created attachment 489343 [details]
Proposed patch

Relevant bit from diff between the upstream changelogs for 0.7.9 and 0.7.10:
+       * [r1211] ., nslcd/myldap.c: handle errors from ldap_result()
+         better and disconnect (and reconnect) in more cases (r1207 and
+         r1208 from trunk)

As such, the proposed patch is the combination of
<http://arthurdejong.org/viewvc/nss-pam-ldapd?view=revision&revision=1207> and
<http://arthurdejong.org/viewvc/nss-pam-ldapd?view=revision&revision=1208>.

Comment 2 Dmitri Pal 2011-04-01 14:12:34 UTC
Have they looked at SSSD?

Comment 9 Greg Cockburn 2011-04-12 22:59:03 UTC
We are in the same boat.

What is the timeline to have this fix available?

Comment 17 Martin Prpič 2011-04-28 08:25:50 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When nslcd was configured to use multiple LDAP servers, it failed to fall back to a different server in case the primary server could not be reached. This was due to nslcd trying to keep the first connection alive even when the connection was dropped. With this update, nslcd correctly falls back to a different server after losing connection with the current one.

Comment 18 errata-xmlrpc 2011-05-19 14:30:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0796.html