Bug 1283798 - sssd failover does not work on connecting to non-responsive ldaps:// server
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
x86_64 Linux
high Severity high
Assigned To: Jakub Hrozek
Namita Soman
Depends On: 1310069
Blocks: 1269194 1461138
Reported: 2015-11-19 17:43 EST by Striker Leggette
Modified: 2017-11-13 16:26 EST
Last Closed: 2017-11-13 16:26:30 EST
Type: Bug
Description Striker Leggette 2015-11-19 17:43:45 EST
Description of problem:
 - SSSD should be able to detect when the LDAP service on a host goes down (process dies or becomes unresponsive)

Version-Release number of selected component (if applicable):

How reproducible:
 - Always

Steps to Reproduce:
1. Connect SSSD to two LDAP URIs
2. Stop the LDAP process on the connected server

Actual results:
 - SSSD fails to failover to backup LDAP URI

Expected results:
 - SSSD fails over to second LDAP server

Additional info:
Comment 3 Jakub Hrozek 2015-11-20 04:34:16 EST
I corrected the title to make it clear this only happens with ldaps://

The SSSD-side fix is available, but there is still some strange behaviour within OpenLDAP that needs to be investigated.
Comment 4 Jakub Hrozek 2015-11-20 04:49:37 EST
Upstream ticket:
Comment 5 Jakub Hrozek 2015-11-20 04:51:12 EST
btw an easy workaround might be to use StartTLS instead of ldaps://. Please note that SSSD will also automatically try TLS for authentication -- cleartext auth is never permitted with SSSD.
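
The StartTLS workaround from Comment 5, written out as an sssd.conf excerpt. This is an added example, not configuration taken from the bug report or from the SSSD project; the domain name, hostnames and CA bundle path are placeholders, and it assumes both servers accept StartTLS on the standard LDAP port.

```ini
# /etc/sssd/sssd.conf (excerpt)
# Domain name, hostnames and CA path below are placeholders.
[domain/example.com]
id_provider = ldap
auth_provider = ldap

# Configuration affected by this bug: two ldaps:// URIs (TLS from the first byte, port 636).
# ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com

# Workaround: list the same servers as ldap:// (port 389) and upgrade with StartTLS.
# SSSD tries the URIs in the order given.
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com

# Protect identity lookups with StartTLS as well; authentication is
# already refused by SSSD over an unencrypted channel.
ldap_id_use_start_tls = true

# Require a valid server certificate; a missing or bad certificate
# terminates the session instead of continuing unverified.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
```

After changing the URIs, restart the sssd service so the new connection settings are read.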
Comment 6 Jakub Hrozek 2015-12-02 04:09:50 EST
Update: I verified the same happens also when openldap-libs is compiled against OpenSSL, so as a next step, I involved the OpenLDAP maintainer to see if this might be an issue in the openldap-libs TLS manipulation.
Comment 10 Jakub Hrozek 2016-08-10 09:12:44 EDT
I'm afraid I need to cond-nak this bug until the dependency bug in openldap-libs (#1310069) is fixed.
Comment 11 Jakub Hrozek 2016-11-02 07:22:09 EDT
Since this bug depends on bugzilla #1310069 which is still not fixed, I need to move the flags to track rhel-6.10, sorry..
Comment 13 Jakub Hrozek 2017-11-13 16:26:30 EST
Since this bug depends on a fix for openldap which is not even ready for RHEL-7 and RHEL-6 is already in Production phase 3, I'm closing this bug report as CANTFIX.
