Red Hat Bugzilla – Bug 1283798
sssd failover does not work on connecting to non-responsive ldaps:// server
Last modified: 2017-11-13 16:26:30 EST
Description of problem:
- SSSD should be able to detect when the LDAP service on a host goes down (process dies or becomes unresponsive)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Connect SSSD to two LDAP URIs
2. Stop the LDAP process on the connected server
Actual results:
- SSSD fails to failover to backup LDAP URI
Expected results:
- SSSD fails over to second LDAP server
I corrected the title to make it clear this only happens with ldaps://
The SSSD-side fix is available, but there is still some strange behaviour within OpenLDAP that needs to be investigated.
btw an easy workaround might be to use StartTLS instead of ldaps://. Please note that SSSD will also automatically try TLS for authentication -- cleartext auth is never permitted with SSSD.
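The workaround suggested in the comment above, as an added example that is not part of the bug report: a minimal sssd.conf LDAP domain with two servers, shown first in the ldaps:// form affected by this bug and then with plain ldap:// URIs upgraded via StartTLS. Hostnames, the domain name and the CA file path are placeholders.

```ini
# Added example (not from the bug report): two-server LDAP domain for SSSD.
# Hostnames, the domain name and the CA path are placeholders.

[sssd]
services = nss, pam
domains = example

# --- Affected configuration: ldaps:// URIs (kept commented out) -------------
# When the slapd behind the first URI dies or stops responding, SSSD does not
# fail over to the second URI (this bug; root cause tracked in openldap-libs,
# bug 1310069).
#[domain/example]
#id_provider = ldap
#auth_provider = ldap
#ldap_uri = ldaps://ldap1.example.test, ldaps://ldap2.example.test
#ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
#ldap_tls_reqcert = demand

# --- Workaround: ldap:// URIs, TLS negotiated with StartTLS -----------------
[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.test, ldap://ldap2.example.test
# Encrypt identity lookups as well; SSSD already refuses cleartext
# authentication, so auth is protected either way.
ldap_id_use_start_tls = true
# Still verify the server certificate against the configured CA.
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = demand
# Bound the wait on an unresponsive server (seconds) before SSSD moves on
# to the next URI in the list.
ldap_network_timeout = 6
ldap_opt_timeout = 6
```

The order of hosts in ldap_uri is the failover order; the commented block documents the configuration to avoid on an affected build rather than something to enable.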
Update: I verified the same happens also when openldap-libs is compiled against OpenSSL, so as a next step, I involved the OpenLDAP maintainer to see if this might be an issue in the openldap-libs TLS manipulation.
I'm afraid I need to cond-nak this bug until the dependency bug in openldap-libs (#1310069) is fixed.
Since this bug depends on bugzilla #1310069 which is still not fixed, I need to move the flags to track rhel-6.10, sorry.
Since this bug depends on a fix for openldap which is not even ready for RHEL-7 and RHEL-6 is already in Production phase 3, I'm closing this bug report as CANTFIX.