Bug 1283798 - sssd failover does not work on connecting to non-responsive ldaps:// server
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.7
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: pre-dev-freeze
Target Release: 7.7
Assigned To: Jakub Hrozek
QA Contact: Namita Soman
Keywords: Reopened
Depends On: 1310069
Blocks: 1269194 1461138
Reported: 2015-11-19 17:43 EST by Striker Leggette
Modified: 2018-06-22 23:05 EDT
CC List: 12 users
Last Closed: 2017-11-13 16:26:30 EST
Type: Bug
Attachments: None
Description Striker Leggette 2015-11-19 17:43:45 EST
Description of problem:
 - SSSD should be able to detect when the LDAP service on a host goes down (process dies or becomes unresponsive)

Version-Release number of selected component (if applicable):


How reproducible:
 - Always

Steps to Reproduce:
1. Connect SSSD to two LDAP URIs
2. Stop the LDAP process on the connected server
3. 

Actual results:
 - SSSD fails to failover to backup LDAP URI

Expected results:
 - SSSD fails over to second LDAP server

Additional info:
Comment 3 Jakub Hrozek 2015-11-20 04:34:16 EST
I corrected the title to make it clear this only happens with ldaps://

The SSSD-side fix is available, but there is still some strange behaviour within OpenLDAP that needs to be investigated.
Comment 4 Jakub Hrozek 2015-11-20 04:49:37 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2878
Comment 5 Jakub Hrozek 2015-11-20 04:51:12 EST
btw an easy workaround might be to use StartTLS instead of ldaps://. Please note that SSSD will also automatically try TLS for authentication -- cleartext auth is never permitted with SSSD.
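The StartTLS workaround from comment 5 written out as an sssd.conf fragment. This is an added illustration, not a configuration taken from the bug report or from the SSSD project; the domain name, hostnames, search base and CA file path are assumed.

```ini
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap

# Affected form: ldaps:// on both servers. TLS is negotiated before the
# LDAP handshake, and per this bug a non-responsive primary is not
# failed over to the second URI.
#ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com

# Workaround form (comment 5): plain ldap:// URIs, with each open
# connection upgraded by StartTLS. Identity lookups need
# ldap_id_use_start_tls; authentication binds use TLS automatically.
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
ldap_id_use_start_tls = true

# Keep certificate verification on so the StartTLS channel is not
# weaker than ldaps:// was. The CA bundle path is assumed.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt

ldap_search_base = dc=example,dc=com
```

With ldap_id_use_start_tls enabled, an LDAP server that refuses or fails the StartTLS upgrade causes the lookup to fail rather than fall back to cleartext.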
Comment 6 Jakub Hrozek 2015-12-02 04:09:50 EST
Update: I verified the same happens also when openldap-libs is compiled against OpenSSL, so as a next step, I involved the OpenLDAP maintainer to see if this might be an issue in the openldap-libs TLS manipulation.
Comment 10 Jakub Hrozek 2016-08-10 09:12:44 EDT
I'm afraid I need to cond-nak this bug until the dependency bug in openldap-libs (#1310069) is fixed.
Comment 11 Jakub Hrozek 2016-11-02 07:22:09 EDT
Since this bug depends on bugzilla #1310069 which is still not fixed, I need to move the flags to track rhel-6.10, sorry..
Comment 13 Jakub Hrozek 2017-11-13 16:26:30 EST
Since this bug depends on a fix for openldap which is not even ready for RHEL-7 and RHEL-6 is already in Production phase 3, I'm closing this bug report as CANTFIX.
Comment 14 Paul Raines 2018-03-02 08:23:28 EST
I had this happen to me last night.  This is a highly critical bug for sssd to not be able to failover.  I cannot believe it has been 2 years with no fix.  The only workaround for now is to use insecure ldap instead of ldaps?   sssd does not even recover once the primary LDAP server is back online.  One has to manually restart sssd on the client.

Did not affect all clients.  On most I would see the error:

sssd[be[default]]: Could not start TLS encryption. TLS
error -5938:Encountered end of file

but LDAP lookups still worked to the backup server.  Maybe only ones in the middle of a lookup when the server went down got stuck.

I only had CentOS7 clients be affected too.
Comment 15 Jakub Hrozek 2018-03-02 09:58:34 EST
(In reply to Paul Raines from comment #14)
> I had this happen to me last night.  This is a highly critical bug for sssd
> to not be able to failover.  I cannot believe it has been 2 years with no
> fix.  The only workaround for now is to use insecure ldap instead of ldaps? 

StartTLS does not suffer from this issue. Only ldaps://

> sssd does not even recover once the primary LDAP server is back online.  One
> has to manually restart sssd on the client.
> 
> Did not affect all clients.  On most I would see the error:
> 
> sssd[be[default]]: Could not start TLS encryption. TLS
> error -5938:Encountered end of file
> 
> but LDAP lookups still worked to the backup server.  Maybe only ones in the
> middle of a lookup when the server went down got stuck.
> 
> I only had CentOS7 clients be affected too.

Since this bugzilla was filed against RHEL-6 where we definitely won't be addressing the issue, I would recommend to track the RHEL-7 version of the OpenLDAP bug, which is a dependency of fixing sssd: https://bugzilla.redhat.com/show_bug.cgi?id=1310069
