Bug 1298769 - RFE: multiple LDAP /Active Directory back-end connection servers for redundancy
RFE: multiple LDAP /Active Directory back-end connection servers for redund...
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
6.0 (Juno)
Unspecified Unspecified
unspecified Severity medium
: ---
: 8.0 (Liberty)
Assigned To: John Dennis
: FutureFeature, ZStream
Depends On:
  Show dependency treegraph
Reported: 2016-01-14 20:03 EST by Faiaz Ahmed
Modified: 2016-04-26 11:52 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-04-15 13:49:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1500631 None None None 2016-01-14 20:09 EST
Launchpad 1571001 None None None 2016-04-15 13:49 EDT

  None (edit)
Description Faiaz Ahmed 2016-01-14 20:03:52 EST
When defining the URL for connecting to the LDAP server in the Keystone configuration, looking for a way to specify multiple LDAP servers for redundancy.  For example if an AD domain controller were not available, Keystone would try an alternate domain controller.

Current version  keystone v3 support multiple domain and type, but not multiple servers in same domain.
url =  ldaps://addc.lab.local:636
user = CN=svc-ldap,CN=Users,DC=lab,DC=local

Can we put mutiple server url in a same line? This is supported sssd / samba / many other authentication module.

Another question, in case of outage its mentioned in the doc that 

- The Identity Service will need to be restarted to add the AD DS back end.
- The Compute services on all nodes need to be restarted in order to switch over to keystone v3.

- Users will be unable to access the dashboard until their accounts have been created in AD DS. To reduce downtime, consider per-staging the AD DS accounts well in advance of this change. 


- Users will be unable to access the dashboard until their accounts have been created in IdM. To reduce downtime, consider pre-staging the IdM accounts well in advance of this change. 

I am not sure if this going to be addressed here or not, if the mutiple url supported in that case do we need reboot Identity Service in case of primary failed?
Comment 2 Faiaz Ahmed 2016-01-14 20:11:17 EST
Came across upstream and seems promising. 


So I did try comma separated ldap URLs in keystone, which worked as I would expect. It attempts connections with the first host and tries the next if it fails to bind. My simple example using python-ldap where there is no ldap server at localhost, but there is at ldaps.company.com

l = ldap.initialize('ldap://localhost:389,ldaps://ldaps.company.com:636')
(97, [], 1, [])

The same works in keystone, so the keystone config help should be updated to show this is actually a supported option. Its very useful for deployers using AD where there is commonly redundancy using many domain controllers behind that one domain.

Note: the whitespace-separated list did not work for me, only comma.
Comment 3 Martin Lopes 2016-01-14 23:58:55 EST
This appears to be working in my osp7 lab with keystone v3 [1].

For example, the first entry in keystone.LAB.conf uses a deliberately incorrect port:
url =  ldap://idm.lab.local:633,ldaps://idm.lab.local

I can see traffic hit port 633 before a successful result is returned:
idm.lab.local# tcpdump port 633 -v -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:47:54.602196 IP (tos 0x0, ttl 64, id 15735, offset 0, flags [DF], proto TCP (6), length 60) > idm.lab.local.servstat: Flags [S], cksum 0x75ee (incorrect -> 0xa080), seq 4022766859, win 29200, options [mss 1460,sackOK,TS val 4294815868 ecr 0,nop,wscale 7], length 0

controller# openstack user list --domain LAB
| ID                                                               | Name     |
| 27b518e63fd3fcc722027f1081fa5ba656e38cb193ce8c0af34725ae7473a8f0 | svc-ldap |
| a9f7bd2dacbebb4dc3fe10207252fb422c48a27cfaec5aaefaf5588592f898be | uuser1   |

[1] Setup according to this guide: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/integrate-with-identity-service/#sec-idm
Comment 4 Faiaz Ahmed 2016-01-15 00:35:32 EST
I just tested with master and replica IPA and its working good.

here is my conf

url =  ldaps://ipb.test.com,ldaps://ipa.test.com
user = uid=svc-ldap,cn=users,cn=accounts,dc=umuzumu,dc=com
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=umuzumu,dc=com)
password = redhat
user_tree_dn = cn=users,cn=accounts,dc=umuzumu,dc=com
user_objectclass = inetUser
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = mail
user_pass_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False

driver = keystone.identity.backends.ldap.Identity

In case of any failure or first one, it goes to the second one.
Comment 6 Nathan Kinder 2016-01-15 12:00:49 EST
Martin has already worked on changes to add this to the documentation.  Do we also want to see if we can add a helpful comment or example to the default keystone.conf?  That seems like something worth proposing upstream.
Comment 8 Adam Young 2016-04-15 13:49:14 EDT
Filed upstream bug to document better.

Note You need to log in before you can comment on or make changes to this bug.