Actual Problem
================
While a list of LDAP servers is possible, there isn't a built-in timeout mechanism in Keystone to failover to the next LDAP server in the list if there is no response. Try setting your first LDAP server in the list to a server which will not respond on 636, i.e. behind a firewall that silently drops packets. What you will find is Keystone will hang waiting for a connection timeout and keystone authentication will timeout.
================

Replicated the issue and here is the result
++++++++++++++++++++++++++++++++++++++++++++++

My keystone auth config for the domain /etc/keystone/domains/keystone.LAB.conf
~~~~~~~~~~~
[ldap]
url = ldaps://ipb.test.com,ldaps://ipa.test.com
user = uid=svc-ldap,cn=users,cn=accounts,dc=test,dc=com
user_filter = (memberOf=cn=grp-openstack,cn=groups,cn=accounts,dc=test,dc=com)
password = redhat
user_tree_dn = cn=users,cn=accounts,dc=test,dc=com
~~~~~~~~~~~

Both of the ldap servers are IPA.

When it works and goes to ldaps://ipa.test.com
- When we stop the IPA service on ipb.test.com
- When we shut down the ldap/ldaps port on ipb.test.com

When it does not work
- Drop the packets, like # iptables -I INPUT -s OSP-Controller -j DROP
- Network stops responding

** But it works well when it is "Destination Host Unreachable" (manually delete the arp entry from the table)

=======================================
The configuration of ldap redundancy has been configured through https://bugzilla.redhat.com/show_bug.cgi?id=1298769
Upstream bug created https://bugs.launchpad.net/keystoneauth/+bug/1544821
Looks like upstream has rejected the approach. I have to agree that Proxy is a better solution. Is this required by a specific deployment?
It uses the /etc/openldap/ldap.conf file underneath. After adding NETWORK_TIMEOUT, it solved the problem.
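Added example, not from the bug report and not Keystone's or libldap's own code: a small Python emulation of what NETWORK_TIMEOUT buys you. It parses a Keystone [ldap] url list of the form shown above and bounds each TCP connect, so a host that silently drops packets is skipped instead of hanging authentication. The RFC 5737 TEST-NET address 192.0.2.1 stands in for the firewalled ipb.test.com and a local listener stands in for ipa.test.com; both are assumptions of this example.

```python
"""Connect-timeout failover across a Keystone-style LDAP url list (constructed
example; it emulates what OpenLDAP's NETWORK_TIMEOUT gives libldap, it is not
Keystone's or libldap's own code)."""
import socket
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
UNRESPONSIVE = "192.0.2.1"  # RFC 5737 TEST-NET-1: stands in for a host that drops SYNs


def parse_url_list(url_value):
    """Split a Keystone [ldap] 'url' value into (scheme, host, port) tuples."""
    servers = []
    for raw in url_value.split(","):
        parts = urlsplit(raw.strip())
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError("unsupported LDAP url: %r" % raw)
        servers.append((parts.scheme, parts.hostname,
                        parts.port or DEFAULT_PORTS[parts.scheme]))
    return servers


def first_reachable(url_value, network_timeout):
    """Return (host, port, connect_seconds) for the first server whose TCP
    connect completes within network_timeout, else None. network_timeout=None
    reproduces the hang from the bug: a dropped SYN blocks for minutes."""
    for _scheme, host, port in parse_url_list(url_value):
        started = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=network_timeout):
                return host, port, time.monotonic() - started
        except OSError:
            continue  # timed out, refused or unreachable: try the next server
    return None


def demo(network_timeout=2.0):
    """Stand in for ipa.test.com with a local listener and put the unresponsive
    host first, as the bug report does; returns the server that was chosen."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        url = "ldaps://%s,ldaps://127.0.0.1:%d" % (UNRESPONSIVE, port)
        return first_reachable(url, network_timeout)
    finally:
        listener.close()
```

Calling `demo()` returns the loopback server after at most the configured timeout; with `network_timeout=None` the same call blocks on the first host, which is the behaviour the bug report describes.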
Added note describing this behaviour to the relevant kbase article: https://access.redhat.com/articles/1193253