ldap failover... failing?
dajr...@gmail.com
Hi there, I have run into an issue where a useridresolver configured with two LDAP sources will only use the first. So, when the first one goes offline, it isn't marked as bad, auth against the LinOTP instance starts failing until I switch the LDAP hosts.
In other words, Server-URI is set like this:
ldaps://ldap1.example.com,ldaps://ldap2.example.com
When ldap1.example.com is disconnected from the network, linOTP auth fails, and the following appears in /var/log/linotp/linotp.log, for every auth attempt.
2016/01/21 - 20:43:34 ERROR {139821258422016} [useridresolver.LDAPIdResolver][bind #391] [bind] LDAP error: SERVER_DOWN({'desc': "Can't contact LDAP server"},)
2016/01/21 - 20:43:34 ERROR {139821258422016} [useridresolver.LDAPIdResolver][bind #392] [bind] LDAPURI : u'ldaps://ldap1.example.com'
2016/01/21 - 20:43:34 ERROR {139821258422016} [useridresolver.LDAPIdResolver][bind #393] [bind] Traceback (most recent call last):
File "/opt/LINOTP/lib/python2.6/site-packages/useridresolver/LDAPIdResolver.py", line 382, in bind
l_obj.simple_bind_s(dn_encode, pw_encode)
File "/opt/LINOTP/lib/python2.6/site-packages/ldap/ldapobject.py", line 214, in simple_bind_s
msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
File "/opt/LINOTP/lib/python2.6/site-packages/ldap/ldapobject.py", line 208, in simple_bind
return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
File "/opt/LINOTP/lib/python2.6/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Switching the order of the LDAP hosts in Server-URI resolves the problem immediately (as does ldap1 coming back online.
ldap1 and ldap2 are mirrors of each other and have exactly the same data.
Version is LinOTP 2.7.2;
Anyone run into this? Any suggestions?
Thanks in advance,
D.
Nicolas Videla
urilist = self.ldapuri.split(',')
if self.lobj is None:
for uri in urilist:
try:
log.debug("[bind] LDAP: Try to bind to %s", uri)
l_obj = ldap.initialize(uri, trace_level=0)
l_obj.simple_bind_s(binddn, bindpw)
self.lobj = l_obj
break
except ldap.LDAPError as e:
log.exception("[bind] LDAP error: %r" % e)
log.error("[bind] LDAPURI : %r" % uri)
raise Exception(e) # <---- Here is the error!!!!!!
return self.lobj
As you can see in the code above, there is a raise Exception(e), because this is a test function to test ldap connectivity it's ok to get this exception. The snippet function for production environment has no Exception and the failover works ok (tested myself).
sudo nano /usr/lib/pymodules/python2.7/linotp/tests/functional/test_ldap.py
...
except ldap.LDAPError as e:
log.exception("[bind] LDAP error: %r" % e)
log.error("[bind] LDAPURI : %r" % uri)
# raise Exception(e)
...-Now restart apache2
sudo service apache2 restartNow it should work, kein Problem!
Nicolas Videla
dajr...@gmail.com
Hi Nicolás, thanks for the detailed response.
So, is is true that if I comment out that line, then the failover will work and authentication will stop failing? (It was definitely failing, we got a lot of phone calls because of it.)
I apologize if it seems like I'm asking the same question again, I just want to be sure I'm understanding properly.
Thanks!
D.