
Use DNS SRV records in case of multiple LDAP backends. #248


Closed
avivgt opened this issue Oct 15, 2018 · 2 comments

Comments


avivgt commented Oct 15, 2018

Description of the problem:
We are using multiple LDAP servers. A problem that arises is that all connections go to the first LDAP server.
In order to avoid that, we want to use DNS SRV records with both servers, but the Python module responsible for the LDAP connection does not seem to support LDAP-URLs regarding RFC 4516[1].

When using ldapsearch to verify that the URL is well formed, it works as expected:

[root@ospd-stage ~]# ldapsearch -H ldaps:///dc%3Dbioquant%2Cdc%3Duni%2Dheidelberg%2Cdc%3Dde -x -b ou=people,DC=bioquant,DC=uni-heidelberg,DC=de | head
# extended LDIF
#
# LDAPv3
# base <ou=people,DC=bioquant,DC=uni-heidelberg,DC=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, bioquant.uni-heidelberg.de
dn: ou=People, dc=bioquant,dc=uni-heidelberg,dc=de

If we try the same syntax for the URL in the keystone/domains/*conf, the module tries to connect to that URL directly.
It fails, instead of asking the DNS for A (or AAAA) records for _ldap._tcp.bioquant.uni-heidelberg.de:

2017-06-22 08:58:05.075 1011689 DEBUG keystone.identity.backends.ldap.common [req-7fb247ef-bb65-4f9c-b957-1e3f4385950c 3aa594d0861241e2a95c542c7685a650 4ffe91483fe34912957e54b63507f36d - default default] LDAP init: url=ldaps:///dc%3Dbioquant%2Cdc%3Duni-heidelberg%2Cdc%3Dde _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:574

2017-06-22 08:58:05.076 1011689 DEBUG keystone.identity.backends.ldap.common [req-7fb247ef-bb65-4f9c-b957-1e3f4385950c 3aa594d0861241e2a95c542c7685a650 4ffe91483fe34912957e54b63507f36d - default default] LDAP init: use_tls=False tls_cacertfile=/etc/pki/ldap/ca.crt tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:578

Version-Release number of selected component (if applicable):

  • python-ldap-python-ldap-2.4.15-2.
  • OpenStack Keystone

[1] https://tools.ietf.org/html/rfc4516

tiran (Member) commented Oct 15, 2018

python-ldap is just a thin wrapper around OpenLDAP's libldap. libldap doesn't support SRV record lookups. I'd rather not implement a solution in python-ldap directly. Therefore I see two possible solutions for the problem:

  1. Make a feature request on the OpenLDAP tracker and request to add a SRV lookup feature to libldap directly. That way, other consumers of libldap also benefit from a solution.
  2. Add a custom solution on top of python-ldap. You can pass in multiple LDAP URIs and libldap will pick one server from the list of URIs. In theory you should be able to construct a list of URIs from a list of resolved, sorted SRV records. In practice I don't know in which order libldap opens connections.

Also see #178
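The second option above, as an added example that is neither python-ldap's code nor anything posted in this issue: order a set of SRV records the way RFC 2782 describes (priority first, then a weighted draw within a priority class) and render them as the whitespace-separated URI list that ldap.initialize() accepts. The example.org targets and the SRV values are constructed sample data, and resolve_srv() assumes the third-party dnspython package is installed; it is not used by the sample run.

```python
import random
from collections import defaultdict

# Constructed sample SRV RRset for _ldap._tcp.example.org (hypothetical names):
# tuples of (priority, weight, port, target) as DNS returns them.
SAMPLE_SRV = [
    (10, 60, 636, "ldap1.example.org."),
    (10, 40, 636, "ldap2.example.org."),
    (20, 0, 636, "ldap-backup.example.org."),
]

def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority, a weighted random draw so higher weight tends to come first."""
    rng = rng or random.Random()
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            total = sum(r[1] for r in group)
            pick = 0  # all weights zero: take them in answer order
            if total > 0:
                draw, running = rng.randint(0, total), 0
                for idx, rec in enumerate(group):
                    running += rec[1]
                    if running >= draw:
                        pick = idx
                        break
            ordered.append(group.pop(pick))
    return ordered

def srv_to_ldap_uris(records, scheme="ldaps", rng=None):
    """Render the ordered records as the whitespace-separated URI list that
    ldap.initialize() accepts, e.g. "ldaps://h1:636 ldaps://h2:636"."""
    return " ".join(f"{scheme}://{target.rstrip('.')}:{port}"
                    for _p, _w, port, target in order_srv(records, rng))

def resolve_srv(domain, service="_ldap._tcp"):
    """Fetch the live RRset with dnspython (assumed installed). Plain DNS is
    unauthenticated, so keep the ldaps scheme plus CA verification: a spoofed
    SRV answer must not be able to redirect binds to an untrusted host."""
    import dns.resolver
    answer = dns.resolver.resolve(f"{service}.{domain}", "SRV")
    return [(r.priority, r.weight, r.port, r.target.to_text()) for r in answer]
```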

avivgt (Author) commented Oct 15, 2018

Thanks tiran,
I'll issue a feature request.
