Set network connection timeout on Keystone Identity's LDAP backend to prevent stall on bind

Bug #1636950 reported by Kam Nasim
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Medium | Assigned to: Kam Nasim | Milestone: (not shown)

Bug Description

In our Mitaka deployment when setting up the Identity driver to use an external LDAP backend, if the URL of the LDAP server is incorrect or there is a network connectivity issue, it is seen that the ldap driver would stall indefinitely (or until TCP timeout).

This affects both LDAP connection pools and SimpleLDAP.

The LDAP configuration stanza (keystone.conf) provides a "pool_connection_timeout" option however this is not used anywhere within the LDAP driver.

We have employed a fix downstream in our deployment which is to use this pool_connection_timeout value and set it as ldap.OPT_NETWORK_TIMEOUT so that the LDAP connection times out at the prescribed value without stalling indefinitely at the LDAP bind.

Kam Nasim (knasim-wrs)
Changed in keystone:
assignee: nobody → Kam Nasim (knasim-wrs)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/390948

Changed in keystone:
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
milestone: none → ocata-1
tags: added: ldap user-experience
Changed in keystone:
milestone: ocata-1 → ocata-2
Changed in keystone:
milestone: ocata-2 → ocata-3
Changed in keystone:
assignee: Kam Nasim (knasim-wrs) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Kam Nasim (knasim-wrs)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/390948
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2d239cfbc37573f245e6560b42117828b73d19b9
Submitter: Jenkins
Branch: master

commit 2d239cfbc37573f245e6560b42117828b73d19b9
Author: Kam Nasim <email address hidden>
Date: Wed Jan 11 18:55:40 2017 +0000

    Set connection timeout for LDAP configuration

    Presently the Identity LDAP driver does not set a connection timeout
    option which has the disadvantage of causing the Identity LDAP backend
    handler to stall indefinitely (or until TCP timeout) on LDAP bind, if
    a) the LDAP URL is incorrect, or b) there is a connection failure/link
    loss.

    This commit adds a new option to set the LDAP connection timeout, which
    sets a new OPT_NETWORK_TIMEOUT option on the LDAP object. This will
    raise ldap.SERVER_DOWN exceptions on timeout.

    Signed-off-by: Kam Nasim <email address hidden>

    Closes-Bug: #1636950
    Change-Id: I574e6368169ad60bef2cc990d2d410a638d1b770

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b3

This issue was fixed in the openstack/keystone 11.0.0.0b3 development milestone.
