Issue 7036 - ldapsearch should attempt DNS-based fallback if possible
Summary: ldapsearch should attempt DNS-based fallback if possible
Status: VERIFIED DUPLICATE of issue 7152
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: documentation
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: Howard Chu
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-07 12:22 UTC by seanius@seanius.net
Modified: 2021-02-26 23:41 UTC

See Also:


Description seanius@seanius.net 2011-09-07 12:22:24 UTC
Full_Name: Sean Finney
Version: 2.4.21-0ubuntu5.5
OS: Ubuntu Lucid
URL: 
Submission from: (NULL) (213.115.10.98)


We have an ldap.conf with

 URI         ldap://corp.net

where corp.net resolves to a list of about 20 round-robin balanced A records,
all of which are windows-based domain controllers for the site.  Recently, a
hiccup in change control ended up with 3 of these servers being offline but
remaining in DNS.

Therefore, with about 3/20 probability ldapsearch and friends will just sit and
hang waiting for packets to return from the void until the TCP/IP RTT timeout is
reached.

It would be nice if ldapsearch could, either by default or as an option, have
some way of iteratively trying all of the returned DNS records in the face of
such failure (which could also be from some form of network hiccup, or a crashed
server).  Bonus points if it could somehow be pre-emptive (i.e. not waiting for
the entire TCP/IP RTT timeout before trying another server).

Of course another alternative would be for us to duplicate the information from
DNS into multiple servers listed in URI, but that seems... duplicative.   But in
any event I did a quick search of the issue system and didn't see a documented
position on the matter so I figured I could at least post this and see what you
think :)
Comment 1 ando@openldap.org 2011-09-07 12:51:11 UTC
As far as I understand from the code, libldap already behaves like that, i.e. it
loops through all the hosts returned by getaddrinfo(3).  What's missing (in your
configuration of ldapsearch) is a network timeout parameter.  Right now, you can
set it either using NETWORK_TIMEOUT in ldap.conf(5) or passing the command-line
switch -o nettimeout=<timeout>.  I understand the latter is not documented in
ldapsearch(1), although it appears in the usage message of all tools.

As I'd consider this issue a software usage question rather than a bug (except
for the missing documentation), I encourage you to continue discussion on the
openldap-technical mailing list.

p.
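The loop Pierangelo describes in the comment above, walking the list returned by getaddrinfo(3) and moving on when a host does not answer within a bounded time, as an added stand-alone Python example. This is not OpenLDAP's libldap code; the address 192.0.2.1, the loopback listener that plays the healthy server, and the function names are constructed for the demonstration.

```python
import socket
import threading
import time

# Constructed for the demonstration (not from the issue): 192.0.2.1 is a
# documentation-range address (RFC 5737) that never answers, standing in for
# one of the offline domain controllers that was still listed in DNS.
DEAD_ADDR = ("192.0.2.1", 389)


def resolve(host, port):
    """Return the (family, sockaddr) pairs getaddrinfo(3) yields for host, in order.

    With a round-robin hostname in the URI this is the list the client walks.
    """
    return [(fam, sockaddr) for fam, _, _, _, sockaddr in
            socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]


def connect_with_fallback(addrs, timeout):
    """Try each (family, sockaddr) in turn with a per-attempt connect timeout.

    timeout=None reproduces what the reporter saw: a blackholed host is only
    abandoned when the kernel's own TCP connect timeout fires.  A finite
    timeout plays the role of NETWORK_TIMEOUT / -o nettimeout.
    Returns (socket, sockaddr, attempts); attempts records each skipped host.
    """
    attempts = []
    for family, sockaddr in addrs:
        s = socket.socket(family, socket.SOCK_STREAM)
        s.settimeout(timeout)
        started = time.monotonic()
        try:
            s.connect(sockaddr)
        except OSError as exc:
            s.close()
            attempts.append((sockaddr, type(exc).__name__,
                             round(time.monotonic() - started, 2)))
            continue
        s.settimeout(None)  # back to blocking mode for normal use
        return s, sockaddr, attempts
    raise OSError("no reachable server among %r" % [a for _, a in addrs])


def start_local_listener():
    """Stand-in for a healthy server: accept one TCP connection on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=1.0):
    """Dead address first, live loopback listener second; report what happened."""
    port = start_local_listener()
    addrs = [(socket.AF_INET, DEAD_ADDR), (socket.AF_INET, ("127.0.0.1", port))]
    sock, chosen, attempts = connect_with_fallback(addrs, timeout)
    sock.close()
    return chosen, attempts


if __name__ == "__main__":
    chosen, attempts = demo()
    for sockaddr, err, secs in attempts:
        print("skipped %s:%d after %.2fs (%s)" % (sockaddr[0], sockaddr[1], secs, err))
    print("connected to %s:%d" % chosen)
```

Running `demo()` with a one-second timeout skips the dead address after roughly a second and connects to the loopback listener; with `timeout=None` the first attempt blocks for the full kernel TCP connect timeout, which is the hang the report describes. In the OpenLDAP tools the knob that bounds each attempt is the NETWORK_TIMEOUT option in ldap.conf(5) or `-o nettimeout=<timeout>` on the command line, as named in the comment above.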
Comment 2 ando@openldap.org 2011-09-07 12:51:32 UTC
changed notes
moved from Incoming to Documentation
Comment 3 seanius@seanius.net 2011-09-07 13:10:46 UTC
On Wed, Sep 07, 2011 at 12:51:10PM +0000, Pierangelo Masarati wrote:
> As far as I understand from the code, libldap already behaves like that, i.e. it
> loops through all the hosts returned by getaddrinfo(3).  What's missing (in your
> configuration of ldapsearch) is a network timeout parameter.  Right now, you can
> set it either using NETWORK_TIMEOUT in ldap.conf(5) or passing the command-line
> switch -o nettimeout=<timeout>.  I understand the latter is not documented in
> ldapsearch(1), although it appears in the usage message of all tools.

wonderful, confirmed that it works.  so then yes, just a minor 
omission from the documentation :)


	sean

Comment 4 OpenLDAP project 2014-08-01 21:04:11 UTC
software use; `-o' undocumented
Comment 5 Howard Chu 2021-02-15 14:15:22 UTC
fixed by #7152

*** This issue has been marked as a duplicate of issue 7152 ***