OpenLDAP


Viewing Documentation/7036
Date: Wed, 07 Sep 2011 12:22:24 +0000
From: seanius@seanius.net
To: openldap-its@OpenLDAP.org
Subject: ldapsearch should attempt DNS-based fallback if possible
Full_Name: Sean Finney
Version: 2.4.21-0ubuntu5.5
OS: Ubuntu Lucid
URL: 
Submission from: (NULL) (213.115.10.98)


We have an ldap.conf with

 URI         ldap://corp.net

where corp.net resolves to a list of about 20 round-robin balanced A records,
all of which are windows-based domain controllers for the site.  Recently, a
hiccup in change control ended up with 3 of these servers being offline but
remaining in DNS.

Therefore, with about 3/20 probability ldapsearch and friends will just sit and
hang waiting for packets to return from the void until the TCP/IP RTT timeout is
reached.

It would be nice if ldapsearch could, either by default or as an option, have
some way of iteratively trying all of the returned DNS records in the face of
such failure (which could also be from some form of network hiccup, or a crashed
server).  Bonus points if it could somehow be pre-emptive (i.e. not waiting for
the entire TCP/IP RTT timeout before trying another server).

Of course another alternative would be for us to duplicate the information from
DNS into multiple servers listed in URI, but that seems... duplicative.   But in
any event I did a quick search of the issue system and didn't see a documented
position on the matter so I figured I could at least post this and see what you
think :)

Followup 1

Date: Wed, 7 Sep 2011 15:10:46 +0200
From: sean finney <seanius@seanius.net>
To: Pierangelo Masarati <openldap-its@OpenLDAP.org>
Subject: Re: (ITS#7036) ldapsearch should attempt DNS-based fallback if possible
On Wed, Sep 07, 2011 at 12:51:10PM +0000, Pierangelo Masarati wrote:
> As far as I understand from the code, libldap already behaves like that, i.e. it
> loops through all the hosts returned by getaddrinfo(3).  What's missing (in your
> configuration of ldapsearch) is a network timeout parameter.  Right now, you can
> set it either using NETWORK_TIMEOUT in ldap.conf(5) or passing the command-line
> switch -o nettimeout=<timeout>.  I understand the latter is not documented in
> ldapsearch(1), although it appears in the usage message of all tools.

wonderful, confirmed that it works.  so then yes, just a minor 
omission from the documentation :)


	sean



Reply 1

From: Pierangelo Masarati <openldap-its@OpenLDAP.org>
To: seanius@seanius.net
Subject: Re: (ITS#7036) ldapsearch should attempt DNS-based fallback if possible
Date: Wed Sep  7 12:51:11 2011
CC: openldap-its@OpenLDAP.org
As far as I understand from the code, libldap already behaves like that, i.e. it
loops through all the hosts returned by getaddrinfo(3).  What's missing (in your
configuration of ldapsearch) is a network timeout parameter.  Right now, you can
set it either using NETWORK_TIMEOUT in ldap.conf(5) or passing the command-line
switch -o nettimeout=<timeout>.  I understand the latter is not documented in
ldapsearch(1), although it appears in the usage message of all tools.

As I'd consider this issue a software usage question rather than a bug (except
for the missing documentation), I encourage you to continue discussion on the
openldap-technical mailing list.

p.
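The following is an added example, not OpenLDAP code and not part of the ticket. It models in Python the behaviour Pierangelo describes for libldap: walk every address that getaddrinfo(3) returns for the URI host, and move on to the next one when a connect attempt does not complete within a network timeout. With no timeout (the reporter's original configuration) a dead A record blocks until the kernel's own TCP connect timeout expires, which is the hang in the report. The function names (`resolve_candidates`, `connect_first_reachable`, `start_stub_server`, `demo`), the injectable resolver, and the stub server are this example's own constructions; the dead host is an RFC 5737 TEST-NET-1 address standing in for an offline domain controller.

```python
# Added example (not OpenLDAP code): models libldap's host iteration and
# shows why NETWORK_TIMEOUT / -o nettimeout= matters when one of the
# addresses behind a round-robin name is dead. All names here are this
# example's own, not libldap API.
import socket
import threading
import time


def resolve_candidates(host, port, resolver=socket.getaddrinfo):
    """Return (family, sockaddr) pairs in resolver order.

    For a round-robin name such as the reporter's corp.net this is the full
    list of A records, dead hosts included. The resolver is injectable so the
    behaviour can be demonstrated without real DNS.
    """
    return [(fam, sa) for fam, _t, _p, _canon, sa
            in resolver(host, port, type=socket.SOCK_STREAM)]


def connect_first_reachable(candidates, nettimeout):
    """Try candidates in order; return (sock, sockaddr, attempts).

    nettimeout is the per-attempt connect timeout in seconds, the analogue of
    NETWORK_TIMEOUT in ldap.conf(5) / ``-o nettimeout=`` on the tools.
    nettimeout=None reproduces the hang from the report: connect() blocks
    until the kernel's TCP timeout expires. attempts records
    (sockaddr, outcome, seconds) for each host, useful for logging which
    directory servers are silently failing.
    """
    attempts = []
    for family, sockaddr in candidates:
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(nettimeout)
        started = time.monotonic()
        try:
            sock.connect(sockaddr)
        except OSError as exc:  # socket.timeout, ENETUNREACH, ECONNREFUSED, ...
            attempts.append((sockaddr, type(exc).__name__,
                             round(time.monotonic() - started, 3)))
            sock.close()
            continue
        sock.settimeout(None)  # back to blocking mode for the LDAP session itself
        attempts.append((sockaddr, "ok", round(time.monotonic() - started, 3)))
        return sock, sockaddr, attempts
    return None, None, attempts


def start_stub_server():
    """Constructed stand-in for a healthy domain controller: accepts and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()


def demo(nettimeout=0.5):
    """Two-host version of the reporter's 3-of-20 situation: one dead A record
    listed ahead of one live one. Returns the chosen address and the attempt log."""
    srv, alive = start_stub_server()
    # RFC 5737 TEST-NET-1 address: constructed "offline DC" that never answers.
    dead = ("192.0.2.1", 389)
    candidates = [(socket.AF_INET, dead), (socket.AF_INET, alive)]
    try:
        sock, chosen, attempts = connect_first_reachable(candidates, nettimeout)
        if sock is not None:
            sock.close()
        return {"chosen": chosen, "attempts": attempts}
    finally:
        srv.close()


if __name__ == "__main__":
    for entry in demo()["attempts"]:
        print(entry)
```

Running the block shows the dead address failing within the half-second timeout and the live one being chosen next; calling `demo(None)` instead reproduces the wait for the kernel's connect timeout that the reporter observed. The attempt log is the piece worth keeping in production wrappers: a server that is still in DNS but never answers is otherwise invisible to the client.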

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org