(ITS#4042) DNS Resolver BUG in OPENLDAP

Full_Name: Jason Sauve
Version: openldap-clients-2.0.27-17
OS: RHEL AS 3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (198.20.37.85)

There seems to be a bug with the openldap client library.

I have configured three LDAP servers in /etc/ldap.conf as:

base dc=robarts,dc=ca
host ldap1.robarts.ca ldap2.robarts.ca ldap3.robarts.ca

However in DNS there are additional A Records that our domain ROBARTS.CA
resolves to other than just these ldap servers mentioned above.

What the ldap client library is doing is overriding the host line, resolving
ROBARTS.CA and attempting to connect to the A record returned by DNS (because
BIND is round-robin, the probability of hitting any IP is approximately equal).
Hence it will hang for BIND_TIMELIMIT in /etc/ldap.conf as it cannot connect to
the IP, as it is not a valid LDAP server.

I've turned on debugging for the client library and seen that the connect() call
is in fact attempting to connect to the other IPs that are registered in DNS.

Should the ldap.conf host line not override this behaviour? The 'easy' answer
would be to remove the additional A records from my DNS server, but that would
not resolve the real issue.

I've also attempted to set the following instead of using the host line (to no
avail):

uri ldap://ldap1.robarts.ca/
uri ldap://ldap2.robarts.ca/
uri ldap://ldap3.robarts.ca/

As a last resort I modified /etc/hosts and tried this also (again to no avail):

1.1.1.1 ROBARTS.CA ldap1.robarts.ca
2.2.2.2 ROBARTS.CA ldap2.robarts.ca
3.3.3.3 ROBARTS.CA ldap3.robarts.ca

Any help would be appreciated as I suspect this is a software bug.
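An added triage check for the situation described in the report (example code, not part of the ITS submission or of OpenLDAP): given the ldap.conf host/uri lines, a resolver table and the addresses the client's connect() calls actually went to, it separates targets that a configured host resolves to from targets that only the bare domain's A records account for. The config, the resolver table and the observed addresses are constructed.

```python
"""Triage for the symptom in the report: are the connect() targets seen in
client debug output explained by the ldap.conf hosts, or by the bare
domain's A records?  Added example, not code from the report or OpenLDAP;
config, resolver table and observed addresses below are all constructed."""
import re

# Constructed ldap.conf using the same host/uri forms as the report.
LDAP_CONF = """
base dc=robarts,dc=ca
host ldap1.robarts.ca ldap2.robarts.ca ldap3.robarts.ca
uri ldap://ldap1.robarts.ca/
"""

# Constructed resolver table (stands in for socket.getaddrinfo); the bare
# domain round-robins to hosts that are not LDAP servers.
RESOLVER = {
    "ldap1.robarts.ca": ["1.1.1.1"],
    "ldap2.robarts.ca": ["2.2.2.2"],
    "ldap3.robarts.ca": ["3.3.3.3"],
    "robarts.ca": ["1.1.1.1", "2.2.2.2", "3.3.3.3", "9.9.9.9", "10.10.10.10"],
}

def configured_hosts(conf_text):
    """Hostnames a client should contact per ldap.conf 'host' and 'uri' lines."""
    hosts = set()
    for line in conf_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "host":
            hosts.update(parts[1:])
        elif parts[0].lower() == "uri":
            for uri in parts[1:]:
                m = re.match(r"ldaps?://([^/:]+)", uri)  # host part of the URI
                if m:
                    hosts.add(m.group(1))
    return sorted(hosts)

def classify_targets(conf_text, resolver, observed_ips, base_domain):
    """Split observed connect() targets into expected (resolved from a
    configured host) and unexpected, and say whether the bare domain's
    A records account for every unexpected one."""
    expected = {ip for h in configured_hosts(conf_text) for ip in resolver.get(h, [])}
    unexpected = sorted(ip for ip in observed_ips if ip not in expected)
    domain_ips = set(resolver.get(base_domain, []))
    return {
        "expected": sorted(expected),
        "unexpected": unexpected,
        "explained_by_domain": bool(unexpected) and all(ip in domain_ips for ip in unexpected),
    }
```

If `explained_by_domain` comes back true, the client is resolving the domain rather than the configured hosts, which is the behaviour the report describes; if an unexpected address is not in the domain's records either, look for a stale A record or /etc/hosts entry instead.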