Bug #12431
openldapclient doesn't like hostnames with multi A/AAAA records
Description
I am playing around with a master-master setup where I will write to one but can read from both.
I have the following setup:
ldap1.acheron.be 10.23.30.91 (zone with openldap)
ldap2.acheron.be 10.23.30.92 (zone with openldap)
I can read/write to both, although I am only writing to ldap1.
For HA I also have
ldap.acheron.be, which has A records for both ldap1 and ldap2:
[root@ldap1 ~/notes/client]# dig ldap.acheron.be

; <<>> DiG 9.10.1-P1 <<>> ldap.acheron.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50531
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ldap.acheron.be.		IN	A

;; ANSWER SECTION:
ldap.acheron.be.	1	IN	A	10.23.30.92
ldap.acheron.be.	1	IN	A	10.23.30.91

;; Query time: 0 msec
;; SERVER: 10.23.30.1#53(10.23.30.1)
;; WHEN: Sun Mar 22 14:16:18 UTC 2020
;; MSG SIZE  rcvd: 76
Using ldap.acheron.be in ldapsearch or ldapadd/modify/... works fine, a simple test webapp also seems happy.
However ldapclient just times out when using this as an entry for defaultServerList:
Parsing defaultServerList=ldap.acheron.be
Parsing bindTimeLimit=5
Parsing authenticationMethod=tls:simple
Parsing credentialLevel=proxy
Parsing proxyDN=cn=proxyagent,dc=acheron,dc=be
Parsing proxyPassword=xxx
Parsing domainName=acheron.be
Parsing defaultSearchBase=dc=acheron,dc=be
Parsing defaultSearchScope=sub
Parsing serviceSearchDescriptor=passwd:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=shadow:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=group:ou=groups,dc=acheron,dc=be
Parsing serviceSearchDescriptor=project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
Arguments parsed:
    authenticationMethod: tls:simple
    defaultSearchBase: dc=acheron,dc=be
    credentialLevel: proxy
    domainName: acheron.be
    proxyDN: cn=proxyagent,dc=acheron,dc=be
    defaultSearchScope: sub
    serviceSearchDescriptor:
        arg[0]: passwd:ou=accounts,dc=acheron,dc=be
        arg[1]: shadow:ou=accounts,dc=acheron,dc=be
        arg[2]: group:ou=groups,dc=acheron,dc=be
        arg[3]: project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
        arg[4]: prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
        arg[5]: auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
        arg[6]: sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
    bindTimeLimit: 5
    proxyPassword: xxx
    defaultServerList: ldap.acheron.be
Handling manual option
Proxy DN: cn=proxyagent,dc=acheron,dc=be
Proxy password: {NS1}xxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "acheron.be"
file_backup: stat(/var/yp/binding/acheron.be)=-1
file_backup: No /var/yp/binding/acheron.be directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname acheron.be... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "acheron.be"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/acheron.be)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname acheron.be... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Feeding ldap1.acheron.be and ldap2.acheron.be to defaultServerList works fine:
Parsing defaultServerList=ldap1.acheron.be ldap2.acheron.be
Parsing bindTimeLimit=5
Parsing authenticationMethod=tls:simple
Parsing credentialLevel=proxy
Parsing proxyDN=cn=proxyagent,dc=acheron,dc=be
Parsing proxyPassword=xxx
Parsing domainName=acheron.be
Parsing defaultSearchBase=dc=acheron,dc=be
Parsing defaultSearchScope=sub
Parsing serviceSearchDescriptor=passwd:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=shadow:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=group:ou=groups,dc=acheron,dc=be
Parsing serviceSearchDescriptor=project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
Arguments parsed:
    authenticationMethod: tls:simple
    defaultSearchBase: dc=acheron,dc=be
    credentialLevel: proxy
    domainName: acheron.be
    proxyDN: cn=proxyagent,dc=acheron,dc=be
    defaultSearchScope: sub
    serviceSearchDescriptor:
        arg[0]: passwd:ou=accounts,dc=acheron,dc=be
        arg[1]: shadow:ou=accounts,dc=acheron,dc=be
        arg[2]: group:ou=groups,dc=acheron,dc=be
        arg[3]: project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
        arg[4]: prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
        arg[5]: auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
        arg[6]: sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
    bindTimeLimit: 5
    proxyPassword: xxx
    defaultServerList: ldap1.acheron.be ldap2.acheron.be
Handling manual option
Proxy DN: cn=proxyagent,dc=acheron,dc=be
Proxy password: {NS1}xxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "acheron.be"
file_backup: stat(/var/yp/binding/acheron.be)=-1
file_backup: No /var/yp/binding/acheron.be directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname acheron.be... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
The latter has ldapclient contacting both servers over ldaps and, if that fails, over ldap with startTLS, as expected.
It would be nice to at the very least throw an error if a hostname with multiple A/AAAA records is used instead of silently failing.
I checked the slapd.log; no connect attempt is even made in that case.
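A preflight check of the kind the report asks for, as an added example that is neither illumos code nor from the bug report: it resolves every defaultServerList entry and reports any name with more than one A/AAAA record before ldapclient is run, so the failure is an explicit error rather than a 90-second timeout and rollback. The function names and the `resolve` parameter are this example's own; it assumes the `host[:port]` and `[v6addr]:port` entry forms.

```python
"""ldapclient defaultServerList preflight (added example, not illumos code nor
from the bug report): resolve each entry and reject a name with more than one
A/AAAA record, which this report shows ldapclient silently times out on.
`resolve` defaults to the system resolver; tests may pass a constructed one."""
import socket
import sys


def system_resolver(host):
    """Every distinct A/AAAA address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def split_entry(entry):
    """Split 'host[:port]' or '[v6addr]:port' into (host, ':port' or '')."""
    if entry.startswith("["):
        host, _, port = entry[1:].partition("]")
        return host, port
    host, sep, port = entry.rpartition(":")
    return (host, ":" + port) if sep and port.isdigit() else (entry, "")


def check_server_list(server_list, resolve=system_resolver):
    """Return {'ok': bool, 'problems': [...], 'addresses': {entry: [ip, ...]}}.
    A multi-address name is reported as a problem: list each replica under its
    own name instead, the form the report found to work."""
    problems, addresses = [], {}
    for entry in server_list.split():
        host, _port = split_entry(entry)
        try:
            addrs = resolve(host)
        except (socket.gaierror, KeyError):
            problems.append(f"{entry}: does not resolve")
            continue
        addresses[entry] = addrs
        if len(addrs) > 1:
            problems.append(f"{entry}: {len(addrs)} A/AAAA records "
                            f"({', '.join(addrs)}); name each server explicitly")
    return {"ok": not problems, "problems": problems, "addresses": addresses}


if __name__ == "__main__":
    result = check_server_list(" ".join(sys.argv[1:]))
    for msg in result["problems"]:
        print("defaultServerList:", msg, file=sys.stderr)
    sys.exit(0 if result["ok"] else 1)
```

Run it with the same string you would pass to `-a defaultServerList=`; a non-zero exit means the list contains a name ldapclient would stall on.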