Bug #12431

ldapclient doesn't like hostnames with multi A/AAAA records

Added by Jorge Schrauwen 4 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

I am playing around with a master-master setup where I will write to one but can read from both.

I have the following setup:
ldap1.acheron.be 10.23.30.91 (zone with openldap)
ldap2.acheron.be 10.23.30.92 (zone with openldap)

I can read/write to both, although I am only writing to ldap1.

For HA I also have:
ldap.acheron.be, which has A records for ldap1 and ldap2

[root@ldap1 ~/notes/client]# dig ldap.acheron.be

; <<>> DiG 9.10.1-P1 <<>> ldap.acheron.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50531
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ldap.acheron.be.               IN      A

;; ANSWER SECTION:
ldap.acheron.be.        1       IN      A       10.23.30.92
ldap.acheron.be.        1       IN      A       10.23.30.91

;; Query time: 0 msec
;; SERVER: 10.23.30.1#53(10.23.30.1)
;; WHEN: Sun Mar 22 14:16:18 UTC 2020
;; MSG SIZE  rcvd: 76

Using ldap.acheron.be in ldapsearch or ldapadd/modify/... works fine; a simple test webapp also seems happy.

However, ldapclient just times out when using this as an entry for defaultServerList:

Parsing defaultServerList=ldap.acheron.be
Parsing bindTimeLimit=5
Parsing authenticationMethod=tls:simple
Parsing credentialLevel=proxy
Parsing proxyDN=cn=proxyagent,dc=acheron,dc=be
Parsing proxyPassword=xxx
Parsing domainName=acheron.be
Parsing defaultSearchBase=dc=acheron,dc=be
Parsing defaultSearchScope=sub
Parsing serviceSearchDescriptor=passwd:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=shadow:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=group:ou=groups,dc=acheron,dc=be
Parsing serviceSearchDescriptor=project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
Arguments parsed:
        authenticationMethod: tls:simple
        defaultSearchBase: dc=acheron,dc=be
        credentialLevel: proxy
        domainName: acheron.be
        proxyDN: cn=proxyagent,dc=acheron,dc=be
        defaultSearchScope: sub
        serviceSearchDescriptor:
                arg[0]: passwd:ou=accounts,dc=acheron,dc=be
                arg[1]: shadow:ou=accounts,dc=acheron,dc=be
                arg[2]: group:ou=groups,dc=acheron,dc=be
                arg[3]: project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
                arg[4]: prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
                arg[5]: auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
                arg[6]: sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
        bindTimeLimit: 5
        proxyPassword: xxx
        defaultServerList: ldap.acheron.be
Handling manual option
Proxy DN: cn=proxyagent,dc=acheron,dc=be
Proxy password: {NS1}xxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "acheron.be" 
file_backup: stat(/var/yp/binding/acheron.be)=-1
file_backup: No /var/yp/binding/acheron.be directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname acheron.be... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: sleep 6400000 microseconds
start: sleep 12800000 microseconds
start: sleep 25600000 microseconds
start: sleep 51200000 microseconds
start: sleep 17700000 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "acheron.be" 
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/acheron.be)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname acheron.be... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success

Feeding ldap1.acheron.be and ldap2.acheron.be to defaultServerList works fine:

Parsing defaultServerList=ldap1.acheron.be ldap2.acheron.be
Parsing bindTimeLimit=5
Parsing authenticationMethod=tls:simple
Parsing credentialLevel=proxy
Parsing proxyDN=cn=proxyagent,dc=acheron,dc=be
Parsing proxyPassword=xxx
Parsing domainName=acheron.be
Parsing defaultSearchBase=dc=acheron,dc=be
Parsing defaultSearchScope=sub
Parsing serviceSearchDescriptor=passwd:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=shadow:ou=accounts,dc=acheron,dc=be
Parsing serviceSearchDescriptor=group:ou=groups,dc=acheron,dc=be
Parsing serviceSearchDescriptor=project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
Parsing serviceSearchDescriptor=sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
Arguments parsed:
        authenticationMethod: tls:simple
        defaultSearchBase: dc=acheron,dc=be
        credentialLevel: proxy
        domainName: acheron.be
        proxyDN: cn=proxyagent,dc=acheron,dc=be
        defaultSearchScope: sub
        serviceSearchDescriptor:
                arg[0]: passwd:ou=accounts,dc=acheron,dc=be
                arg[1]: shadow:ou=accounts,dc=acheron,dc=be
                arg[2]: group:ou=groups,dc=acheron,dc=be
                arg[3]: project:ou=projects,ou=illumos,ou=security,dc=acheron,dc=be
                arg[4]: prof_attr:ou=profiles,ou=illumos,ou=security,dc=acheron,dc=be
                arg[5]: auth_attr:ou=authorizations,ou=illumos,ou=security,dc=acheron,dc=be
                arg[6]: sudoers:ou=sudoers,ou=security,dc=acheron,dc=be
        bindTimeLimit: 5
        proxyPassword: xxx
        defaultServerList: ldap1.acheron.be ldap2.acheron.be
Handling manual option
Proxy DN: cn=proxyagent,dc=acheron,dc=be
Proxy password: {NS1}xxx
Credential level: 1
Authentication method: 3
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "acheron.be" 
file_backup: stat(/var/yp/binding/acheron.be)=-1
file_backup: No /var/yp/binding/acheron.be directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname acheron.be... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured

The latter has ldapclient contacting both servers over ldaps and, if that fails, over ldap with startTLS, as expected.

It would be nice to at the very least throw an error if a hostname with multiple A/AAAA records is used instead of silently failing.
I checked the slapd.log; no connect attempt is even made in that case.
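A pre-flight check for the failure mode described in this ticket, added here as an example and not part of illumos or ldapclient: it resolves each defaultServerList entry and flags any hostname that answers with more than one A/AAAA record, so an operator can catch the round-robin name before ldapclient times out. The resolver is injectable; the SAMPLE_DNS records below are constructed to mirror the dig output above.

```python
import socket
from ipaddress import ip_address

def _split_entry(entry):
    """Split a defaultServerList entry into (host, port); port is None if absent."""
    if entry.startswith("["):            # [v6addr]:port form
        host, _, rest = entry[1:].partition("]")
        return host, (rest[1:] if rest.startswith(":") else None)
    if entry.count(":") == 1:            # host:port form
        host, port = entry.split(":")
        return host, port
    return entry, None                   # bare hostname or bare IPv6 literal

def _system_resolve(host):
    """Resolve host to a sorted, de-duplicated list of IPv4/IPv6 addresses."""
    infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})

def check_server_list(server_list, resolve=_system_resolve):
    """Return (entry, addresses, problem) per space-separated entry.
    problem is None when the entry is safe to hand to ldapclient."""
    results = []
    for entry in server_list.split():
        host, _port = _split_entry(entry)
        try:
            ip_address(host)                 # literal address: nothing to resolve
            results.append((entry, [host], None))
            continue
        except ValueError:
            pass
        try:
            addrs = resolve(host)
        except OSError as exc:
            results.append((entry, [], f"unresolvable: {exc}"))
            continue
        problem = None
        if len(addrs) > 1:
            problem = "multiple A/AAAA records; list each server name instead"
        results.append((entry, addrs, problem))
    return results

# Constructed stand-in for the zone in the report (not a live lookup).
SAMPLE_DNS = {
    "ldap.acheron.be": ["10.23.30.92", "10.23.30.91"],
    "ldap1.acheron.be": ["10.23.30.91"],
    "ldap2.acheron.be": ["10.23.30.92"],
}

def sample_resolve(host):
    """Resolver over SAMPLE_DNS; raises OSError like getaddrinfo does for unknown names."""
    if host not in SAMPLE_DNS:
        raise OSError(f"no records for {host}")
    return sorted(SAMPLE_DNS[host])

if __name__ == "__main__":
    for entry, addrs, problem in check_server_list("ldap.acheron.be ldap1.acheron.be", sample_resolve):
        print(f"{entry}: {addrs} -> {problem or 'ok'}")
```

Drop the second argument to run the check against the real resolver on a client before invoking ldapclient.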
