nslcd not switching back to primary LDAP server #46
Comments
Hi @FrankyGT, Thanks for your ticket and providing a solution. Ideally we would have some kind of concept of primary and secondary servers but the config is a bit too limited for that. Ideally you would round-robin over the primary servers and only use the secondary servers if no primary server was available but indeed nslcd has never supported that. I think your change is useful, even though it only works if idle_timelimit is defined in the config (by default it is disabled). I've merged it as 6d5a2eb. I will try to get around to making another 0.9 release of nss-pam-ldapd sometime soon. Thanks.
Pkgsrc changes:
* Fix column alignment to appease pkglint
* Fix phase for usergroup substitution (pkglint hint)
* Remove all symlinks installed in base system on NetBSD

Upstream changes:

2021-11-19 Arthur de Jong <arthur@arthurdejong.org>
* [6e7e878] man/nslcd.conf.5.xml, nslcd/cfg.c: Support DNSLDAPS in uri
  This supports both `uri DNSLDAPS` and `uri DNSLDAPS:some.domain` variants alongside the pre-existing `uri DNS` that was already supported generating ldaps URIs for all SRV records found.

2021-11-15 Arthur de Jong <arthur@arthurdejong.org>
* [70819ae] configure.ac, tests/common.h: Fix internal assertion function detection on Solaris

2021-11-15 Arthur de Jong <arthur@arthurdejong.org>
* [7b2a7fe] INSTALL, ar-lib, compile, depcomp, missing, py-compile, test-driver: Update files from latest automake

2021-11-14 Arthur de Jong <arthur@arthurdejong.org>
* [9edf95c] tests/test.ldif, tests/test_ldapcmds.sh, tests/test_nsscmds.sh: Do not use user arthur in tests
  This makes it more complicated to run the tests on an environment where a local user arthur exists.

2021-11-14 Arthur de Jong <arthur@arthurdejong.org>
* [2862447] pynslcd/mypidfile.py: Fix running pynslcd without uid option
  Fixes 65695aa

2021-06-04 Ryan Tandy <ryan@nardis.ca>
* [15f67be] tests/config.ldif, tests/setup_slapd.sh: Support running tests with OpenLDAP 2.5
  - Change database backend to LMDB
  - Load external ppolicy schema conditionally

2021-11-03 Arthur de Jong <arthur@arthurdejong.org>
* [4c46eef] .github/workflows/test.yml: Configure CodeQL code scanning

2021-11-01 Arthur de Jong <arthur@arthurdejong.org>
* [906035b] man/nslcd.conf.5.xml, nslcd/cfg.c, tests/test_cfg.c: Support an empty search base
  This allows putting `base ""` in nslcd.conf to specify an empty search base. Note that the LDAP server needs to support this. With slapd this requires setting up an olcDefaultSearchBase attribute in the olcFrontendConfig object under cn=config or have the database have an empty suffix.
  Closes arthurdejong/nss-pam-ldapd#50

2021-10-17 Arthur de Jong <arthur@arthurdejong.org>
* [7d81616] common/expr.c, tests/test_expr.c: Support minus character in attribute expressions
  This requires the attribute name is contained within a ${var-name} expression.

2021-05-25 Arthur de Jong <arthur@arthurdejong.org>
* [6d5a2eb] nslcd/myldap.c: Retry connecting to the first URI after idle_timelimit
  This ensures that a connection to the first URI listed in the config file will be re-established once the connection is closed cleanly after the idle time. This ensures that the listed URIs are handled more in a primary/fallback manner if an idle time is configured.
  Closes arthurdejong/nss-pam-ldapd#46

2021-05-26 Arthur de Jong <arthur@arthurdejong.org>
* [5226a6f] .github/workflows/test.yml, .travis.yml, tests/setup_slapd.sh, tests/test_nsscmds.sh: Replace Travis with GitHub actions
  This includes a few tweaks to the test scripts to make debugging easier and to avoid issues on Github action runners.

2021-01-23 Arthur de Jong <arthur@arthurdejong.org>
* [d9710a2] man/nslcd.conf.5.xml, nslcd/cfg.c: Add tls_reqsan to check certificate SAN
  This option is passed to the LDAP library if it is supported.

2021-01-23 Arthur de Jong <arthur@arthurdejong.org>
* [026f08c] man/nslcd.conf.5.xml, nslcd/cfg.c: Add tls_crlfile to check local CRL file
  This option is passed to the LDAP library if it is supported.

2021-01-18 sebastienblavier <72022031+sebastienblavier@users.noreply.github.com>
* [78c00f1] man/nslcd.conf.5.xml, nslcd.conf, nslcd/cfg.c: Add tls_crlcheck to check Certificate Revocation List
  This option is passed to the LDAP library if it is supported.
  Closes arthurdejong/nss-pam-ldapd#41

2021-01-17 Arthur de Jong <arthur@arthurdejong.org>
* [d55bdb2] Makefile.am: Use the provided Python for `make distcheck`
  This ensures that if a Python interpreter was previously supplied to configure it is also used for subsequent calls to run a distribution check.

2021-01-17 Arthur de Jong <arthur@arthurdejong.org>
* [b7b812f] ar-lib, compile, depcomp, install-sh, missing, mkinstalldirs, py-compile, test-driver: Update files from latest automake

2020-09-11 Arthur de Jong <arthur@arthurdejong.org>
* [37a00e9] nslcd/myldap.c: Fix handling of the pam_authc_ppolicy option
  Check the result of the BIND operation instead of that of the ldap_result() call when pam_authc_ppolicy is set to "no". This could have resulted in successful authentication if the BIND operation to the LDAP server timed out and pam_authc_ppolicy was set to "no" but should not result in successful authentication otherwise so it is unlikely that setting pam_authc_ppolicy to "no" ever worked as intended. The timeout also would have to occur on the BIND operation, not on setting up the connection.
  Fixes 31cd2cf

2020-04-19 Arthur de Jong <arthur@arthurdejong.org>
* [18740fb] README: Fix typo
  Thanks Filip Dvorak
  See https://bugzilla.redhat.com/show_bug.cgi?id=1825240

2020-02-10 Arthur de Jong <arthur@arthurdejong.org>
* [b335518] man/nslcd.conf.5.xml: Fix typo in manual page
  Thanks Benedict Reuschling for pointing this out.
  Closes arthurdejong/nss-pam-ldapd#39
  Fixes b93838d

2019-11-11 Arthur de Jong <arthur@arthurdejong.org>
* [548efe5] nslcd/myldap.c: Log the correct timeout value
  This fixes logging of the LDAP_OPT_TIMEOUT, LDAP_OPT_NETWORK_TIMEOUT and LDAP_X_OPT_CONNECT_TIMEOUT options to actually log the value of the bind_timelimit option instead of the timelimit option.

2019-10-13 Arthur de Jong <arthur@arthurdejong.org>
* [fea0f5e] pynslcd/cfg.py, pynslcd/pam.py: Add pam_authc_ppolicy support in pynslcd
  See https://bugs.debian.org/900253

2019-10-13 Arthur de Jong <arthur@arthurdejong.org>
* [1025d5d] utils/chsh.py, utils/shells.py: Fix Python 3 compatibility in chsh.ldap

2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [c4daf27] AUTHORS, ChangeLog, NEWS, configure.ac, man/chsh.ldap.1.xml, man/getent.ldap.1.xml, man/nslcd.8.xml, man/nslcd.conf.5.xml, man/pam_ldap.8.xml, man/pynslcd.8.xml, nslcd/nslcd.c, utils/cmdline.py: Get files ready for 0.9.11 release

2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [69922e3] tests/test_doctest.sh: Fix Python interpreter detection in tests
  Fixes 644bc62

2019-10-06 Arthur de Jong <arthur@arthurdejong.org>
* [62522b9] tests/test_nsscmds.sh: Portability improvements to test suite
  Some test systems have more local users and some systems prefer IPv4 addresses over IPv6 addresses.

2019-09-17 Arthur de Jong <arthur@arthurdejong.org>
* [a8f4ed8] NEWS, common/expr.c, common/nslcd-prot.c, common/nslcd-prot.h, common/tio.c, compat/attrs.h, compat/ether.c, compat/getopt_long.c, compat/getopt_long.h, compat/getpeercred.h, compat/nss_compat.h, configure.ac, man/nslcd.conf.5.xml, nslcd.h, nslcd/attmap.h, nslcd/common.h, nslcd/daemonize.h, nslcd/invalidator.c, nslcd/myldap.c, nslcd/myldap.h, nslcd/pam.c, nslcd/passwd.c, nss/common.h, nss/hosts.c, nss/prototypes.h, pam/common.h, tests/common.h, tests/test_pynslcd_cache.py, tests/test_tio.c, utils/getent.py: Various spelling fixes

2019-09-10 Arthur de Jong <arthur@arthurdejong.org>
* [644bc62] .travis.yml, tests/test_doctest.sh: Fix Python interpreter detection
  Apparently some environments provide certain Python executables which are not working Python interpreters.

2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [768c4be] .gitignore, Makefile.am: Remove confinc.out which is left behind by aclocal.m4

2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [0252b05] pynslcd/shadow.py: Correctly validate shadow requests and responses

2019-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [cd887ef] pynslcd/Makefile.am, utils/Makefile.am: Update Python interpreter in installed scripts
  Ensure that the Python interpreter that is passed to configure ends up in the shebang of the Python scripts. This allows one to pass PYTHON=python3 to configure to install the scripts using the Python 3 interpreter.

2019-09-07 Arthur de Jong <arthur@arthurdejong.org>
* [d717795] .gitignore, pynslcd/alias.py, pynslcd/attmap.py, pynslcd/cache.py, pynslcd/cfg.py, pynslcd/common.py, pynslcd/ether.py, pynslcd/expr.py, pynslcd/group.py, pynslcd/host.py, pynslcd/invalidator.py, pynslcd/mypidfile.py, pynslcd/netgroup.py, pynslcd/network.py, pynslcd/pam.py, pynslcd/passwd.py, pynslcd/protocol.py, pynslcd/pynslcd.py, pynslcd/rpc.py, pynslcd/search.py, pynslcd/service.py, pynslcd/shadow.py, pynslcd/tio.py, tests/Makefile.am, tests/flake8.ini, tests/test_flake8.sh, tests/test_pynslcd_cache.py, utils/chsh.py, utils/getent.py, utils/nslcd.py, utils/users.py: Improve Python code style
  This also adds a flake8 test that checks code style. Note that this test is not run by default because it requires network access to create the virtualenv with the test software.

2019-09-02 Arthur de Jong <arthur@arthurdejong.org>
* [221ce5a] configure.ac, pynslcd/Makefile.am, pynslcd/attmap.py, pynslcd/cache.py, pynslcd/cfg.py, pynslcd/common.py, pynslcd/expr.py, pynslcd/invalidator.py, pynslcd/mypidfile.py, pynslcd/pam.py, pynslcd/pynslcd.py, pynslcd/search.py, pynslcd/tio.py, pynslcd/usermod.py, tests/Makefile.am, tests/test_doctest.sh, tests/test_ldapcmds.sh, tests/test_pycompile.sh, tests/test_pylint.sh, tests/test_pynslcd_cache.py, utils/Makefile.am, utils/getent.py, utils/nslcd.py: Add Python 3 support
  This ensures that both pynslcd and the command-line utilities work with Python3 as interpreter and runs some tests with all installed Python interpreters. This drops support for Python 2.6 and extends 5a84be2 to perform more testing with Python 3.

2018-09-08 Arthur de Jong <arthur@arthurdejong.org>
* [06ee886] nslcd/nslcd.c: Avoid logging unknown socket peer information
  This avoids logging the client PID when the underlying socket layer cannot provide the relevant information.

2018-09-05 Mizunashi Mana <mizunashi-mana@noreply.git>
* [bfcf002] utils/shells.py: Fix crash in chsh.ldap
  Specify result type of getusershell.
  Closes arthurdejong/nss-pam-ldapd#31
This ensures that a connection to the first URI listed in the config file will be re-established once the connection is closed cleanly after the idle time. This ensures that the listed URIs are handled more in a primary/fallback manner if an idle time is configured. Closes arthurdejong/nss-pam-ldapd#46
I've already created a ticket for this at redhat, but I think this is a better place to report this.
To connect to our LDAP slaves we use nslcd. Using nslcd we run into the following issue:
On our clients we have configured 4 LDAP slaves in the nslcd config file. The first two are the main ones, and the other 2 should only be used as fallback. What happens, after rebooting the first 2 servers, is nslcd only connecting to the fallback servers, and never returning to the main 2 servers. Also the man page states the concept of "fallback servers":
So in our case with 10000 clients, we normally perform maintenance in a sequential way, so we update server1, which moves all clients to server2, the next day we update server2, which moves all clients to server 3, etc... So we end up with one server servicing 10.000 clients, overloading and all kinds of nasty issues.
What I expect to occur, is that if the connection idle timeout kicks in (idle_timelimit), and the current TCP session is closed, after that, the first server in the list is retried instead of the last one used.
I looked into the nslcd code, and I think this issue is in all versions of nslcd. A simple fix would be to add "session->current_uri = 0" on line 1065 of myldap.c
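The failover behaviour described in the report, and the effect of the proposed `current_uri = 0` reset after an idle close, as an added C model. This is not nslcd's code: `struct server`, `struct session`, `session_connect`, `session_lost`, `session_idle_close`, `maintenance_scenario` and `all_down_scenario` are hypothetical names, the `reset_on_idle` flag stands in for the one-line change the report proposes, the server list and up/down states are constructed, and the only property of nslcd being modelled is the one the report states: the next connection attempt starts from the last URI used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model (not nslcd's own code) of how a session picks a server
   from the configured "uri" list. The model keeps, like nslcd, the index of
   the last URI used and starts the next connection attempt there. */
struct server {
    const char *uri;
    bool up;              /* constructed: simulates whether the server answers */
};

struct session {
    struct server *servers;
    size_t nservers;
    size_t current_uri;   /* index of the last URI a connection was made to */
    bool connected;
    bool reset_on_idle;   /* hypothetical: apply "current_uri = 0" on idle close */
};

/* Walk the list starting at current_uri, wrapping around, and "connect" to
   the first server that is up. Returns its index, or -1 if none answers. */
int session_connect(struct session *s)
{
    for (size_t i = 0; i < s->nservers; i++) {
        size_t idx = (s->current_uri + i) % s->nservers;
        if (s->servers[idx].up) {
            s->current_uri = idx;
            s->connected = true;
            return (int)idx;
        }
    }
    s->connected = false;
    return -1;
}

/* The peer went away (for example it was rebooted): the session is dropped
   but current_uri is left alone, so failover resumes from the failed server. */
void session_lost(struct session *s)
{
    s->connected = false;
}

/* idle_timelimit expired and the connection was closed cleanly. Without the
   fix nothing changes; with it the next attempt starts from the first URI. */
void session_idle_close(struct session *s)
{
    s->connected = false;
    if (s->reset_on_idle)
        s->current_uri = 0;
}

/* Replays the maintenance scenario from the report with four servers, the
   first two being the ones that should normally serve clients. Returns the
   index of the server the client ends up on after the idle reconnect. */
int maintenance_scenario(bool reset_on_idle)
{
    struct server servers[] = {   /* constructed URIs, not real hosts */
        { "ldap://server1.example/", true },
        { "ldap://server2.example/", true },
        { "ldap://server3.example/", true },
        { "ldap://server4.example/", true },
    };
    struct session s = { servers, 4, 0, false, reset_on_idle };

    session_connect(&s);             /* normal operation: on server1 */
    servers[0].up = false;           /* server1 and server2 are rebooted */
    servers[1].up = false;
    session_lost(&s);
    session_connect(&s);             /* client fails over to server3 */
    servers[0].up = true;            /* the primaries are back */
    servers[1].up = true;
    session_idle_close(&s);          /* idle_timelimit closes the session */
    return session_connect(&s);      /* where does the client reconnect? */
}

/* Edge case: every configured server is down; -1 regardless of the fix. */
int all_down_scenario(void)
{
    struct server servers[] = { { "ldap://server1.example/", false },
                                { "ldap://server2.example/", false } };
    struct session s = { servers, 2, 0, false, true };
    return session_connect(&s);
}

int main(void)
{
    printf("without reset: reconnects to index %d\n", maintenance_scenario(false));
    printf("with reset:    reconnects to index %d\n", maintenance_scenario(true));
    return 0;
}
```

Without the reset the client stays on index 2 (server3) after the idle close, which is the sticky-fallback behaviour the report describes; with the reset it goes back to index 0. As the maintainer's comment notes, the reset only ever runs when the connection is closed because of `idle_timelimit`, so a deployment that leaves `idle_timelimit` unset never triggers it.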