<div>                Does anyone on the keystone team want to comment on this?<br>            </div>            <div class="yahoo_quoted" style="margin:10px 0px 0px 0.8ex;border-left:1px solid #ccc;padding-left:1ex;">                        <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">                                <div>                    On Thursday, July 20, 2023 at 03:14:23 PM EDT, Albert Braden &lt;ozzzo@yahoo.com&gt; wrote:                </div>                <div><br></div>                <div><br></div>                <div><div id="yiv0459722139"><div><div>                When you say "solve this stuff in the ldappool library" are you talking about moving the broken server to the end of the pool instead of removing it?<br clear="none"><br clear="none">Since the first server in the URL is always used, and failover doesn't seem to work, it seems like moving the broken URL to the end of the list would be a good solution, and that would eliminate the problem of having to add it back after it starts working again.<br clear="none"><br clear="none">I'm looking at the ldappool code here: https://opendev.org/openstack/ldappool/src/branch/master/ldappool/__init__.py<br clear="none"><br clear="none">So far it's not obvious to me how the pool is being assembled. What is the relationship between the LDAP URLs in the Keystone config, and the connections in the pool? 
What would have to change, to allow a failing URL to be treated as if it were not the first one in the list?<br clear="none">            </div>            <div id="yiv0459722139yqt86102" class="yiv0459722139yqt0814814609"><div style="margin:10px 0px 0px 0.8ex;border-left:1px solid #ccc;padding-left:1ex;" class="yiv0459722139yahoo_quoted">                        <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">                                <div>                    On Wednesday, July 19, 2023 at 11:46:25 AM EDT, Sven Kieske &lt;kieske@osism.tech&gt; wrote:                </div>                <div><br clear="none"></div>                <div><br clear="none"></div>                <div><div dir="ltr">Hi,<br clear="none"><br clear="none">I noticed that <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://review.opendev.org/c/openstack/keystone/+/860118">https://review.opendev.org/c/openstack/keystone/+/860118</a><br clear="none">is also linked from your bugzilla link.<br clear="none"><br clear="none">I wasn't aware of the work in<br clear="none"><a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://review.opendev.org/c/openstack/keystone/+/821086">https://review.opendev.org/c/openstack/keystone/+/821086</a><br clear="none"><br clear="none">I'm currently trying to fix the ldap breakage in keystone.<br clear="none"><br clear="none">During the last keystone reviewathons it became clear that it would<br clear="none">be better to solve this stuff in the ldappool library itself.<br clear="none"><br clear="none">Regarding the overall project status I guess it's fair to say<br clear="none">that ldap support is pretty dormant right now.<br clear="none"><br clear="none">This is my first dive into the keystone codebase, so I guess it's safe<br clear="none">to say that additional people interested in ldap would be more than<br clear="none">welcome.<br clear="none"><br 
clear="none">But I guess the core keystone team can say more about this.<br clear="none"><br clear="none">Having said all this, I guess this explains the general status of ldap<br clear="none">related patches in keystone.<br clear="none"><br clear="none">HTH &amp; kind regards<br clear="none">On Wednesday, 19.07.2023 at 14:55 +0000, Albert Braden wrote:<div id="yiv0459722139yqtfd84185" class="yiv0459722139yqt1718397209"><br clear="none">> We are experiencing the LDAP failover issue described in [1].<br clear="none">> Redhat’s solution is to not bother fixing the bug, and to tell<br clear="none">> customers to put the LDAP server behind a load-balancer. According to<br clear="none">> Redhat, that is not a good solution for FreeIPA, as explained in [2]<br clear="none">> and further elucidated in the blog post [3] that it references. I see<br clear="none">> that the community has a bug open for this [4] and the bug is being<br clear="none">> worked on here [5] but there has been no activity since 10/22.<br clear="none">> <br clear="none">> What is the status of this bugfix? Does it just need someone to<br clear="none">> review and merge it, or is there more work to be done? 
How are other<br clear="none">> FreeIPA users working around this problem?<br clear="none">> <br clear="none">> [1] <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://bugzilla.redhat.com/show_bug.cgi?id=2024602#c3">https://bugzilla.redhat.com/show_bug.cgi?id=2024602#c3</a><br clear="none">> [2]<br clear="none">> <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/load-balancing">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/load-balancing</a><br clear="none">> [3] <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="http://ssimo.org/blog/id_019.html">http://ssimo.org/blog/id_019.html</a><br clear="none">> [4] <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://bugs.launchpad.net/keystone/+bug/1953622">https://bugs.launchpad.net/keystone/+bug/1953622</a><br clear="none">> [5] <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://review.opendev.org/c/openstack/keystone/+/821086">https://review.opendev.org/c/openstack/keystone/+/821086</a></div><br clear="none">> <br clear="none"><br clear="none">-- <br clear="none">Sven Kieske<br clear="none">Senior Cloud Engineer<br clear="none"><br clear="none">Mail: <a rel="nofollow noopener noreferrer" shape="rect" ymailto="mailto:kieske@osism.tech" target="_blank" href="mailto:kieske@osism.tech">kieske@osism.tech</a><br clear="none">Web: <a rel="nofollow noopener noreferrer" shape="rect" target="_blank" href="https://osism.tech">https://osism.tech</a><br clear="none"><br clear="none">OSISM GmbH<br clear="none">Teckstraße 62 / 70190 Stuttgart / Germany<br clear="none"><br clear="none">Managing Director: Christian Berendt<br clear="none">Registered office: Stuttgart<br 
clear="none">District court: Stuttgart, HRB 756139<div id="yiv0459722139yqtfd24843" class="yiv0459722139yqt1718397209"><br clear="none"><br clear="none"><br clear="none"></div></div></div>            </div>                </div></div></div></div></div>            </div>                </div>
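The idea raised in this thread, moving a failing LDAP URL to the end of the list instead of removing it, sketched as an added example; it is not code from ldappool or keystone. The `FailoverUrls` class, the injected `connect` callable, the comma-separated URL string and the `example.test` hosts are all assumptions made for illustration.

```python
from collections import deque


class FailoverUrls:
    """Ordered LDAP URL list; a URL that fails to connect is demoted to the end.

    Hypothetical helper for illustration, not an ldappool or keystone API.
    """

    def __init__(self, url_string, connect):
        # Assumed input: a comma-separated URL string.
        self.urls = deque(u.strip() for u in url_string.split(",") if u.strip())
        if not self.urls:
            raise ValueError("no LDAP URLs configured")
        self._connect = connect  # callable(url) -> connection, raises ConnectionError

    def get_connection(self):
        errors = []
        # Try each URL at most once per call, always starting at the head.
        for _ in range(len(self.urls)):
            url = self.urls[0]
            try:
                return url, self._connect(url)
            except ConnectionError as exc:
                errors.append((url, str(exc)))
                self.urls.rotate(-1)  # failing URL moves to the end, stays in the list
        raise ConnectionError(f"all LDAP servers failed: {errors}")


def demo():
    # Constructed scenario: the first configured server is down.
    down = {"ldaps://ipa1.example.test"}

    def fake_connect(url):
        if url in down:
            raise ConnectionError("unreachable")
        return f"conn:{url}"

    pool = FailoverUrls(
        "ldaps://ipa1.example.test, ldaps://ipa2.example.test, ldaps://ipa3.example.test",
        fake_connect,
    )
    first_url, _ = pool.get_connection()
    order_after_failure = list(pool.urls)
    down.clear()  # ipa1 recovers; it is still in the list, so nothing has to be re-added
    second_url, _ = pool.get_connection()
    return first_url, order_after_failure, second_url
```

Because the demoted URL is never dropped, a recovered server is used again as soon as the servers ahead of it fail, and an outage of every server leaves the configured order unchanged.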