Page MenuHomePhabricator

ssh-key-ldap-lookup should support multiple ldap servers
Closed, ResolvedPublic


an ldap outage in eqiad ldap will make all ssh logins to instances to fail, afaict ssh-key-ldap-lookup can't fallback to additional servers from /etc/ldap.yaml

with open('/etc/ldap.yaml') as f:
    config = yaml.safe_load(f)

conn = connect(config['servers'][0], config['user'], config['password'])
if args.enable_servicegroups and args.username.startswith(PROJECT_NAME + '.'):
    groupname = 'cn=%s,ou=servicegroups,%s' % (
        args.username, config['basedn']
    keys = get_group_keys(conn, groupname)
    username = 'uid=%s,ou=people,%s' % (args.username, config['basedn'])
    keys = get_user_keys(conn, username)
for key in keys:
    # Some keys have an accidental newline at the end, see T77902
    print key.strip()

Event Timeline

Change 278944 had a related patch set uploaded (by Rush):
ssh-key-ldap-lookup multiple server array handling

Change 278944 merged by Rush:
ssh-key-ldap-lookup multiple server array handling

chasemp claimed this task.

seems to handle the failure case now