Page MenuHomePhabricator
Create Task
Maniphest T130583

ssh-key-ldap-lookup should support multiple ldap servers
Closed, ResolvedPublic
Actions

Description

an ldap outage in eqiad ldap will make all ssh logins to instances to fail, afaict ssh-key-ldap-lookup can't fallback to additional servers from /etc/ldap.yaml

with open('/etc/ldap.yaml') as f:
    config = yaml.safe_load(f)

conn = connect(config['servers'][0], config['user'], config['password'])
if args.enable_servicegroups and args.username.startswith(PROJECT_NAME + '.'):
    groupname = 'cn=%s,ou=servicegroups,%s' % (
        args.username, config['basedn']
    )
    keys = get_group_keys(conn, groupname)
else:
    username = 'uid=%s,ou=people,%s' % (args.username, config['basedn'])
    keys = get_user_keys(conn, username)
for key in keys:
    # Some keys have an accidental newline at the end, see T77902
    print key.strip()

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+22 -2ssh-key-ldap-lookup multiple server array handling
Customize query in gerrit

Related Objects
Search...

Event Timeline

fgiunchedi created this task.Mar 22 2016, 9:45 AM
hashar removed a subscriber: hashar.Mar 22 2016, 10:36 AM
gerritbot added a subscriber: gerritbot.Mar 22 2016, 5:59 PM

Change 278944 had a related patch set uploaded (by Rush):
ssh-key-ldap-lookup multiple server array handling

https://gerrit.wikimedia.org/r/278944

gerritbot added a project: Patch-For-Review.Mar 22 2016, 5:59 PM
gerritbot added a comment.Mar 22 2016, 6:14 PM

Change 278944 merged by Rush:
ssh-key-ldap-lookup multiple server array handling

https://gerrit.wikimedia.org/r/278944

chasemp closed this task as Resolved.Mar 22 2016, 6:46 PM
chasemp claimed this task.

seems to handle the failure case now

Billinghurst removed a subscriber: Billinghurst.Mar 23 2016, 1:14 AM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:43 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL