Page MenuHomePhabricator

ssh-key-ldap-lookup should support multiple ldap servers
Closed, ResolvedPublic

Description

an ldap outage in eqiad ldap will make all ssh logins to instances to fail, afaict ssh-key-ldap-lookup can't fallback to additional servers from /etc/ldap.yaml

with open('/etc/ldap.yaml') as f:
    config = yaml.safe_load(f)

conn = connect(config['servers'][0], config['user'], config['password'])
if args.enable_servicegroups and args.username.startswith(PROJECT_NAME + '.'):
    groupname = 'cn=%s,ou=servicegroups,%s' % (
        args.username, config['basedn']
    )
    keys = get_group_keys(conn, groupname)
else:
    username = 'uid=%s,ou=people,%s' % (args.username, config['basedn'])
    keys = get_user_keys(conn, username)
for key in keys:
    # Some keys have an accidental newline at the end, see T77902
    print key.strip()

Event Timeline

hashar removed a subscriber: hashar.Mar 22 2016, 10:36 AM

Change 278944 had a related patch set uploaded (by Rush):
ssh-key-ldap-lookup multiple server array handling

https://gerrit.wikimedia.org/r/278944

Change 278944 merged by Rush:
ssh-key-ldap-lookup multiple server array handling

https://gerrit.wikimedia.org/r/278944

chasemp closed this task as Resolved.Mar 22 2016, 6:46 PM
chasemp claimed this task.

seems to handle the failure case now