
twisted hangs when providing wrong host name

Open cornelinux opened this issue 8 years ago • 9 comments

With host = "ldap://1.2.3.4" set in section [ldap-backend] of config.ini, twisted runs into this error:

2017-02-12T08:39:37+0100 [pi_ldapproxy.proxy.ProxyServerFactory] Unhandled Error
	Traceback (most recent call last):
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/python/log.py", line 86, in callWithContext
	    return context.call({ILogContext: newCtx}, func, *args, **kw)
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
	    return self.currentContext().callWithContext(ctx, func, *args, **kw)
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
	    return func(*args,**kw)
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/internet/posixbase.py", line 597, in _doReadOrWrite
	    why = selectable.doRead()
	--- <exception caught here> ---
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/internet/tcp.py", line 1073, in doRead
	    protocol.makeConnection(transport)
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/internet/protocol.py", line 494, in makeConnection
	    self.connectionMade()
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/ldaptor/protocols/ldap/proxybase.py", line 40, in connectionMade
	    d = self.clientConnector()
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapconnector.py", line 22, in connectToLDAPEndpoint
	    e = clientFromString(reactor, endpointStr)
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/internet/endpoints.py", line 1856, in clientFromString
	    kwargs = _clientParsers[name](*args, **kwargs)
	  File "/home/cornelius/src/privacyidea-ldap-proxy/venv/local/lib/python2.7/site-packages/twisted/internet/endpoints.py", line 1579, in _parseClientTCP
	    kwargs['port'] = int(args[0])
	exceptions.ValueError: invalid literal for int() with base 10: '//10.0.1.161'

Also see #3.

The other problem is that twisted hangs and will not respond to any other request!

cornelinux avatar Feb 12 '17 08:02 cornelinux
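The traceback shows why the URL form breaks the proxy: Twisted's client endpoint string is colon-delimited (`tcp:host:port`), so `ldap://1.2.3.4` puts `//1.2.3.4` into the port slot. A startup check that validates the setting before the first bind, as an added example and not code from privacyidea-ldap-proxy (the function name and the `port`/`timeout` arguments are assumptions):

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical helper, not the proxy's own code: turn the [ldap-backend]
# "host" setting into a Twisted client endpoint string, and fail fast on
# values that would otherwise land in the port slot of "tcp:<host>:<port>".
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def backend_endpoint(host_value, port=389, timeout=5):
    """Return e.g. 'tcp:host=10.0.1.161:port=389:timeout=5'.

    Accepts a bare hostname, an IPv4 literal or an ldap(s)://host[:port]
    URL; a port inside the URL wins over the `port` argument, and ldaps
    without an explicit port defaults to 636.  Anything else raises
    ValueError with a message naming the offending value.
    """
    value = host_value.strip().strip("\"'")
    if not value:
        raise ValueError("ldap-backend host is empty")
    use_tls = False
    if "://" in value:
        url = urlsplit(value)
        if url.scheme not in ("ldap", "ldaps"):
            raise ValueError("unsupported scheme %r in ldap-backend host %r"
                             % (url.scheme, value))
        if url.path not in ("", "/") or url.query or url.fragment:
            raise ValueError("ldap-backend host must not carry a path: %r" % value)
        use_tls = url.scheme == "ldaps"
        if url.port is not None:
            port = url.port
        elif use_tls:
            port = 636
        value = url.hostname or ""
    if not 1 <= int(port) <= 65535:
        raise ValueError("ldap-backend port out of range: %r" % port)
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        if not _HOSTNAME_RE.match(value):
            raise ValueError("ldap-backend host %r is neither a hostname "
                             "nor an IPv4 address" % value)
    # "tls:" assumes a Twisted release that ships the tls client endpoint parser.
    kind = "tls" if use_tls else "tcp"
    return "%s:host=%s:port=%d:timeout=%d" % (kind, value, int(port), int(timeout))
```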

Right, we should definitely handle this case better.

Similarly, if the syntax of the host value is correct, but the given server is unavailable, we only notice when we issue the first bind request: Then, the LDAP proxy tries to connect to the LDAP backend, but the connection only times out after 30 seconds (well, it seems like 30 seconds).

Maybe we should do a "test connection" to the LDAP backend on startup (with the possibility to opt out?) to notice this kind of error as early as possible?

fredreichbier avatar Feb 16 '17 13:02 fredreichbier

Sounds good to me.

Are there any implementations in regards to round robin? We should be able to decrease the 30 secs timeout. Hm, 30 secs. Could this be a system timeout? If so, imho it would be enough to note in the readme how to reduce the timeout.

cornelinux avatar Feb 16 '17 13:02 cornelinux

As of d0624f69, we can now specify a connection establishment timeout in the config file.

By round robin, do you mean the possibility of specifying LDAP backend servers and connecting to them in a round-robin fashion? I'm not sure if Twisted provides something like that out of the box, but I can do some research. :-)

fredreichbier avatar Feb 16 '17 16:02 fredreichbier

I know this from the ldap3 python module. You can have a server pool. When it tries to connect to the server pool it tries the first server. If the server does not respond within the timeout, then the server is removed from the pool for a certain time and the next server is requested.

cornelinux avatar Feb 16 '17 16:02 cornelinux

I did some research and did not find anything that we could use -- but we could always build a simple server pool ourselves. I've opened #11 for that.

fredreichbier avatar Feb 17 '17 15:02 fredreichbier
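A minimal pool with the behaviour described for ldap3 above (round robin, a failed server removed for a cooldown and then retried), as an added illustration rather than the implementation tracked in #11; the `attempt` callable, the injectable `clock` and the synchronous style are assumptions made so it runs without Twisted:

```python
import time

class ServerPool:
    """Round-robin pool of LDAP backends (illustration, not the proxy's code).

    A server whose connection attempt fails is quarantined for `cooldown`
    seconds and skipped until that time has passed; `clock` is injectable
    so the behaviour can be tested without waiting.
    """

    def __init__(self, servers, cooldown=60.0, clock=time.monotonic):
        if not servers:
            raise ValueError("server pool must not be empty")
        self._servers = list(servers)
        self._cooldown = cooldown
        self._clock = clock
        self._next = 0                 # index of the server to try first
        self._retry_after = {}         # server -> clock value when it may be retried

    def candidates(self):
        """Servers to try in round-robin order; quarantined ones only as last resort."""
        now = self._clock()
        order = self._servers[self._next:] + self._servers[:self._next]
        self._next = (self._next + 1) % len(self._servers)
        live = [s for s in order if self._retry_after.get(s, 0) <= now]
        # If every backend is quarantined, still try them rather than refusing.
        return live or order

    def mark_failed(self, server):
        self._retry_after[server] = self._clock() + self._cooldown

    def mark_ok(self, server):
        self._retry_after.pop(server, None)

    def connect(self, attempt):
        """Call attempt(server) on each candidate; return (server, result) of the
        first success, otherwise raise ConnectionError chained to the last failure."""
        last = None
        for server in self.candidates():
            try:
                result = attempt(server)
            except Exception as exc:   # timeout, refused, DNS failure, ...
                self.mark_failed(server)
                last = exc
                continue
            self.mark_ok(server)
            return server, result
        raise ConnectionError("no LDAP backend reachable") from last
```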

7f017ade adds the feature of testing the connection to the LDAP backend on startup -- it just performs an anonymous bind followed by an unbind. Right now, it just prints a message to the log (on success and in the case of an error), but doesn't exit the daemon.

fredreichbier avatar Feb 17 '17 15:02 fredreichbier

b45fca56ccd0ce00443bae1f0ce7594bcaa28d07 uses the service account to test the connection.

fredreichbier avatar Jun 28 '17 18:06 fredreichbier

Can we close this? Or does it still hang - we only get a reasonable error message?

cornelinux avatar Jun 28 '17 19:06 cornelinux

I just noticed: In case the proxy cannot reach the LDAP backend (e.g. wrong IP), it prints a message to the log only after a 30 second timeout. Maybe we should just sys.exit(1) in case the LDAP backend cannot be reached (which could take 30 seconds, however)?

fredreichbier avatar Jun 29 '17 17:06 fredreichbier