Feature Request:

When using TLS auth configured like this:

```
vault write auth/ldap/config url="ldaps://ad.example.com" starttls=true insecure_tls=false
```

and DNS ad.example.com resolves to >1 A/AAAA records.

If there is a network error, Vault doesn't try again with a different host; instead it just fails. Assuming the error is a network error, it would be nice if it would try again with a different host.

Obviously, if you retry authentication, it will likely try a different host, so you can eventually auth, but you have to manually retry.

Environment:

Vault Version: 0.8.1
Operating System/Architecture: Linux/x86
Vault Config File:
Startup Log Output:

Expected Behavior:

On network failure, it would try again, assuming there are more hosts from DNS A records to try.

Actual Behavior:

```
Error making API request.

URL: PUT https://vault.service.consul:8200/v1/auth/ldap/login/
Code: 400. Errors:

1 error occurred:

error connecting to host "ldaps://ad.example.com": LDAP Result Code 200 "Network Error": x509: certificate is valid for SHDC.example.com, not example.com
```

The x509 cert problem is obviously MY problem (and it's being worked on, internally). I don't expect you to fix my cert issues :) For the time being we are using insecure_tls=true, until the AD team can figure out their cert problems, but at least they turned certs ON finally! :)

Steps to Reproduce:

Have a network error on an LDAP server, and watch Vault fail without retry.

Important Factoids:

References:
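The behaviour the request asks for, as an added example in Go (this is not Vault's code and not from the issue author): resolve the configured hostname to every A/AAAA record and try each address in turn, recording every attempt. The names `Resolver`, `Dialer`, `Attempt` and `ConnectAny` are hypothetical, introduced so the logic can be driven with a simulated resolver and dialer offline; the hostname and addresses in the stand-alone run are constructed. Two points a defender should want from such a fallback are built in: `ServerName` stays pinned to the configured hostname and `insecure_tls` stays whatever was configured, so failing over to the next address never loosens certificate verification, and every failed attempt is kept so an error like the x509 mismatch in the report above is still visible in the log even when a later address succeeds. Note that the error quoted in the report is a certificate-name failure surfaced by the LDAP library as "Network Error"; trying another address only helps when that host presents a certificate that is valid for the configured name.

```go
// Added example, not Vault's own code: try every resolved address for an LDAPS
// host until one TLS handshake succeeds, without weakening verification.
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"time"
)

// Resolver returns the IP addresses a hostname resolves to (hypothetical type).
type Resolver func(ctx context.Context, host string) ([]string, error)

// Dialer opens a TLS connection to a host:port address using cfg (hypothetical type).
type Dialer func(ctx context.Context, addr string, cfg *tls.Config) (net.Conn, error)

// Attempt records the outcome of one connection attempt; Err is nil on success.
type Attempt struct {
	Addr string
	Err  error
}

// ErrAllHostsFailed wraps the per-address errors when no address accepted a connection.
var ErrAllHostsFailed = errors.New("all resolved hosts failed")

// ConnectAny resolves host and tries each address in order. It returns the
// connection, the address that worked, and every attempt made (for logging).
func ConnectAny(ctx context.Context, host, port string, insecure bool, resolve Resolver, dial Dialer) (net.Conn, string, []Attempt, error) {
	ips, err := resolve(ctx, host)
	if err != nil {
		return nil, "", nil, fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, "", nil, fmt.Errorf("resolve %q: no addresses", host)
	}
	// ServerName is the configured hostname, not the candidate IP, so every
	// address's certificate is checked against the same name as a single host would be.
	cfg := &tls.Config{ServerName: host, InsecureSkipVerify: insecure, MinVersion: tls.VersionTLS12}

	var attempts []Attempt
	for _, ip := range ips {
		addr := net.JoinHostPort(ip, port)
		conn, err := dial(ctx, addr, cfg.Clone())
		if err == nil {
			attempts = append(attempts, Attempt{Addr: addr})
			return conn, addr, attempts, nil
		}
		attempts = append(attempts, Attempt{Addr: addr, Err: err})
		if ctx.Err() != nil { // overall deadline reached: stop instead of walking the rest
			break
		}
	}
	return nil, "", attempts, fmt.Errorf("%w: %s", ErrAllHostsFailed, summarize(attempts))
}

// summarize joins every failed attempt into one message so nothing is hidden.
func summarize(attempts []Attempt) string {
	s := ""
	for i, a := range attempts {
		if i > 0 {
			s += "; "
		}
		s += fmt.Sprintf("%s: %v", a.Addr, a.Err)
	}
	return s
}

// SystemResolver and TLSDialer are the real implementations for production use.
func SystemResolver(ctx context.Context, host string) ([]string, error) {
	return net.DefaultResolver.LookupHost(ctx, host)
}

func TLSDialer(ctx context.Context, addr string, cfg *tls.Config) (net.Conn, error) {
	d := &tls.Dialer{NetDialer: &net.Dialer{Timeout: 5 * time.Second}, Config: cfg}
	return d.DialContext(ctx, "tcp", addr)
}

func main() {
	// Stand-alone run against the real network; ad.example.com is a constructed name.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	conn, addr, attempts, err := ConnectAny(ctx, "ad.example.com", "636", false, SystemResolver, TLSDialer)
	for _, a := range attempts {
		fmt.Printf("attempt %s: %v\n", a.Addr, a.Err)
	}
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer conn.Close()
	fmt.Println("connected via", addr)
}
```

Design note: the loop does not classify errors before moving on. That is deliberate for a pool of equivalent directory servers, since a host with a bad certificate and a host that is down both justify trying the next record; what matters is that the verification settings are identical for every attempt and the per-address reasons are all reported, so a misconfigured server is noticed rather than masked by a healthy sibling.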
Issues that are not reproducible and/or have not had any interaction for a long time are stale issues. Sometimes even the valid issues remain stale, lacking traction either by the maintainers or the community. In order to provide faster responses and better engagement with the community, we strive to keep the issue tracker clean and the issue count low. In this regard, our current policy is to close stale issues after 30 days. Closed issues will still be indexed and available for future viewers. If users feel that the issue is still relevant but is wrongly closed, we encourage reopening them.