ldappool/ldappool/tests
Nathan Kinder 3f0ea8533a Handle retry logic for timeouts with multiple LDAP servers
It is currently possible to specify multiple LDAP server URIs
for failover purposes when using LDAP connection pooling, as this
functionality is provided in the underlying python-ldap module.
Unfortunately, failover does not work properly if LDAP timeout
issues are encountered due to the way python-ldap works.  If multiple
URLs are provided, the first URL that results in a successful TCP
connection is considered to be a successful LDAP connection.  If the
initial bind operation fails due to a timeout waiting for an LDAP
response from the server, it will never failover to additional
URIs.  It is easy to demonstrate this behavior by forcing an LDAP
server to hang (attach with gdb to halt the process), then using
that server as the first URI when creating a connection pool.

This patch adds proper failover logic to ldappool.  If multiple URIs
are provided, we split them and attempt to connect to them one-by-one
until we have either had a successful LDAP bind operation, or we have
exhausted the list of URIs.  The connection retry logic is processed
per-URI as well, meaning we will attempt to reconnect to the first
URI up to the requested retry limit, then we will failover to the
next URI and reset the retry count.

The ldap.TIMEOUT exception was not raised to the caller like some
of the other common LDAP exceptions we might encounter.  We should
raise the TIMEOUT exception instead of the more generic BackendError
exception to provide more detail to the calling code.

Change-Id: Iabc13363d2425e70a53163249e5389d336274533
2018-10-31 12:39:26 -07:00
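
The per-URI retry and failover behaviour described in the commit message above, as an added sketch that is not ldappool's own code. The Timeout and ServerDown classes stand in for ldap.TIMEOUT and ldap.SERVER_DOWN, and bind_with_failover, make_fake_backend and the example.test URIs are hypothetical names constructed so the block runs without an LDAP server; it assumes the URIs arrive as one whitespace-separated string.

```python
class Timeout(Exception):
    """Stand-in for ldap.TIMEOUT (constructed for this example)."""

class ServerDown(Exception):
    """Stand-in for ldap.SERVER_DOWN (constructed for this example)."""

def bind_with_failover(uris, connect_and_bind, retry_max=3):
    """Try each URI in order, retrying each up to retry_max times.

    Success means a completed bind, not merely an open TCP connection.
    Returns (connection, attempts); attempts lists (uri, attempt_number).
    If every URI fails, the last error (e.g. Timeout) reaches the caller
    unchanged instead of being wrapped in a generic exception.
    """
    uri_list = uris.split()
    if not uri_list:
        raise ValueError("no LDAP URIs supplied")
    attempts, last_exc = [], None
    for uri in uri_list:
        # The retry counter restarts at 1 for every URI.
        for attempt in range(1, retry_max + 1):
            attempts.append((uri, attempt))
            try:
                return connect_and_bind(uri), attempts
            except (Timeout, ServerDown) as exc:
                last_exc = exc
    raise last_exc

def make_fake_backend(behaviour):
    """Constructed test double: maps a URI to its outcome per attempt
    ("timeout", "down" or "ok"); the last outcome repeats."""
    calls = {}
    def connect_and_bind(uri):
        n = calls.get(uri, 0)
        calls[uri] = n + 1
        outcome = behaviour[uri][min(n, len(behaviour[uri]) - 1)]
        if outcome == "timeout":
            raise Timeout(uri)  # TCP connect worked, bind never answered
        if outcome == "down":
            raise ServerDown(uri)
        return "bound:" + uri
    return connect_and_bind

if __name__ == "__main__":
    backend = make_fake_backend({
        "ldap://hung.example.test": ["timeout"],     # halted server
        "ldap://good.example.test": ["down", "ok"],  # recovers on retry
    })
    uris = "ldap://hung.example.test ldap://good.example.test"
    print(bind_with_failover(uris, backend, retry_max=2))
```
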
..
__init__.py initial import of server-core's ldappool 2011-10-28 17:10:59 +02:00
test_ldapconnection.py Handle retry logic for timeouts with multiple LDAP servers 2018-10-31 12:39:26 -07:00
test_ldappool.py Fix pool_full race condition 2016-05-12 19:16:28 -07:00