[python-ldap] Strange network problems?

Michael Ströder michael at stroeder.com
Mon Sep 18 12:35:35 EDT 2017


Aigars Grins wrote:
> I have a python daemon that uses gevent + daemonize + python-ldap.
> That python daemon runs on a Debian 8 machine and connects to an
> OpenLDAP daemon running on FreeBSD. Now and then the LDAP daemon is
> restarted. When that happens, the python daemon loses its
> capability to create new connections. [SERVER_DOWN] {'info': "Error
> in the system's randomness device.", 'errno': 11, 'desc': "Can't
> contact LDAP server"}

libldap on Debian is linked against GnuTLS. Maybe there's an issue with 
that? Sure there's enough entropy? Does GnuTLS do OCSP queries, CRL 
lookups or similar under the hood?

Which version of python-ldap is this?

> Also, any existing connections are now somehow broken. When the
> python daemon code tries to use them, they block. Even though I use
> `search_st(timeout = 120.0)`. Trying to create new connections can
> sometimes, but not always, also block. Even though I use `cnxn =
> initialize(url); cnxn.set_option(OPT_NETWORK_TIMEOUT, 10.0);
> cnxn.set_option(OPT_X_TLS_NEWCTX, 0); cnxn.simple_bind(bind,
> password)`. Most often though, new connections are simply not
> possible to create.

I have no idea what's going on in your code but some remarks for the 
general understanding:

When opening new connections via libldap a module-wide lock is used in 
module-wide ldap to serialize the calls to libldap's function 
ldap_initialize() but which only initializes the struct in libldap. Of 
course this affects reconnecting in ReconnectLDAPObject. So if your LDAP 
server is restarted reconnecting hits the module-wide locking and 
reconnecting a connection pool will be serialized.

If you set ldap._trace_level = 3 then you should see whether global or 
connection-specific lock is used.

BTW: Do you really need a connection pool for parallel long-running LDAP 
queries?

> Previously I've had a related issue which I believe is more to do with
> gevent.

Sorry, I have never used gevent.

Ciao, Michael.
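
A minimal model of the serialization described in the reply above, added here as an illustration; it is not code from python-ldap or from either poster. `MODULE_LOCK`, `slow_setup` and `reconnect_pool` are hypothetical names, plain threads are used, and the fixed delay is an assumed stand-in for the time each guarded call takes.

```python
import threading
import time

# Model only: stand-in for one lock shared by every connection in the process.
MODULE_LOCK = threading.Lock()

class Tracker:
    """Counts how many workers are inside the guarded call at the same time."""
    def __init__(self):
        self._guard = threading.Lock()
        self.active = 0
        self.peak = 0

    def __enter__(self):
        with self._guard:
            self.active += 1
            self.peak = max(self.peak, self.active)

    def __exit__(self, *exc):
        with self._guard:
            self.active -= 1

def slow_setup(tracker, delay):
    """Hypothetical stand-in for the guarded call; `delay` is an assumed cost."""
    with tracker:
        time.sleep(delay)

def reconnect_pool(size, delay, shared_lock):
    """Reconnect `size` pool members in parallel threads.

    shared_lock=True  -> every member takes MODULE_LOCK (the serialized case).
    shared_lock=False -> each member takes its own lock, for comparison.
    Returns (peak concurrency inside the guarded call, elapsed seconds).
    """
    tracker = Tracker()

    def worker():
        lock = MODULE_LOCK if shared_lock else threading.Lock()
        with lock:
            slow_setup(tracker, delay)

    threads = [threading.Thread(target=worker) for _ in range(size)]
    start = time.monotonic()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return tracker.peak, time.monotonic() - start

if __name__ == "__main__":
    for shared in (True, False):
        peak, elapsed = reconnect_pool(size=5, delay=0.2, shared_lock=shared)
        print(f"shared_lock={shared}: peak concurrency {peak}, {elapsed:.2f}s")
```

With the shared lock the peak concurrency stays at 1 and the elapsed time grows with the pool size, which is what a pool sees when all members reconnect at once after a server restart.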
