We are experiencing some authentication errors and, looking into the logs, we discovered LDAP "server down" messages from time to time in the keystone log.
DEBUG Trace in keystone.log
2013-04-09 06:44:03 ERROR [root]
{'desc': "Can't contact LDAP server"}
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 204, in _call_
File "/usr/lib/python2.6/site-packages/keystone/service.py", line 317, in authenticate
File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 47, in _wrapper
File "/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py", line 99, in authenticate
File "/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py", line 175, in get_tenants_for_user
File "/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py", line 137, in get_user
File "/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py", line 132, in _get_user
File "/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py", line 374, in get
File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 245, in get
File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 208, in _ldap_get
File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 134, in get_connection
File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 354, in simple_bind_s
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 206, in simple_bind_s
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 200, in simple_bind
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
SERVER_DOWN:
{'desc': "Can't contact LDAP server"}
Having looked into the code, we observed that all LDAP operations proceed in this way:
1) Opens a connection
2) Binds with the username and password
3) Does the operation (search, add, ...)
It leaves the freeing of resources to the garbage collector. The python-ldap documentation recommends that, if you no longer use the LDAP connection, you free the resources with an unbind.
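One way to apply the unbind recommendation above, as an added example that is not part of the original report or of keystone's code: a context manager that always calls `unbind_s()`, compared with the open/bind/operate pattern. The names `bound_connection`, `FakeConn` and `demo`, and the URL and DNs, are assumptions; `FakeConn` is a constructed stand-in that counts handles not yet released, so the block runs without an LDAP server.

```python
from contextlib import contextmanager

def _python_ldap_factory(url):
    import ldap  # python-ldap, imported lazily so the demo runs without it
    return ldap.initialize(url)

@contextmanager
def bound_connection(url, user_dn, password, factory=_python_ldap_factory):
    """Open, bind and always unbind (hypothetical helper, not keystone's)."""
    conn = factory(url)
    try:
        conn.simple_bind_s(user_dn, password)
        yield conn
    finally:
        # Release the socket now instead of waiting for garbage collection,
        # also when the bind or the operation raised.
        conn.unbind_s()

class FakeConn(object):
    """Constructed stand-in for an LDAPObject; counts handles still open."""
    open_handles = 0

    def __init__(self, fail_bind=False):
        self.fail_bind = fail_bind
        FakeConn.open_handles += 1

    def simple_bind_s(self, who, cred):
        if self.fail_bind:
            raise RuntimeError("Can't contact LDAP server")

    def search_s(self, base, scope, filterstr):
        return [(base, {"cn": ["demo"]})]

    def unbind_s(self):
        FakeConn.open_handles -= 1

def demo(requests=100):
    """Return (handles left open without unbind, handles left open with it)."""
    FakeConn.open_handles = 0
    for _ in range(requests):  # pattern from the report: open, bind, operate
        conn = FakeConn()
        conn.simple_bind_s("cn=demo", "secret")
        conn.search_s("dc=example,dc=org", 2, "(cn=demo)")  # 2 = subtree scope
    leaked, FakeConn.open_handles = FakeConn.open_handles, 0
    for _ in range(requests):
        with bound_connection("ldap://ldap.example.org", "cn=demo", "secret",
                              factory=lambda url: FakeConn()) as conn:
            conn.search_s("dc=example,dc=org", 2, "(cn=demo)")
    return leaked, FakeConn.open_handles
```

With python-ldap installed and the default factory, the same `with bound_connection(...)` block wraps a real connection.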