Ticket #1155 (closed defect: wontfix)

Opened 2 years ago

Last modified 2 years ago

SSSD should set up multiple search bases for multiple namingContexts entries

Reported by: sgallagh
Owned by: somebody
Priority: major
Milestone: void
Component: LDAP Provider
Version: 1.7.0
Tests Updated: no
Patch Submitted: no
Red Hat Bugzilla: 784984

Description

Currently, SSSD cannot handle the existence of multiple namingContexts entries in the RootDSE without a corresponding defaultNamingContext attribute telling it which one it should use.

This is done for historical reasons, before we supported multiple search bases. We should update this code to generate a multiple search base for missing ldap_*_search_base entries.

Change History

comment:1 Changed 2 years ago by sgallagh

  • Red Hat Bugzilla set to 784984 (https://bugzilla.redhat.com/show_bug.cgi?id=784984)

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=784984

comment:2 Changed 2 years ago by sgallagh

  • Resolution set to wontfix
  • Status changed from new to closed

After lengthy discussion with Simo, I've been convinced that this is an unsafe idea. We will instead simply disable features whose bases are not available with a warning.

comment:3 Changed 2 years ago by sgallagh

  • Blocked By 1152 deleted

(In #1152) Ok, a third and better option was proposed by Simo on IRC.

Instead of failing if we cannot auto-detect a search base, we will simply disable LDAP lookups for any feature (sudo, services, etc.) for which we do not have a search base set. We'll do this by leaving the ldap_*_search_base as NULL and carefully checking for it at the start of any relevant lookup requests (we'll just return ENOENT and log a warning message at level zero).

comment:7 Changed 2 years ago by simo

  • Milestone changed from NEEDS_TRIAGE to void
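
The behaviour settled on in comment:3, sketched as an added C example (not SSSD's code): a missing search base is filled in only when the RootDSE makes the choice unambiguous, and every lookup starts with a NULL check that returns ENOENT. The struct and function names and the sample DNs are hypothetical, and adopting a lone namingContexts value is an assumption.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical, simplified view of the two RootDSE attributes in the ticket. */
struct rootdse {
    const char *default_naming_context;  /* NULL if the server omits it */
    const char **naming_contexts;        /* NULL-terminated list, may be NULL */
};

/* Hypothetical stand-in for one ldap_*_search_base option. */
struct feature {
    const char *name;         /* "sudo", "services", ... */
    const char *search_base;  /* NULL means lookups are disabled */
};

/* Fill in a missing search base only when the choice is unambiguous. */
void detect_search_base(struct feature *f, const struct rootdse *dse)
{
    size_t n = 0;

    if (f->search_base != NULL) return;  /* explicitly configured, keep it */
    if (dse->default_naming_context != NULL) {
        f->search_base = dse->default_naming_context;
        return;
    }
    while (dse->naming_contexts != NULL && dse->naming_contexts[n] != NULL)
        n++;
    if (n == 1)  /* assumption: a single context is safe to adopt */
        f->search_base = dse->naming_contexts[0];
    /* n == 0 or n > 1: stay NULL instead of guessing or searching them all */
}

/* Guard run at the start of every lookup request for the feature. */
int feature_lookup(const struct feature *f, const char *key)
{
    if (f->search_base == NULL) {
        fprintf(stderr, "(level 0) %s: no search base, lookup of '%s' disabled\n", f->name, key);
        return ENOENT;
    }
    return 0;  /* a real provider would search under f->search_base here */
}

int main(void)
{
    const char *ctxs[] = { "dc=example,dc=com", "dc=other,dc=test", NULL };  /* constructed */
    struct rootdse dse = { NULL, ctxs };
    struct feature sudo = { "sudo", NULL };
    detect_search_base(&sudo, &dse);
    return feature_lookup(&sudo, "alice") == ENOENT ? 0 : 1;
}
```
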