Ticket #495 (closed defect: fixed)
ldap referrals are only ever followed anonymously
|Reported by:||nalin||Owned by:||sbose|
|Tests Updated:||no||Coverity Bug:|
|Patch Submitted:||Red Hat Bugzilla:||0|
|Design review:||Fedora test page:|
|Chosen:||Candidate to push out:|
I see that sssd supports enabling referral support in libldap, but sssd doesn't seem to be registering a rebind callback (with ldap_set_rebind_proc) for libldap to use when it needs to bind to a new server.
If sssd doesn't do that, then referrals to other servers will be done anonymously, which I don't think is going to provide the desired results if sssd has been configured to authenticate to its primary server.
My personal preference would be for sssd to not depend on libldap's ability to chase referrals, but to queue up referral responses itself for following after processing results of the currently-executing search, and handling server binds directly as a part of that. That said, providing a callback may simply be more expedient.
A note of warning: beware of reintroducing CVE-2005-2069 when you're following referrals.