Ticket #609 (new enhancement)

Opened 4 years ago

Last modified 2 years ago

SSSD LDAP provider should support ldapi:// for optimized lookups on a local LDAP server

Reported by: jhrozek Owned by: somebody
Priority: major Milestone: SSSD Deferred
Component: LDAP Provider Version: 1.3.1
Keywords: Cc:
Blocked By: Blocking:
Tests Updated: no Coverity Bug:
Patch Submitted: no Red Hat Bugzilla: 627763
Design link:
Feature Milestone:
Design review: Fedora test page:
Chosen: Candidate to push out:
Release Notes:

Description

This issue was originally reported in Red Hat Bugzilla

Currently the LDAP provider treats all URIs as network-resolvable. That is not true for ldapi:// as the path points to a UNIX socket.

We might create a very thin layer atop be_resolve_server_* in the ldap provider that would just return and call the specified callback when ldapi:// is found and descend to regular resolving otherwise. This may be a little over-engineering as someone who uses ldapi:// is extremely unlikely to have another (remote) server configured, but should cover all cases, even with failover.
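As an added illustration (not SSSD's own code), the dispatch step the description proposes: a small C function that decides whether an ldap_uri entry names a local UNIX socket, which the thin layer would hand straight to the connect callback, or a network host that still has to go through be_resolve_server_*. The struct, the function names and the sample socket path are constructed for this example; the percent-encoding of the socket path follows the usual ldapi:// convention.

```c
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* Constructed for this example: how one ldap_uri entry must be reached. */
enum uri_kind { URI_LOCAL_SOCKET, URI_NETWORK, URI_INVALID };

struct uri_target {
    enum uri_kind kind;
    char name[256];   /* decoded UNIX socket path, or host name to resolve */
};

/* Percent-decode src into dst; ldapi:// URIs encode '/' in the socket
 * path as %2F. Returns 0 on success, -1 on a bad escape or overflow. */
static int percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;
    while (*src && i + 1 < dstlen) {
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return -1;
            char hex[3] = { src[1], src[2], '\0' };
            dst[i++] = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            dst[i++] = *src++;
        }
    }
    dst[i] = '\0';
    return *src ? -1 : 0;   /* input did not fit into dst */
}

/* Only network schemes go through the resolver; ldapi:// is a socket path
 * and can be handed to the connect callback without any DNS/SRV lookup. */
int classify_ldap_uri(const char *uri, struct uri_target *out)
{
    out->name[0] = '\0';
    out->kind = URI_INVALID;
    if (strncmp(uri, "ldapi://", 8) == 0) {
        /* An empty path means libldap's compiled-in default socket. */
        if (percent_decode(uri + 8, out->name, sizeof(out->name)) != 0)
            return -1;
        out->kind = URI_LOCAL_SOCKET;
        return 0;
    }
    const char *host = NULL;
    if (strncmp(uri, "ldap://", 7) == 0) host = uri + 7;
    else if (strncmp(uri, "ldaps://", 8) == 0) host = uri + 8;
    if (host == NULL) return -1;
    size_t n = strcspn(host, ":/");          /* host ends at port or path */
    if (n >= sizeof(out->name)) return -1;
    memcpy(out->name, host, n);
    out->name[n] = '\0';
    out->kind = URI_NETWORK;
    return 0;
}
```

A failover list can be walked with this classifier so that only the URI_NETWORK entries are queued for resolution while a URI_LOCAL_SOCKET entry is connected to immediately.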

Change History

comment:1 Changed 4 years ago by sgallagh

  • Component changed from SSSD to LDAP Provider
  • tests changed from 0 to 1
  • doc changed from 0 to 1

This ticket has a few other considerations that we need to make.

For example, should we waive the encryption requirement for authentication if we're talking only to a local socket? If so, we also need to coordinate with authconfig to adjust the UI to understand that.

comment:2 Changed 4 years ago by jzeleny

A similar issue has recently been discussed for nss_ldap. OpenLDAP using ldapi:// doesn't support TLS encryption using the STARTTLS function and upstream decided that it will remain this way (NSS used in new versions of OpenLDAP doesn't even support local sockets). They suggested using the starttls URL extension in RHEL5, but I guess that's not an option for new OpenLDAP either.

comment:3 Changed 4 years ago by sgallagh

  • Type changed from defect to enhancement
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.6.0
  • Summary changed from SSSD LDAP provider should support ldapi:// to SSSD LDAP provider should support ldapi:// for optimized lookups on a local LDAP server

comment:4 Changed 3 years ago by dpal

  • upgrade set to 0
  • Milestone changed from SSSD 1.6.0 to SSSD 1.7.0

comment:5 Changed 3 years ago by dpal

  • Milestone changed from SSSD 1.8.0 to SSSD 1.9.0
  • Patch Submitted unset

comment:6 Changed 2 years ago by mkosek

  • Red Hat Bugzilla set to 627763 (https://bugzilla.redhat.com/show_bug.cgi?id=627763)

comment:7 Changed 2 years ago by dpal

  • Milestone changed from SSSD 1.9.0 to SSSD Deferred