#777 Make IPA paths configurable or use base searches for HBAC related data
Closed: Fixed None Opened 13 years ago by sbose.

Currently the search paths for HBAC data are hardcoded. Chances are that these might change in the future, so a more flexible solution needs to be found.


Please add an {{{ipa_hbac_search_base}}} option to SSSD that defaults to {{{ldap_search_base}}} and perform lookups with an LDAP search expression including the HBAC objectClass.

doc: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.5.1
priority: major => critical
tests: 0 => 1

We set ldap_search_base to "cn=accounts"+base_dn in ipa_common.c. So if we do not change this too, I would suggest defaulting to the base_dn.

Unfortunately, we can't default to the base_dn for {{{ldap_search_base}}} in IPA because of the compat tree. If we search from the base, we always get duplicate entries (and it plays havoc with our processing).

Ah, sorry, I meant to use the base DN as a default for ipa_hbac_search_base, not for ldap_search_base.

fixed by 56789cf

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.1

7 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/1819

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
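
Added example (not SSSD code and not part of the ticket discussion): a small Python model of the defaults agreed on above, showing why a user lookup from the base DN returns duplicates through the compat tree while an HBAC lookup filtered on the HBAC objectClass can safely start at the base DN. The directory entries are constructed, and the DN layout and the objectClass names `posixAccount`, `ipaHBACRule` and `ipaHBACService` are assumptions based on the usual FreeIPA tree; the helper names are hypothetical.

```python
# Added illustration, not SSSD source. Constructed entries; the DN layout and
# objectClass names follow the usual FreeIPA tree and are assumptions here.
BASE_DN = "dc=example,dc=com"
ENTRIES = [
    ("uid=alice,cn=users,cn=accounts," + BASE_DN, {"posixAccount"}),
    ("uid=alice,cn=users,cn=compat," + BASE_DN, {"posixAccount"}),
    ("uid=bob,cn=users,cn=accounts," + BASE_DN, {"posixAccount"}),
    ("uid=bob,cn=users,cn=compat," + BASE_DN, {"posixAccount"}),
    ("ipaUniqueID=0001,cn=hbac," + BASE_DN, {"ipaHBACRule"}),
    ("cn=sshd,cn=hbacservices,cn=hbac," + BASE_DN, {"ipaHBACService"}),
]


def resolve_search_bases(options):
    """Apply the defaults discussed in the ticket when an option is unset."""
    base_dn = options["base_dn"]
    return {
        # Existing behaviour described in the thread (set in ipa_common.c).
        "ldap_search_base": options.get("ldap_search_base", "cn=accounts," + base_dn),
        # Proposed option: defaults to the plain base DN.
        "ipa_hbac_search_base": options.get("ipa_hbac_search_base", base_dn),
    }


def subtree_search(search_base, object_class):
    """Model a subtree-scope search with filter (objectClass=<object_class>).

    DN matching is a lowercase suffix comparison, a simplification of real
    DN normalization that is sufficient for the constructed entries.
    """
    base = search_base.lower()
    return [dn for dn, classes in ENTRIES
            if object_class in classes
            and (dn.lower() == base or dn.lower().endswith("," + base))]


def duplicated_names(dns):
    """Return the first-RDN values that occur in more than one result DN."""
    names = [dn.split(",", 1)[0].split("=", 1)[1] for dn in dns]
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    bases = resolve_search_bases({"base_dn": BASE_DN})
    users_wide = subtree_search(BASE_DN, "posixAccount")
    users = subtree_search(bases["ldap_search_base"], "posixAccount")
    rules = subtree_search(bases["ipa_hbac_search_base"], "ipaHBACRule")
    print("users from base DN:", len(users_wide), "duplicates:", duplicated_names(users_wide))
    print("users from cn=accounts:", len(users), "duplicates:", duplicated_names(users))
    print("HBAC rules from base DN:", rules)
```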
