#1155 SSSD should set up multiple search bases for multiple namingContexts entries

Created 5 years ago by sgallagh
Modified 12 hours ago

Currently, SSSD cannot handle the existence of multiple namingContexts entries in the RootDSE without a corresponding defaultNamingContext attribute telling it which one it should use.

This is done for historical reasons, before we supported multiple search bases. We should update this code to generate a multiple search base for missing {{{ldap_*_search_base}}} entries.

After lengthy discussion with Simo, I've been convinced that this is an unsafe idea. We will instead simply disable features whose bases are not available with a warning.

resolution: => wontfix
status: new => closed

(In #1152) Ok, a third and better option was proposed by Simo on IRC.

Instead of failing if we cannot auto-detect a search base, we will simply disable LDAP lookups for any feature (sudo, services, etc.) for which we do not have a search base set. We'll do this by leaving the {{{ldap_*_search_base}}} as NULL and carefully checking for it at the start of any relevant lookup requests (we'll just return ENOENT and log a warning message at level zero).

blockedby: 1152 =>
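The behaviour described in the comment above, sketched in C as an added example; this is not SSSD's code, and the feature list, `struct rootdse`, `apply_rootdse()` and `feature_lookup()` are hypothetical names, with constructed sample DNs. A base is auto-detected only when the RootDSE is unambiguous; otherwise it stays NULL and the lookup guard returns ENOENT.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical feature list; these names are illustrative, not SSSD's. */
enum feature { FEAT_USER, FEAT_SUDO, FEAT_SERVICE, FEAT_COUNT };
static const char *feat_name[FEAT_COUNT] = { "user", "sudo", "service" };

/* defaultNamingContext (NULL if absent) and the namingContexts values. */
struct rootdse { const char *default_nc; const char **naming_contexts; size_t num_nc; };

/* Pick a base only when the RootDSE is unambiguous; never guess. */
static const char *detect_base(const struct rootdse *dse)
{
    if (dse->default_nc != NULL) return dse->default_nc;
    if (dse->num_nc == 1) return dse->naming_contexts[0];
    return NULL; /* several namingContexts, no default: leave unset */
}

/* Fill bases the admin left unset; returns how many features stay disabled. */
int apply_rootdse(const char *bases[], const struct rootdse *dse)
{
    const char *detected = detect_base(dse);
    int disabled = 0;
    for (int f = 0; f < FEAT_COUNT; f++) {
        if (bases[f] == NULL) bases[f] = detected;
        if (bases[f] == NULL) disabled++;
    }
    return disabled;
}

/* Guard at the start of each lookup request: no base means ENOENT. */
int feature_lookup(const char *bases[], enum feature f, const char *filter)
{
    if (bases[f] == NULL) {
        fprintf(stderr, "(level 0) no search base for %s, lookups disabled\n", feat_name[f]);
        return ENOENT;
    }
    printf("would search base=%s filter=%s\n", bases[f], filter);
    return 0;
}

int main(void)
{
    const char *ncs[] = { "dc=a,dc=example", "dc=b,dc=example" }; /* constructed */
    struct rootdse dse = { NULL, ncs, 2 };
    const char *bases[FEAT_COUNT] = { "ou=people,dc=a,dc=example", NULL, NULL };
    apply_rootdse(bases, &dse);
    return feature_lookup(bases, FEAT_SUDO, "(cn=defaults)") == ENOENT ? 0 : 1;
}
```

An explicitly configured base is never overwritten, so only the features the administrator left unset are affected by an ambiguous RootDSE.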

Fields changed

milestone: NEEDS_TRIAGE => void

12 hours ago

Metadata Update from @sgallagh:
- Issue set to the milestone: void


defect

LDAP Provider

1.7.0

0

0

https://bugzilla.redhat.com/show_bug.cgi?id=784984
