#1155 SSSD should set up multiple search bases for multiple namingContexts entries

Created 5 years ago by sgallagh
Modified 8 months ago

Currently, SSSD cannot handle the existence of multiple namingContexts entries in the RootDSE without a corresponding defaultNamingContext attribute telling it which one it should use.

This is done for historical reasons, before we supported multiple search bases. We should update this code to generate a multiple search base for missing {{{ldap_*_search_base}}} entries.

After lengthy discussion with Simo, I've been convinced that this is an unsafe idea. We will instead simply disable features whose bases are not available with a warning.

resolution: => wontfix
status: new => closed

(In #1152) Ok, a third and better option was proposed by Simo on IRC.

Instead of failing if we cannot auto-detect a search base, we will simply disable LDAP lookups for any feature (sudo, services, etc.) for which we do not have a search base set. We'll do this by leaving the {{{ldap_*_search_base}}} as NULL and carefully checking for it at the start of any relevant lookup requests (we'll just return ENOENT and log a warning message at level zero).

blockedby: 1152 =>
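An added example of the approach described in the comment above; it is not SSSD code. It leaves an undetectable search base as NULL and checks for it at the start of each lookup. The type, function and feature names are hypothetical, and using a lone namingContexts value as the base is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical feature list; not SSSD's real option table. */
enum feature { FEAT_USER, FEAT_SUDO, FEAT_SERVICE, FEAT_COUNT };
static const char *feat_name[FEAT_COUNT] = { "user", "sudo", "service" };
struct ldap_opts { const char *search_base[FEAT_COUNT]; }; /* NULL = disabled */

/* Constructed stand-in for the RootDSE attributes named in the ticket. */
struct rootdse {
    const char *default_naming_context; /* NULL when the server sends none */
    const char **naming_contexts;
    size_t n_contexts;
};

/* Return a base only when the choice is unambiguous, otherwise NULL. */
static const char *autodetect_base(const struct rootdse *dse) {
    if (dse->default_naming_context != NULL) return dse->default_naming_context;
    if (dse->n_contexts == 1) return dse->naming_contexts[0]; /* assumption */
    return NULL; /* none or several namingContexts: do not guess */
}

/* Fill only the bases the admin left unset; explicit settings win. */
static void apply_rootdse(struct ldap_opts *o, const struct rootdse *dse) {
    const char *base = autodetect_base(dse);
    for (int f = 0; f < FEAT_COUNT; f++)
        if (o->search_base[f] == NULL) o->search_base[f] = base;
}

/* Guard at the start of each lookup request, as the comment describes. */
static int lookup(const struct ldap_opts *o, enum feature f, const char *name) {
    if (o->search_base[f] == NULL) {
        fprintf(stderr, "(0) %s: no search base, not looking up %s\n", feat_name[f], name);
        return ENOENT;
    }
    return 0; /* a real provider would issue the LDAP search here */
}

/* Constructed case: user base configured, RootDSE lists two contexts. */
static int demo(enum feature f) {
    const char *ctx[] = { "dc=example,dc=com", "o=legacy" };
    struct rootdse dse = { NULL, ctx, 2 };
    struct ldap_opts o = { { "dc=example,dc=com", NULL, NULL } };
    apply_rootdse(&o, &dse);
    return lookup(&o, f, "alice");
}

int main(void) { return demo(FEAT_SUDO) == ENOENT ? 0 : 1; }
```

With two namingContexts and no defaultNamingContext, the explicitly configured user base keeps working while sudo and service lookups return ENOENT rather than searching a guessed subtree.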

Fields changed

milestone: NEEDS_TRIAGE => void

8 months ago

Metadata Update from @sgallagh:
- Issue set to the milestone: void



LDAP Provider