#1213 Warn to syslog when dereference requests fail
Closed: Fixed None Opened 7 years ago by jhrozek.

In some cases, the dereference search might fail - for example if the server incorrectly advertises deref support or if the attribute we try to dereference is not a DN.

SSSD should fall back to individual lookups in this case. The hard part is picking the errors that would be non-fatal for the search. "Protocol error" and "Server refused to perform" might be a good start.


This is not really a bug in SSSD so much as a misconfiguration on the server. The original report was failing because someone had changed the OID on the LDAP member attribute so that it did not report as a DN.

We should just write a descriptive error message to the syslog in this case, so the administrator is aware that there is a problem on the LDAP server.

component: SSSD => LDAP Provider
milestone: NEEDS_TRIAGE => SSSD 1.9.0
owner: somebody => jhrozek
priority: major => minor
summary: If dereference failed, retry with individual lookups => Warn to syslog when dereference requests fail

Fields changed

keywords: => easyfix

Fields changed

owner: jhrozek => arielb
status: new => assigned

Fixed by:
- 02837b3 (master)
- f93b080 (sssd-1-8)

milestone: SSSD 1.9.0 => SSSD 1.9.0 beta 2
patch: 0 => 1
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to arielb
- Issue set to the milestone: SSSD 1.9.0 beta 2

2 years ago
