#1557 [RFE] Use the Global Catalog in SSSD for the AD provider
Closed: Fixed None Opened 11 years ago by simo.

We should use the Global Catalog to do SID -> Name resolution and also SID -> Posix ID resolution.
The Global Catalog is the only correct way to handle AD Forests as it contains a summary of data from all domains in the forest. Using LDAP confines us to just the specific domain the AD server is part of, but not the rest of the forest.
This means we may fail to resolve some of the SIDs for accunts that have group memberships spreads across a Forest.

Also the Global Catalog can be configured to exposed RFC2307 attributes, we should take advantage of this when available.

Not all AD servers are Global Catalog servers. So the address resolution for the Global Catalog need to be independent from the special 'ad port' trick, as the AD server we use for Krb/LDAP is not necessarily the same we want to use as Global Catalog.
The local 'Site' should be used in preference for the Global Catalog as well.

Related to #364

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0
summary: Use the Global Catalog in SSSD for the AD provider => [RFE] Use the Global Catalog in SSSD for the AD provider

Fields changed

priority: major => critical

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Want

Fields changed

review: => 0

Fields changed

owner: sbose => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

changelog: => Currently SSSD uses the standard LDAP interface of Active Directory to lookup users and groups when joined to an Active Directory domain. But the LDAP interface only offers information for users and groups of the local domain and not from the whole forest. This information is available in the Global Catalog of an Active Directory domain.
To make lookups of users and groups from the whole forest easier SSSD should use the Global Catalog instead of the standard LDAP interface for the lookups.

Metadata Update from @simo:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2599

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.