#2077 [RFE] If originalDN is not available during LDAP auth, the SSSD should look it up
Closed: Fixed. Opened 5 years ago by dpal.

Ticket was cloned from Red Hat Bugzilla (product RHEL RFE): Bug 1001630

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

This RFE is to request the ability for SSSD to allow for custom attributes.

Currently if there is no original DN attribute (which is the case because proxy provider is used), we just attempt to construct the DN based on the username and the search base. That only works if the DNs on the server are in the form of uid=$username,$DN.

We need to perform another search (probably by UID) for cases where we don't know the original DN, retrieve the user, update his originalDN and resume the authentication.
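
The lookup requested above, sketched as an added example that is not part of the original ticket and is not SSSD code: the guessed DN is compared with a search by `uid`, and the bind proceeds only when the search returns exactly one entry. The directory contents, base DN and all function names are constructed for illustration, and `search` is a hypothetical in-memory stand-in for an LDAP subtree search.

```python
import re

BASE = "dc=example,dc=com"
# Constructed sample directory (DN -> attributes); only alice matches uid=$username,$BASE.
DIRECTORY = {
    "uid=alice,dc=example,dc=com": {"uid": ["alice"]},
    "cn=Bob Smith,ou=Staff,dc=example,dc=com": {"uid": ["bsmith"]},
    "cn=Dup One,ou=Staff,dc=example,dc=com": {"uid": ["dup"]},
    "cn=Dup Two,ou=Temp,dc=example,dc=com": {"uid": ["dup"]},
}

def guessed_dn(username, base=BASE):
    """Fallback the ticket describes: assume the entry is uid=$username,$base."""
    return f"uid={username},{base}"

def escape_filter_value(value):
    """RFC 4515 escaping, so the login name is matched literally by the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def search(base, ldap_filter, directory=DIRECTORY):
    """Hypothetical stand-in for a subtree search; handles only (attr=value)."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter, re.S).groups()
    pattern = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", raw, re.S):
        if len(tok) == 3:                      # \xx escape -> literal character
            pattern += re.escape(chr(int(tok[1:], 16)))
        else:                                  # unescaped * is a wildcard
            pattern += ".*" if tok == "*" else re.escape(tok)
    rx = re.compile(pattern, re.S)
    return [dn for dn, attrs in directory.items()
            if dn.endswith(base) and any(rx.fullmatch(v) for v in attrs.get(attr, []))]

def resolve_bind_dn(username, original_dn=None, base=BASE):
    """Return the DN to bind as, or None if it cannot be determined safely."""
    if original_dn:                            # identity provider already stored it
        return original_dn
    hits = search(base, f"(uid={escape_filter_value(username)})")
    # Bind only on exactly one match; zero or several matches fail the login.
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for user in ("alice", "bsmith", "dup", "nobody"):
        print(user, guessed_dn(user) in DIRECTORY, resolve_bind_dn(user))
```
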

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
review: True => 0
selected: =>
summary: [RFE] Allow for custom attributes in RDN when using id_provider = proxy => [RFE] If originalDN is not available during LDAP auth, the SSSD should look it up
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12 beta
type: defect => enhancement

There is a customer who is eager to test this functionality. I already have local patches.

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: SSSD 1.12 beta => SSSD 1.11.3

resolution: => fixed
status: assigned => closed

Fields changed

changelog: => Allows the LDAP provider to look up the DN to bind with even if the identity provider didn't download the DN on its own. Mostly useful as a way to combine LDAP auth provider with non-LDAP ID provider.

Metadata Update from @dpal:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.11.3

2 years ago
