#3538 RFE: Use the global catalog only to look up the entry DN
Closed: wontfix 3 years ago by pbrezina. Opened 6 years ago by jhrozek.

This ticket captures discussion between me and Sumit, with the ideas being mostly Sumit's.

At the moment, we try to use the Global Catalog to look up entries including all their attributes. But this is really brittle because not all attributes are present in the global catalog, especially those that are added as a schema extension. Also, when sssd requests some attributes but does not receive them, the LDAP provider removes the attributes from the cache, so different login attempts of the same user, some of which hit the global catalog and some of which hit the LDAP port, present different data.

The proposal is about using the global catalog to only read the entry's DN, then use the DN to learn which domain the user is from and re-run the request against that domain's LDAP server only.


When working on this RFE, please be mindful of the scenario described in #3544
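The two-phase lookup proposed above, as an added illustration in Python (not SSSD code): the Global Catalog is asked only for the entry's DN, the DC= components of that DN name the owning domain, and the attributes are then read from that domain's own LDAP server. The directory contents, domain names, server mappings and attribute sets are constructed for the example, and `refresh_cache` is a hypothetical helper that mimics the cache behaviour the description mentions (a requested attribute the server did not return is dropped), so the drift between GC-backed and LDAP-backed lookups can be seen side by side.

```python
"""Two-phase AD user lookup: DN from the Global Catalog, attributes from
the owning domain's LDAP server. Added example, not SSSD code; all data
below is constructed."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, str]

# Constructed GC view (port 3268): only the partial attribute set is
# replicated, so the POSIX attributes are missing here.
GC_ENTRIES: Dict[str, Entry] = {
    "CN=Doe\\, John,OU=Users,DC=child,DC=example,DC=com": {
        "sAMAccountName": "jdoe", "objectSid": "S-1-5-21-1-2-3-1105"},
    "CN=Alice,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "alice", "objectSid": "S-1-5-21-9-8-7-1001"},
}

# Constructed per-domain LDAP view (port 389): full attribute sets.
DOMAIN_LDAP: Dict[str, Dict[str, Entry]] = {
    "child.example.com": {
        "CN=Doe\\, John,OU=Users,DC=child,DC=example,DC=com": {
            "sAMAccountName": "jdoe", "objectSid": "S-1-5-21-1-2-3-1105",
            "uidNumber": "10001", "gidNumber": "10000",
            "unixHomeDirectory": "/home/jdoe"}},
    "example.com": {
        "CN=Alice,OU=Users,DC=example,DC=com": {
            "sAMAccountName": "alice", "objectSid": "S-1-5-21-9-8-7-1001",
            "uidNumber": "20001", "gidNumber": "20000",
            "unixHomeDirectory": "/home/alice"}},
}


class DomainUnreachable(Exception):
    """The owning domain's LDAP server cannot be queried (the firewall /
    one-way-trust concern raised in the comments)."""


def _parse_rdn(rdn: str) -> Tuple[str, str]:
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip(), value


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (type, value) pairs, honouring
    backslash escapes so 'CN=Doe\\, John' is one RDN, not two."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, keep it literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_parse_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_parse_rdn("".join(buf)))
    return rdns


def domain_from_dn(dn: str) -> str:
    """Owning domain's DNS name from the DC= components of the DN."""
    labels = [v for a, v in split_dn(dn) if a.lower() == "dc"]
    if not labels:
        raise ValueError(f"no DC components in DN: {dn!r}")
    return ".".join(labels).lower()


def gc_find_dn(sam_account: str, gc: Dict[str, Entry]) -> Optional[str]:
    """Phase 1: GC search by sAMAccountName that returns only the DN."""
    for dn, attrs in gc.items():
        if attrs.get("sAMAccountName", "").lower() == sam_account.lower():
            return dn
    return None


def lookup_user(sam_account: str, gc: Dict[str, Entry] = GC_ENTRIES,
                domain_ldap: Dict[str, Dict[str, Entry]] = DOMAIN_LDAP
                ) -> Optional[Entry]:
    """Proposed behaviour: DN from the GC, attributes from the domain."""
    dn = gc_find_dn(sam_account, gc)
    if dn is None:
        return None
    server = domain_ldap.get(domain_from_dn(dn))
    if server is None:
        raise DomainUnreachable(domain_from_dn(dn))
    entry = server.get(dn)  # Phase 2: base-scope read of the DN
    return dict(entry) if entry is not None else None


def lookup_user_gc_only(sam_account: str, gc: Dict[str, Entry] = GC_ENTRIES
                        ) -> Optional[Entry]:
    """Current behaviour the ticket describes: trust whatever the GC has."""
    dn = gc_find_dn(sam_account, gc)
    return dict(gc[dn]) if dn else None


def refresh_cache(cached: Entry, fresh: Entry, requested: List[str]) -> Entry:
    """Hypothetical cache update: requested attributes the server did not
    return are dropped, which is what makes alternating GC/LDAP hits
    present different data for the same user."""
    updated = {k: v for k, v in cached.items() if k not in requested}
    updated.update({k: fresh[k] for k in requested if k in fresh})
    return updated


if __name__ == "__main__":
    wanted = ["sAMAccountName", "uidNumber", "gidNumber"]
    cache = refresh_cache({}, lookup_user("jdoe"), wanted)
    print("after domain LDAP lookup:", cache)
    cache = refresh_cache(cache, lookup_user_gc_only("jdoe"), wanted)
    print("after GC-only lookup:    ", cache)  # POSIX attributes gone
```

Running it shows the POSIX attributes arriving on the domain-backed lookup and vanishing again after a GC-only one; the `DomainUnreachable` path is where a GC-reachable but domain-unreachable deployment would now fail explicitly instead of silently returning a partial entry.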

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)

6 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1081046

6 years ago

Won't this potentially break scenarios where the Global Catalog is accessible but the domain's LDAP server is not? (I am thinking both of firewalling and also one-direction trust cases.)

It won't because that scenario doesn't work at the moment :-) At least tokenGroups are not replicated to GC (even though since recent versions we prefer the PAC if it's available), typically POSIX attributes are not replicated, IIRC some lockout attributes are not etc.

I guess what I am saying is we should allow people that properly replicate what we need in GC to use it.
We do not always have posix info at all in AD, and we should always use PAC not tokenGroups anyway.

Metadata Update from @thalman:
- Issue tagged with: Canditate to close

4 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD, you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4564

If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.
