When using Active Directory as a generic LDAP source as:
id_provider = ldap
Without 'ldap_referrals = False', sssd becomes unresponsive and unable to service queries. I suspect this is due to AD always returning referrals on every ldap query, and SSSD following them in an infinite loop.
SSSD should not visit a referral more than once during processing to prevent this issue. Alternately, if this is not the cause of the issue, then SSSD should be able to handle these more efficiently.
The issue why sssd becomes unresponsive is well known. I'm not sure if it's an infinite loop or that the rebinding to the referrals is blocking.
We've tried in the distant past to implement asynchronous referral chasing in SSSD itself, but it was a really huge task without a clear benefit -- instead, documenting to disable referrals and disabling them by default with the AD provider which is what most people are using was "good enough".
Since this is so far the only request to follow referrals in an AD setup, I'm not sure we're going to find the time to work on this ourselves. Instead, I would file the ticket into the 'patches welcome' part.
Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome
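As an added example (not code from this ticket or from the SSSD project), here is a small Python audit that flags the configuration the reporter describes and the maintainer recommends against: a [domain/...] section using the generic LDAP provider (id_provider = ldap) that does not set ldap_referrals = False. The AD provider is skipped because, per the reply above, it disables referral chasing by default. The sample sssd.conf it parses is constructed and the domain names are placeholders.

```python
"""Audit an sssd.conf for generic-LDAP domains that still follow referrals.

Constructed example, not SSSD project code. sssd.conf is INI-style
([sssd] plus [domain/NAME] sections), so configparser is sufficient.
"""
import configparser

# Constructed sample sssd.conf (placeholder domain names): one generic-LDAP
# domain pointed at AD that has not disabled referrals, one that has, and
# one using the dedicated AD provider.
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp.example.com, lab.example.com, ad.example.com
services = nss, pam

[domain/corp.example.com]
id_provider = ldap
ldap_uri = ldap://dc1.corp.example.com
ldap_search_base = DC=corp,DC=example,DC=com

[domain/lab.example.com]
id_provider = ldap
ldap_uri = ldap://dc1.lab.example.com
ldap_referrals = False

[domain/ad.example.com]
id_provider = ad
ad_domain = ad.example.com
"""


def _is_false(value: str) -> bool:
    # SSSD boolean options are case-insensitive; treat these spellings as "off".
    return value.strip().lower() in ("false", "no", "off", "0")


def domains_following_referrals(conf_text: str) -> list:
    """Return the names of domains configured with id_provider = ldap whose
    ldap_referrals option is missing or not set to False.

    Only the generic LDAP provider is flagged; the AD provider already
    disables referral chasing by default.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(conf_text)

    at_risk = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        if provider != "ldap":
            continue
        referrals = parser.get(section, "ldap_referrals", fallback=None)
        if referrals is None or not _is_false(referrals):
            at_risk.append(section[len("domain/"):])
    return at_risk


if __name__ == "__main__":
    for name in domains_following_referrals(SAMPLE_SSSD_CONF):
        print(f"[domain/{name}]: id_provider = ldap without ldap_referrals = False "
              f"- add 'ldap_referrals = False' to this section")
```

Run it against a real /etc/sssd/sssd.conf by reading the file into `domains_following_referrals`; each name it returns is a domain section where adding `ldap_referrals = False` applies the mitigation discussed in this ticket.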
Copyright © 2014-2018 Red Hat