#383 Support LDAP referrals
Closed: Fixed None Opened 14 years ago by sgallagh.

We need to support LDAP referrals in the LDAP provider. This is the last remaining major feature from nss_ldap that we are missing.

We need a boolean option added to the SSSD for whether to follow referrals returned by LDAP servers. Its default should be true.


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.1
owner: somebody => jhrozek

Fields changed

owner: jhrozek => sbose

nss_ldap depends on the referral support of the underlying LDAP library, here OpenLDAP. It simply uses the ldap.conf option 'referrals' and sets the LDAP option LDAP_OPT_REFERRALS. ldap_set_option(3) has the following note:

"The LDAP libraries with the LDAP_OPT_REFERRALS option set to LDAP_OPT_ON (default value) automatically follow referrals using an anonymous bind. Application developers are encouraged to either implement consistent referral chasing features, or explicitly disable referral chasing by setting that option to LDAP_OPT_OFF."

Do we want to have the same behaviour as nss_ldap and just let OpenLDAP follow the referrals with an anonymous bind, or do we want to follow them on our own? If we want to do it ourselves then we would need some config options which can specify how to connect to different LDAP servers, and I think we have to drop the connection to the primary LDAP server when it comes to SSL/TLS because OpenLDAP uses the global context for this.

cc: => simo

fixed by the following commits:

- 7c8f422495347e6ff829246ebf5d7faad9f6d160
- 0d85b37ab0ede884408e68246ec21092c3718610
- c12530bed53c51bcf217624ad523ef2b6ddd16c0
- d927ba1d5be6f2e93034737884d7ec17eafe448f

Please note that referral chasing is not possible with OpenLDAP versions older than 2.4.12. This affects e.g. RHEL5 or SLES10.

cc: simo =>
doc: 0 => 1
fixedin: => 1.1.0
resolution: => fixed
status: new => closed

Fields changed

tests: 1 => 0
testsupdated: 0 => 1

ldap_referrals is described in the sssd-ldap man page. The documentation should mention that the support of referrals is currently limited to the (usual) case where both directory trees have the same layout. Also, the second server is always accessed anonymously.
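As an added illustration (not part of this ticket or of SSSD's own documentation), an sssd.conf domain section showing the default referral-chasing behaviour next to the explicit opt-out; the domain name and server URI are placeholders:

```ini
; Added example, not from the ticket. Domain name and URI are placeholders.
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com

; Default (equivalent to leaving the option out): SSSD lets OpenLDAP
; chase referrals, and the referred-to server is contacted with an
; anonymous bind, so only data readable anonymously is returned from it.
; Referral chasing also requires OpenLDAP 2.4.12 or newer and assumes the
; referred-to tree has the same layout as the primary one.
ldap_referrals = True

; Opt-out: uncomment to stop SSSD (via OpenLDAP) from following referrals
; at all, e.g. when the referred-to servers must not be queried anonymously
; or when their tree layout differs from the primary server's.
; ldap_referrals = False
```

Only one of the two ldap_referrals lines should be active; the man page sssd-ldap(5) referenced above is the authoritative description of the option.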

Added this info to LDAP Referrals sub-section in RHEL 6 Deployment Guide. See also BZ 606922

ba46d42..784e8d9 master -> master

doc: 1 => 0
docupdated: 0 => 1

Fields changed

rhbz: => 0

Metadata Update from @sgallagh:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.1

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1425

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
