I see that sssd supports enabling referral support in libldap, but sssd doesn't seem to be registering a rebind callback (with ldap_set_rebind_proc) for libldap to use when it needs to bind to a new server.
If sssd doesn't do that, then referrals to other servers will be done anonymously, which I don't think is going to provide the desired results if sssd has been configured to authenticate to its primary server.
My personal preference would be for sssd to not depend on libldap's ability to chase referrals, but to queue up referral responses itself for following after processing results of the currently-executing search, and handling server binds directly as a part of that. That said, providing a callback may simply be more expedient.
A note of warning: beware of reintroducing CVE-2005-2069 when you're following referrals.
milestone: NEEDS_TRIAGE => SSSD 1.4.0
owner: somebody => jhrozek
Raising priority to critical.
This issue is hitting Active Directory users particularly hard, since forests are almost always configured to require authentication for referrals.
priority: major => critical
owner: jhrozek => sbose
priority: critical => blocker
fixed by bfb9e9c08d9cd830963fbf5e65a23ef673c82258
resolution: => fixed
status: new => closed
rhbz: => 0
Metadata Update from @nalin:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.0
to comment on this ticket.
Copyright © 2014-2017 Red Hat
3.6 — Documentation