#609 SSSD LDAP provider should support ldapi:// for optimized lookups on a local LDAP server

Created 7 years ago by jhrozek
Modified 11 months ago

This issue was originaly reported in Red Hat Bugzilla

Currently the LDAP provider treats all URIs as network-resolvable. That is not true for ldapi:// as the path points to a UNIX socket.

We might create a very thin layer atop be_resolve_server_* in the ldap provider that would just return and call the specified callback when ldapi:// is found and descend to regular resolving otherwise. This may be a little over engineering as someone who uses ldapi:// is extremely unlikely to have another (remote) server configured, but should cover all cases, even with failover.

This ticket has a few other considerations that we need to make.

For example, should we waive the encryption requirement for authentication if we're talking only to a local socket? If so, we also need to coordinate with authconfig to adjust the UI to understand that.

component: SSSD => LDAP Provider
doc: 0 => 1
tests: 0 => 1

Similar issue has been recently discussed for nss_ldap. OpenLDAP using ldapi:// doesn't support TLS encryption using STARTTLS function and upstream decided that it will remain this way (NSS used in new versions of OpenLDAP doesn't even support local sockets). They suggested using starttls URL extension in RHEL5, but I guess that's not an option for new OpenLDAP either.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.6.0
summary: SSSD LDAP provider should support ldapi:// => SSSD LDAP provider should support ldapi:// for optimized lookups on a local LDAP server
type: defect => enhancement

Fields changed

coverity: =>
milestone: SSSD 1.6.0 => SSSD 1.7.0
upgrade: => 0

Fields changed

milestone: SSSD 1.8.0 => SSSD 1.9.0
patch: => 0

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Deferred

11 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome

Login to comment on this ticket.


LDAP Provider