This issue was originaly reported in Red Hat Bugzilla
Currently the LDAP provider treats all URIs as network-resolvable. That is not true for ldapi:// as the path points to a UNIX socket.
We might create a very thin layer atop be_resolve_server_* in the ldap provider that would just return and call the specified callback when ldapi:// is found and descend to regular resolving otherwise. This may be a little over engineering as someone who uses ldapi:// is extremely unlikely to have another (remote) server configured, but should cover all cases, even with failover.
This ticket has a few other considerations that we need to make.
For example, should we waive the encryption requirement for authentication if we're talking only to a local socket? If so, we also need to coordinate with authconfig to adjust the UI to understand that.
component: SSSD => LDAP Provider
doc: 0 => 1
tests: 0 => 1
Similar issue has been recently discussed for nss_ldap. OpenLDAP using ldapi:// doesn't support TLS encryption using STARTTLS function and upstream decided that it will remain this way (NSS used in new versions of OpenLDAP doesn't even support local sockets). They suggested using starttls URL extension in RHEL5, but I guess that's not an option for new OpenLDAP either.
milestone: NEEDS_TRIAGE => SSSD 1.6.0
summary: SSSD LDAP provider should support ldapi:// => SSSD LDAP provider should support ldapi:// for optimized lookups on a local LDAP server
type: defect => enhancement
milestone: SSSD 1.6.0 => SSSD 1.7.0
upgrade: => 0
milestone: SSSD 1.8.0 => SSSD 1.9.0
patch: => 0
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=627763 627763]
milestone: SSSD 1.9.0 => SSSD Deferred
Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome
to comment on this ticket.
Copyright © 2014-2017 Red Hat
2.13.2 — Documentation