sssd tries to always talk to the same LDAP server as long as this server is available. To achieve this the IP address of the LDAP server is resolved first and is used in the LDAP URI input parameter of ldap_initialize().
But typically TLS/SSL certificates do not contain the IP address of the LDAP server, but only the DNS name, and the validation of the certificate of the LDAP server will fail if ldaps or StartTLS is used. If the certificate has the IP address of the server in the subject alternative name field it will work. But since the majority of the certificates will not have this field for good reasons, I think we cannot recommend this as a solution.
From my point of view the best solution is to split the ldap_initialize() call into a socket() and an ldap_init_fd() call. This way we can connect with the IP address but use the hostname (or whatever is given in sssd.conf) in the LDAP session setup. Since there is only one place in sssd where we call ldap_initialize(), this change is rather small.
ldap_init_fd() is not defined in ldap.h but described in the man page. With a configure check for ldap_init_fd() and a fallback to ldap_initialize() we should be on the safe side.
Corresponding BZ entry https://bugzilla.redhat.com/show_bug.cgi?id=715609
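As an added illustration of the split proposed above (not code from the sssd tree or from this ticket): the TCP socket is connected to the already-resolved IP address, while the URI handed to libldap carries the host name from sssd.conf, so that certificate validation checks the DNS name. The macro name HAVE_LDAP_INIT_FD, the function names and the IPv4-only connect helper are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build the URI handed to libldap. It must carry the configured host name,
 * not the resolved IP, because that name is what the server certificate
 * is checked against when ldaps or StartTLS is used. Returns 0 or -1. */
int build_ldap_uri(const char *hostname, int port, int ldaps,
                   char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s://%s:%d",
                     ldaps ? "ldaps" : "ldap", hostname, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Connect a TCP socket to an already-resolved IPv4 address, so that the
 * client keeps talking to the server it picked. Returns the fd or -1. */
int connect_to_ip(const char *ip, int port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        return -1;               /* not a valid IPv4 literal */
    }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        return -1;
    }
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

#ifdef HAVE_LDAP_INIT_FD   /* assumed name of the configure-check macro */
#include <ldap.h>
/* Hand the connected socket to libldap together with the host-name URI:
 * the TCP peer stays the chosen IP while TLS validates the DNS name.
 * Without ldap_init_fd() the fallback is ldap_initialize() with the
 * IP-based URI, which keeps the server choice but not name validation. */
int ldap_session_over_fd(int fd, const char *uri, LDAP **ld)
{
    return ldap_init_fd(fd, LDAP_PROTO_TCP, uri, ld);
}
#endif
```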
owner: somebody => sbose
patch: 0 => 1
status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.5.9
This was partially fixed in 1.5.9 and 1.5.10, but it left an LDAPS regression that was only fixed in 1.5.11.
component: SSSD => LDAP Provider
milestone: SSSD 1.5.9 => SSSD 1.5.11
priority: major => blocker
resolution: => fixed
status: assigned => closed
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=715609 715609]
Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.11
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.