You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, SSSD cannot handle the existence of multiple namingContexts entries in the RootDSE without a corresponding defaultNamingContext attribute telling it which one it should use.
This is done for historical reasons, before we supported multiple search bases. We should update this code to generate a multiple search base for missing {{{ldap_*_search_base}}} entries.
After lengthy discussion with Simo, I've been convinced that this is an unsafe idea. We will instead simply disable features whose bases are not available with a warning.
(In #1152) Ok, a third and better option was proposed by Simo on IRC.
Instead of failing if we cannot auto-detect a search base, we will simply disable LDAP lookups for any feature (sudo, services, etc.) for which we do not have a search base set. We'll do this by leaving the {{{ldap_*_search_base}}} as NULL and carefully checking for it at the start of any relevant lookup requests (we'll just return ENOENT and log a warning message at level zero).
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1155
Currently, SSSD cannot handle the existence of multiple namingContexts entries in the RootDSE without a corresponding defaultNamingContext attribute telling it which one it should use.
This is done for historical reasons, before we supported multiple search bases. We should update this code to generate a multiple search base for missing {{{ldap_*_search_base}}} entries.
Comments
Comment from sgallagh at 2012-01-26 21:31:23
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=784984
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=784984 784984]
Comment from sgallagh at 2012-01-26 21:59:53
After lengthy discussion with Simo, I've been convinced that this is an unsafe idea. We will instead simply disable features whose bases are not available with a warning.
resolution: => wontfix
status: new => closed
Comment from sgallagh at 2012-01-26 22:02:00
(In #1152) Ok, a third and better option was proposed by Simo on IRC.
Instead of failing if we cannot auto-detect a search base, we will simply disable LDAP lookups for any feature (sudo, services, etc.) for which we do not have a search base set. We'll do this by leaving the {{{ldap_*_search_base}}} as NULL and carefully checking for it at the start of any relevant lookup requests (we'll just return ENOENT and log a warning message at level zero).
blockedby: 1152 =>
Comment from simo at 2012-03-08 15:25:48
Fields changed
milestone: NEEDS_TRIAGE => void
Comment from sgallagh at 2017-02-24 14:45:01
Metadata Update from @sgallagh:
The text was updated successfully, but these errors were encountered: