ad: fallback to ldap if cldap is not available in libldap #5743

Closed

pbrezina
Member

Some distributions do not have cldap support available in libldap. Now
we fall back to ad ping over ldap conditionally during build time.

Resolves: #5720

:fixes: AD ping is now sent over `ldap` if `cldap` support is not available
  during build. This helps to build SSSD on distributions without `cldap`
  support in `libldap`.

@justin-stephenson
Contributor

Hi, I compiled openldap-2.5.6 without CLDAP support on Fedora Rawhide.

  • Before the PR:
(2021-08-17 14:25:02): [be[ad.vm]] [ad_cldap_ping_send] (0x0400): Sending CLDAP ping
(2021-08-17 14:25:02): [be[ad.vm]] [ad_cldap_ping_domain_discovery_done] (0x0400): Found 1 domain controllers in domain ad.vm
(2021-08-17 14:25:02): [be[ad.vm]] [sdap_connect_host_resolv_done] (0x0400): Connecting to cldap://root-dc.ad.vm:389
(2021-08-17 14:25:02): [be[ad.vm]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed: Bad parameter to an ldap routine. [22][cldap://root-dc.ad.vm:389]
(2021-08-17 14:25:02): [be[ad.vm]] [ad_cldap_ping_done] (0x0040): Unable to get site and forest information [2]: No such file or directory
  • After the PR:
[root@master.client.vm ~]# egrep -irn 'sdap_connect_host_send|cldap' /var/log/sssd/sssd_ad.vm.log 
457:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_send] (0x0400): Sending CLDAP ping
477:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_domain_discovery_done] (0x0400): Found 1 domain controllers in domain ad.vm
478:(2021-08-17 15:02:17): [be[ad.vm]] [sdap_connect_host_send] (0x0400): Resolving host root-dc.ad.vm
506:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_dc_done] (0x0400): root-dc.ad.vm:389: found site (Default-First-Site-Name) and forest (ad.vm)
507:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_done] (0x0400): Found site: Default-First-Site-Name
508:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_done] (0x0400): Found forest: ad.vm
1330:(2021-08-17 15:02:31): [be[ad.vm]] [ad_cldap_ping_send] (0x0400): [RID#6] CLDAP ping is not necessary, using site 'Default-First-Site-Name' and forest 'ad.vm'

The only issue I see is that the 'CLDAP' ping log messages are misleading (ldap ping instead). The function names also, but changing those is not worth it IMO (too invasive for this).

I'm not sure if it should block the PR, but it would also be helpful if one of the users reporting this issue could test out the patch.
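
The before/after excerpts in the comment above can be told apart mechanically when triaging a host. This is an added example, not part of the PR or of SSSD: `triage_ad_ping` and its status labels are hypothetical, and the line format is inferred only from the log lines quoted on this page.

```python
import re

# Constructed sample: log lines taken from the "before" and "after" excerpts in the comment above.
BEFORE = """\
(2021-08-17 14:25:02): [be[ad.vm]] [ad_cldap_ping_send] (0x0400): Sending CLDAP ping
(2021-08-17 14:25:02): [be[ad.vm]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed: Bad parameter to an ldap routine. [22][cldap://root-dc.ad.vm:389]
(2021-08-17 14:25:02): [be[ad.vm]] [ad_cldap_ping_done] (0x0040): Unable to get site and forest information [2]: No such file or directory
"""
AFTER = """\
457:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_send] (0x0400): Sending CLDAP ping
507:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_done] (0x0400): Found site: Default-First-Site-Name
508:(2021-08-17 15:02:17): [be[ad.vm]] [ad_cldap_ping_done] (0x0400): Found forest: ad.vm
"""

# Optional "N:" prefix from grep -n, then (timestamp): [be[domain]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^(?:\d+:)?\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def triage_ad_ping(log_text):
    """Summarise the AD ping outcome per backend domain (hypothetical helper)."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a backend debug line in the quoted format
        st = result.setdefault(m["domain"], {"status": "unknown", "site": None, "forest": None})
        func, msg = m["func"], m["msg"]
        if (func == "sss_ldap_init_sys_connect_done"
                and "ldap_init_fd failed" in msg and "[cldap://" in msg):
            # libldap rejected the cldap:// URI: the symptom shown before the PR
            st["status"] = "cldap_uri_rejected"
        elif func == "ad_cldap_ping_done":
            if msg.startswith("Found site: "):
                st["site"] = msg[len("Found site: "):]
            elif msg.startswith("Found forest: "):
                st["forest"] = msg[len("Found forest: "):]
            elif msg.startswith("Unable to get site and forest") and st["status"] == "unknown":
                st["status"] = "ping_failed"
        if st["site"] and st["forest"]:
            st["status"] = "ok"
    return result

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, triage_ad_ping(text))
```
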

@sven-probst

Applying this patch to the Debian bullseye package src fixes the problem with sssd/ad-group lookups.

@pbrezina
Member Author

pbrezina commented Sep 9, 2021

Thanks. @justin-stephenson We can't change name of the functions, perhaps we could change CLDAP -> LDAP in debug messages but I don't think it's worth it as well. Are you going to ack this,

@justin-stephenson
Contributor

Ack from my side.

@pbrezina added the Ready to push label Sep 13, 2021
@pbrezina
Member Author

Pushed PR: #5743

  • master
    • dfb6594 - ad: fallback to ldap if cldap is not available in libldap

@pbrezina added Pushed and removed Accepted, Ready to push labels Sep 13, 2021
@pbrezina closed this Sep 13, 2021
@pbrezina deleted the cldap-tcp branch April 13, 2022 10:54
Successfully merging this pull request may close these issues.

SSSD requirement for CLDAP support in libldap should be optional