On Thu, 2012-10-11 at 19:47 +0200, Jakub Hrozek wrote:
On Thu, Oct 11, 2012 at 09:44:46AM -0400, Simo Sorce wrote:
On Thu, 2012-10-11 at 10:52 +0200, Jakub Hrozek wrote:
The IPA has a defined directory tree structure that allows us to guess the username from a DN without having to look up the DN in LDAP.
Jakub, it looks like you always take the shortcut in this case. I am not comfortable with that, I'd rather you check the DN matches the expected tree structure, and fallback to the classic method if not. This allows us to future-proof sssd if we were to relax constraints later on in IPA and allow for adding users and groups in custom OUs, while keeping the optimization for the current DIT.
Simo.
I already check if the DN matches the expected tree structure, check out sdap_nested_get_ipa_user(). But you're right that failure to parse the user should not be fatal.
Yup I saw that, sorry for the poor wording, I was only asking for the fallback.
I attached new patches that fall back to an LDAP lookup if the DN heuristics fail.
They look good to me, but I wonder, should this be user-specific? Or are you going to add a similar set of patches for groups?
Simo.
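The shortcut and fallback discussed in the thread (parse the username straight out of the DN when it matches the IPA tree, otherwise do a real LDAP lookup), as an added example. This is not sssd's code and not sdap_nested_get_ipa_user(); it assumes the usual IPA layout of uid=<name>,cn=users,cn=accounts,<basedn> for users and, going a step beyond the user-only patches Simo asks about, cn=<name>,cn=groups,cn=accounts,<basedn> for groups. All DNs below are constructed samples.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Added example, not sssd code. Assumed IPA DIT layout:
 *   users:  uid=<name>,cn=users,cn=accounts,<basedn>
 *   groups: cn=<name>,cn=groups,cn=accounts,<basedn>
 * Returns true and copies <name> into out when dn has exactly that shape;
 * returns false for anything else so the caller falls back to an LDAP lookup.
 */
static bool ipa_name_from_dn(const char *dn, const char *basedn,
                             const char *attr, const char *container,
                             char *out, size_t outlen)
{
    size_t attrlen = strlen(attr);
    size_t contlen = strlen(container);
    const char *name, *comma, *rest;
    size_t namelen;

    /* leading RDN must be <attr>= (attribute names are case-insensitive) */
    if (strncasecmp(dn, attr, attrlen) != 0 || dn[attrlen] != '=') {
        return false;
    }
    name = dn + attrlen + 1;

    comma = strchr(name, ',');
    if (comma == NULL) {
        return false;
    }
    namelen = (size_t)(comma - name);
    if (namelen == 0 || namelen >= outlen) {
        return false;
    }
    /* escaped characters or multi-valued RDNs: let LDAP resolve those */
    if (memchr(name, '\\', namelen) != NULL ||
        memchr(name, '+', namelen) != NULL) {
        return false;
    }

    /* fixed container RDNs, then exactly the configured base DN */
    rest = comma + 1;
    if (strncasecmp(rest, container, contlen) != 0) {
        return false;
    }
    rest += contlen;
    if (strcasecmp(rest, basedn) != 0) {
        return false;
    }

    memcpy(out, name, namelen);
    out[namelen] = '\0';
    return true;
}

static bool ipa_user_from_dn(const char *dn, const char *basedn,
                             char *out, size_t outlen)
{
    return ipa_name_from_dn(dn, basedn, "uid", "cn=users,cn=accounts,",
                            out, outlen);
}

static bool ipa_group_from_dn(const char *dn, const char *basedn,
                              char *out, size_t outlen)
{
    return ipa_name_from_dn(dn, basedn, "cn", "cn=groups,cn=accounts,",
                            out, outlen);
}

/* true when the shortcut resolves dn to exactly 'expected' */
static bool fast_path_gives(bool is_group, const char *dn, const char *basedn,
                            const char *expected)
{
    char buf[64];
    bool ok = is_group ? ipa_group_from_dn(dn, basedn, buf, sizeof(buf))
                       : ipa_user_from_dn(dn, basedn, buf, sizeof(buf));
    return ok && strcmp(buf, expected) == 0;
}

/* true when the shortcut declines and a real LDAP lookup is required */
static bool needs_ldap_lookup(bool is_group, const char *dn, const char *basedn)
{
    char buf[64];
    return !(is_group ? ipa_group_from_dn(dn, basedn, buf, sizeof(buf))
                      : ipa_user_from_dn(dn, basedn, buf, sizeof(buf)));
}

int main(void)
{
    /* constructed sample DNs, not real directory data */
    const char *basedn = "dc=example,dc=com";
    const char *dns[] = {
        "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
        "uid=bob,ou=staff,dc=example,dc=com",
        "uid=eve,cn=users,cn=accounts,dc=example,dc=com,dc=other",
        "cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
    };
    char name[64];

    for (size_t i = 0; i < sizeof(dns) / sizeof(dns[0]); i++) {
        if (ipa_user_from_dn(dns[i], basedn, name, sizeof(name))) {
            printf("%s -> user %s (no LDAP round trip)\n", dns[i], name);
        } else if (ipa_group_from_dn(dns[i], basedn, name, sizeof(name))) {
            printf("%s -> group %s (no LDAP round trip)\n", dns[i], name);
        } else {
            printf("%s -> fall back to LDAP lookup\n", dns[i]);
        }
    }
    return 0;
}
```

Anything that deviates from the expected shape (a custom OU, an escaped or multi-valued RDN, a DN under a different suffix) takes the LDAP fallback, which is the direction Simo asks for: the optimization only ever fires on the current DIT and never silently misnames an entry. The exact comparison against the configured base DN is deliberate, so that a DN that merely starts with the right containers but ends in another suffix is not treated as a local user.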