On Tue, Sep 02, 2014 at 03:20:46PM +0200, Pavel Reichl wrote:
On 09/02/2014 02:48 PM, Jakub Hrozek wrote:
>On Tue, Sep 02, 2014 at 02:38:38PM +0200, Jakub Hrozek wrote:
>>On Tue, Sep 02, 2014 at 01:50:46PM +0200, Pavel Reichl wrote:
>>>On 08/20/2014 03:20 PM, Jakub Hrozek wrote:
>>>>Hi,
>>>>
>>>>with the current SSSD code, an LDAP search that results in a referral
>>>>fails completely with EIO and usually sends the whole backend to
>>>>offline mode. I think this is too strict and if the admin chose to
>>>>ignore referrals, we should just skip these results.
>>>>
>>>>John Hodrien in particular was hit by us treating referrals as fatal in
>>>>an environment where he needs to restrict the search scope by using custom
>>>>LDAP search bases.
>>>>
>>>>Also, in cases where Global Catalog support is disabled or GC not available
>>>>and a group contains a user from a trusted domain, trying to search for
>>>>this DN yields a referral.
>>>>
>>>>Attached is a patch that ignores referrals when the admin set
>>>>ldap_referrals=false in the config file.
>>>>
>>>>Given the sdap async code is quite old and I don't remember all the
>>>>use-cases, I CC-ed Stephen directly to get some advice. Is there any
>>>>risk in ignoring referrals?
>>>>
>>>ACK
>>* master a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2
>Can you also review the attached version for 1.11? It just removes
>printing the hunk that prints referral as that part wasn't present in
>master.
>
ACK
* sssd-1-11: e6c56ab04e9b3669a7f7a87e49752c22d72e8e8a