On Tue, Sep 02, 2014 at 02:38:38PM +0200, Jakub Hrozek wrote:
> On Tue, Sep 02, 2014 at 01:50:46PM +0200, Pavel Reichl wrote:
>> On 08/20/2014 03:20 PM, Jakub Hrozek wrote:
>>> Hi,
>>>
>>> with the current SSSD code, an LDAP search that results in a referral
>>> fails completely with EIO and usually sends the whole backend to
>>> offline mode. I think this is too strict and if the admin chose to
>>> ignore referrals, we should just skip these results.
>>>
>>> John Hodrien in particular was hit by us treating referrals as fatal in
>>> an environment where he needs to restrict the search scope by using custom
>>> LDAP search bases.
>>>
>>> Also, in cases where Global Catalog support is disabled or GC not available
>>> and a group contains a user from a trusted domain, trying to search for
>>> this DN yields a referral.
>>>
>>> Attached is a patch that ignores referrals when the admin set
>>> ldap_referrals=false in the config file.
>>>
>>> Given the sdap async code is quite old and I don't remember all the
>>> use-cases, I CC-ed Stephen directly to get some advice. Is there any
>>> risk in ignoring referrals?
>>>
>>>
>>> _______________________________________________
>>> sssd-devel mailing list
>>> sssd-devel(a)lists.fedorahosted.org
>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>> ACK
> * master a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2
Can you also review the attached version for 1.11? It just removes
printing the hunk that prints referral as that part wasn't present in
master.