Hi,
we're debating what is the right approach to GC lookups by default, but
for the 1.11.3 release, we should offer an option to fall back from GC
to LDAP. The attached patches do that.

[PATCH 1/3] AD: Add a utility function to create list of connections
ad_id.c and ad_access.c used the same block of code. With the upcoming
option to disable GC lookups, we should unify the code in a function to
avoid breaking one of the code paths.
Defaulting to GC for access provider is safe, as you can see in
ad_access.c we retry on any denial against the GC to make sure we don't
miss an attribute from LDAP.

[PATCH 2/3] AD: Add a new option to turn off GC lookups
Adds the option.

[PATCH 3/3] AD: Enable fallback to LDAP of trusted domain
Since we have the LDAP port of a trusted AD GC always available now, we
can always perform a fallback.

I'm fine with leaving the patch out of 1.11.3 if the other developers
think we should strictly limit ourselves to what we've agreed on.