On Thu, Oct 11, 2012 at 09:44:46AM -0400, Simo Sorce wrote:
> On Thu, 2012-10-11 at 10:52 +0200, Jakub Hrozek wrote:
> > The IPA has a defined directory tree structure that allows us to guess
> > the username from a DN without having to look up the DN in LDAP.
> Jakub,
> it looks like you always take the shortcut in this case.
> I am not comfortable with that, I'd rather you check the DN matches the
> expected tree structure, and fall back to the classic method if not.
> This allows us to future-proof sssd if we were to relax constraints
> later on in IPA and allow for adding users and groups in custom OUs,
> while keeping the optimization for the current DIT.
> Simo.

I already check if the DN matches the expected tree structure, check out
sdap_nested_get_ipa_user(). But you're right that failure to parse the
user should not be fatal.
I attached new patches that fall back to an LDAP lookup if the DN
heuristics fail.
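As an added illustration (not sssd's own code and not the attached patches), here is a C sketch of the check Simo asked for: the DN is accepted only when it has exactly the assumed IPA layout uid=<name>,cn=users,cn=accounts,<basedn>, and any other shape, including escapes the parser does not decode, returns false so the caller falls back to the LDAP lookup. The container names and the function name are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Advance past the first unescaped ',' in s; NULL if there is none. */
static const char *next_rdn(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s == '\\' && s[1] != '\0') { s++; continue; }  /* skip escaped char */
        if (*s == ',') return s + 1;
    }
    return NULL;
}

/* Fill out with the user name when dn is exactly
 * uid=<name>,cn=users,cn=accounts,<basedn> (assumed IPA layout).
 * Returns false whenever the DN does not match, signalling the caller
 * to fall back to an LDAP lookup rather than trusting the shortcut. */
bool ipa_user_from_dn(const char *dn, const char *basedn, char *out, size_t outlen)
{
    static const char container[] = "cn=users,cn=accounts,";
    if (strncasecmp(dn, "uid=", 4) != 0) return false;
    const char *val = dn + 4;
    const char *rest = next_rdn(val);            /* RDNs after the uid */
    if (rest == NULL) return false;
    size_t vlen = (size_t)(rest - 1 - val);
    if (vlen == 0 || vlen >= outlen) return false;
    if (strncasecmp(rest, container, sizeof(container) - 1) != 0) return false;
    if (strcasecmp(rest + sizeof(container) - 1, basedn) != 0) return false;

    /* Decode simple RFC 4514 escapes (\, \+ \" \\ ...) in the uid value.
     * Hex escapes such as \2C are not decoded here: decline the shortcut
     * so the caller does an authoritative lookup instead of guessing. */
    size_t j = 0;
    for (size_t i = 0; i < vlen; i++) {
        char c = val[i];
        if (c == '\\') {
            if (i + 1 >= vlen) return false;          /* dangling backslash */
            c = val[++i];
            if (strchr("0123456789abcdefABCDEF", c) != NULL) return false;
        }
        out[j++] = c;
    }
    out[j] = '\0';
    return true;
}
```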