
Configure how SSSD should access RootDSE. #7846

Closed
wants to merge 1 commit into from

Conversation

thalman
Contributor

@thalman thalman commented Feb 24, 2025

:config:The 'ldap_read_rootdse' option allows you to specify how SSSD will read RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated" and "never"

@thalman thalman marked this pull request as ready for review February 26, 2025 19:32
@thalman
Contributor Author

thalman commented Feb 26, 2025

One test is failing (test_ipa_subdom_server) because my changes exposed another issue. That is being fixed by @justin-stephenson right now. I will rebase once the fix is merged but code-wise this PR is ready for review.

@thalman
Contributor Author

thalman commented Feb 27, 2025

blocked by #7854

</itemizedlist>
Note that when using the "anonymous" option, SSSD
may attempt to read RootDSE after authentication
if anonymous access fails.
Contributor

I don't quite understand this statement. Can you elaborate?

Contributor

Is it related to the comment in the code below?

     /* We did not read rootDSE during unauthenticated bind because
      * it is inaccessible for anonymous user or because
      * ldap_read_rootdse is set to "authenticated"
      * Let's try to read it now */

Contributor Author

Yes, it is related. The "anonymous" option basically enables the current/original SSSD behavior. In this mode SSSD tries to read RootDSE anonymously, but if that fails SSSD attempts to read it once again after authentication.

Failures are not critical - we can proceed without reading RootDSE if everything (e.g. the authentication mechanism) is set correctly manually in sssd.conf.

This option allows us to skip the attempts that would fail anyway due to LDAP server restrictions/custom setup and get rid of annoying error messages in the log in such environments.
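The fallback sequence described in the comment above, as an added example that is not SSSD's code: a small Python model of how many RootDSE reads each `ldap_read_rootdse` value causes, and where they happen relative to the bind, when the directory denies anonymous access. `FakeLdapServer`, `SAMPLE_ROOTDSE` and the service bind DN are constructed for the example; a real deployment sets the option in the `[domain/NAME]` section of sssd.conf, for instance `ldap_read_rootdse = never`.

```python
"""Illustrative model of the RootDSE read strategy selected by the
ldap_read_rootdse option ("anonymous", "authenticated" or "never").

Example code written for this page, not SSSD's implementation. The
FakeLdapServer stands in for a directory whose ACL may deny anonymous
reads of the RootDSE; its contents are constructed for the example."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed RootDSE content, i.e. what a real server would advertise.
SAMPLE_ROOTDSE = {
    "supportedSASLMechanisms": ["GSSAPI", "EXTERNAL"],
    "namingContexts": ["dc=example,dc=com"],
}

VALID_MODES = ("anonymous", "authenticated", "never")


@dataclass
class FakeLdapServer:
    """Stand-in directory; allow_anonymous_rootdse mirrors a server-side ACL."""
    allow_anonymous_rootdse: bool
    rootdse: dict = field(default_factory=lambda: dict(SAMPLE_ROOTDSE))

    def read_rootdse(self, bound_as: Optional[str]) -> dict:
        # bound_as=None means the connection is still unauthenticated.
        if bound_as is None and not self.allow_anonymous_rootdse:
            raise PermissionError("insufficient access to read RootDSE anonymously")
        return dict(self.rootdse)


@dataclass
class ConnectResult:
    rootdse: Optional[dict]
    attempts: List[Tuple[str, str]]   # (phase, outcome) in the order tried
    sasl_mech: Optional[str]           # mechanism the bind would use; None = defaults


def connect(server: FakeLdapServer, mode: str, bind_dn: str,
            configured_sasl_mech: Optional[str] = None) -> ConnectResult:
    """Model the attempt sequence for one ldap_read_rootdse mode.

    anonymous:     try before the bind; on failure retry once after the bind.
    authenticated: skip the anonymous attempt, read only after the bind.
    never:         skip both; rely on what sssd.conf configures manually.
    A failed read is not fatal: the connection proceeds without RootDSE."""
    if mode not in VALID_MODES:
        raise ValueError(f"ldap_read_rootdse must be one of {VALID_MODES}, got {mode!r}")

    attempts: List[Tuple[str, str]] = []
    rootdse: Optional[dict] = None

    # Phase 1: unauthenticated read, only in "anonymous" mode.
    if mode == "anonymous":
        try:
            rootdse = server.read_rootdse(None)
            attempts.append(("anonymous", "ok"))
        except PermissionError:
            attempts.append(("anonymous", "denied"))   # this is the logged error

    # The bind happens here. A manually configured mechanism wins; otherwise
    # the mechanism can only come from a RootDSE read that already succeeded.
    sasl_mech = configured_sasl_mech
    if sasl_mech is None and rootdse is not None:
        sasl_mech = rootdse["supportedSASLMechanisms"][0]

    # Phase 2: read after authentication, unless the anonymous read already
    # succeeded or the mode forbids reading RootDSE at all.
    if rootdse is None and mode != "never":
        try:
            rootdse = server.read_rootdse(bind_dn)
            attempts.append(("authenticated", "ok"))
        except PermissionError:
            attempts.append(("authenticated", "denied"))

    return ConnectResult(rootdse=rootdse, attempts=attempts, sasl_mech=sasl_mech)


if __name__ == "__main__":
    locked = FakeLdapServer(allow_anonymous_rootdse=False)
    service_dn = "uid=sssd,ou=services,dc=example,dc=com"   # constructed
    for mode in VALID_MODES:
        res = connect(locked, mode, service_dn, configured_sasl_mech="GSSAPI")
        print(f"{mode:13s} attempts={res.attempts} rootdse_read={res.rootdse is not None}")
```

Running the block against the locked-down fake server shows the point of the option: "anonymous" produces a denied attempt followed by a successful authenticated one, "authenticated" produces just the successful one, and "never" produces no attempt and relies entirely on the configured mechanism.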

Contributor

Thanks for clarification. IMO the wording can be improved a bit. Something like

By default, using the "anonymous" option, SSSD tries to read RootDSE anonymously. If this fails SSSD retries the attempt with authentication.

Contributor Author

Thanks, updated.

Contributor

@justin-stephenson justin-stephenson left a comment

Ack, thank you.

@alexey-tikhonov
Member

Re: release note: ":config:The 'ldap_read_rootdse' option allows ..." -- maybe better "New 'ldap_read_rootdse' option allows ..."?
Imo, it will read better in RNs text.

@thalman
Contributor Author

thalman commented Mar 14, 2025

Re: release note: ":config:The 'ldap_read_rootdse' option allows ..." -- maybe better "New 'ldap_read_rootdse' option allows ..."? Imo, it will read better in RNs text.

Updated

@alexey-tikhonov
Member

blocked by #7854

This PR was pushed.
@thalman, could you please rebase?

:config:New 'ldap_read_rootdse' option allows you to specify how
SSSD will read RootDSE from the LDAP server. Allowed values are
"anonymous", "authenticated" and "never"

Resolves: SSSD#6665
@thalman
Contributor Author

thalman commented Mar 21, 2025

rebased, let's wait for CI

@alexey-tikhonov alexey-tikhonov added the "coverity" (Trigger a coverity scan) and "Ready to push" labels Mar 24, 2025
@alexey-tikhonov
Member

Pushed PR: #7846

  • master
    • fcc1087 - Configure how SSSD should access RootDSE.
  • sssd-2-9
    • 1e9205d - Configure how SSSD should access RootDSE.
