In violation of the standard, some LDAP servers control access to
the RootDSE, thus preventing us from being able to read it before
performing a bind.

This patch will allow us to continue on if the RootDSE was
inaccessible. All of the places that we use the return value of
the RootDSE after this are already checked for NULL and use sane
defaults if the RootDSE is unavailable.


I was poking around related code today and realized that the fix for this was actually very easy (as at present we are only using the result of the rootDSE lookup to determine if we can perform a GSSAPI bind, but it's already covered to just skip the check and assume that the server is capable if the rootDSE object is empty).

There is one other place, in sdap_initgr_nested_send() where we have a TODO in place to use the rootDSE to detect deref and ASQ support, but we are not actually doing so yet anyway.

I think this will solve https://fedorahosted.org/sssd/ticket/497 easily, and I think it's worth re-targeting to 1.2.2. This patch applies to both master and sssd-1-2.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
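As an added example, not sssd code and not part of the patch below: the decision described in the message above, applied to a RootDSE in LDIF form (what `ldapsearch -x -LLL -b "" -s base supportedSASLMechanisms supportedControl` prints). An unreadable or empty RootDSE is treated as "assume the configured features work", which is what the patch does on ENOENT; otherwise `supportedSASLMechanisms` is checked for GSSAPI and `supportedControl` for the deref and ASQ control OIDs that the TODO in sdap_initgr_nested_send() refers to. The function names, the two OID constants and the sample LDIF entries are assumptions made for this example, not sssd's.

```python
"""Classify a RootDSE lookup the way the "Make RootDSE optional" patch does.

Added example, not sssd code. It operates on the LDIF text that
`ldapsearch -x -LLL -b "" -s base supportedSASLMechanisms supportedControl`
prints for an anonymous base search. All sample entries below are constructed.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass

# Control OIDs for the two features the message mentions as a TODO.
DEREF_CONTROL_OID = "1.3.6.1.4.1.4203.666.5.16"   # OpenLDAP dereference control
ASQ_CONTROL_OID = "1.2.840.113556.1.4.1504"       # AD attribute-scoped query


@dataclass
class RootDseCapabilities:
    assumed: bool          # True: RootDSE unreadable, nothing below was checked
    gssapi: bool
    deref: bool
    asq: bool
    mechanisms: tuple[str, ...] = ()


def _unfold(ldif: str) -> list[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw.rstrip("\r"))
    return lines


def parse_ldif_rootdse(ldif: str) -> dict[str, list[str]] | None:
    """Parse a single LDIF entry into lowercase attribute -> values.

    Returns None when no entry (no 'dn:' line) is present, which is what an
    ACI hiding the RootDSE from anonymous clients looks like to the caller.
    """
    attrs: dict[str, list[str]] = {}
    saw_entry = False
    for line in _unfold(ldif):
        line = line.rstrip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        name, value = name.lower(), value.strip()
        if name == "dn":
            saw_entry = True                        # RootDSE has the empty DN
            continue
        attrs.setdefault(name, []).append(value)
    return attrs if saw_entry else None


def evaluate_rootdse(ldif: str | None, want_mech: str = "GSSAPI") -> RootDseCapabilities:
    """Decide what the server supports, or assume everything if RootDSE is unavailable."""
    attrs = parse_ldif_rootdse(ldif) if ldif is not None else None
    if not attrs:
        # Mirrors the patch's ENOENT branch: no (or an empty) RootDSE means
        # continue and trust that the features requested by the config work.
        return RootDseCapabilities(assumed=True, gssapi=True, deref=True, asq=True)
    mechs = tuple(attrs.get("supportedsaslmechanisms", []))
    controls = set(attrs.get("supportedcontrol", []))
    return RootDseCapabilities(
        assumed=False,
        gssapi=want_mech.upper() in {m.upper() for m in mechs},
        deref=DEREF_CONTROL_OID in controls,
        asq=ASQ_CONTROL_OID in controls,
        mechanisms=mechs,
    )


# Constructed sample: an openly readable RootDSE advertising GSSAPI and deref.
OPEN_ROOTDSE = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 1.2.840.113556.1.4.319
"""

# Constructed sample: readable RootDSE that does not advertise GSSAPI.
NO_GSSAPI_ROOTDSE = """\
dn:
supportedSASLMechanisms: EXTERNAL
supportedControl: 1.2.840.113556.1.4.319
"""

# Constructed sample: the anonymous search returned no entry at all.
HIDDEN_ROOTDSE = ""

if __name__ == "__main__":
    for label, sample in (("open", OPEN_ROOTDSE), ("no-gssapi", NO_GSSAPI_ROOTDSE),
                          ("hidden", HIDDEN_ROOTDSE)):
        print(label, evaluate_rootdse(sample))
```

The `assumed` flag is the part worth keeping visible in a real client: when it is set, a failing GSSAPI bind later is a configuration or ACI problem, not a server capability the code could have detected.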
From f59400b6a695e601bad7242ec8d8f583492428b8 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Thu, 24 Jun 2010 14:06:07 -0400
Subject: [PATCH] Make RootDSE optional

In violation of the standard, some LDAP servers control access to
the RootDSE, thus preventing us from being able to read it before
performing a bind.

This patch will allow us to continue on if the RootDSE was
inaccessible. All of the places that we use the return value of
the RootDSE after this are already checked for NULL and use sane
defaults if the RootDSE is unavailable.
---
 src/providers/ldap/sdap_async.c            |    3 ++-
 src/providers/ldap/sdap_async_connection.c |   16 ++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 20828d2b79e72bc47b32d3eaa96b57e0e1945c2f..f84032b3329cc98f88a2565f49be1cdabc9527fe 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -678,7 +678,8 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
     }
 
     if (num_results == 0 || !results) {
-        DEBUG(2, ("No RootDSE for server ?!\n"));
+        DEBUG(2, ("RootDSE could not be retrieved. "
+                  "Check ACIs on RootDSE\n"));
         tevent_req_error(req, ENOENT);
         return;
     }
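Review bot: the `DEBUG(2, ...)` text is the only change here, and the request still fails with `ENOENT`, which the caller now treats as the in-band "RootDSE is optional" signal. A one-line comment above `tevent_req_error(req, ENOENT);` saying that sdap_cli_rootdse_done() depends on this exact errno to continue without the RootDSE would stop a later cleanup from switching the code and silently making the lookup mandatory again. The message could also state that processing continues with defaults, so an admin reading "Check ACIs on RootDSE" at level 2 can tell an advisory from a hard failure.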
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 14a1a4b7d2989a1623159cb5ef3caa041d0d5d52..98f5fb3dc4a0968a702421cc1c7814ff59be921b 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1052,8 +1052,20 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq)
             return;
         }
 
-        tevent_req_error(req, ret);
-        return;
+        else if (ret == ENOENT) {
+            /* RootDSE was not available on
+             * the server.
+             * Continue, and just assume that the
+             * features requested by the config
+             * work properly.
+             */
+            state->use_rootdse = false;
+        }
+
+        else {
+            tevent_req_error(req, ret);
+            return;
+        }
     }
 
     sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
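Review bot: the fallback at `state->use_rootdse = false;` is silent; add a `DEBUG()` there saying the RootDSE was unreadable and that feature detection for the SASL mechanism (and, per the TODO, deref/ASQ) is being skipped, because the only trace left is the level-2 message in sdap_get_rootdse_done() and a GSSAPI bind that then fails against a server without that mechanism is harder to diagnose. Style: the blank lines between `}` and `else if (ret == ENOENT) {`, and between `}` and `else {`, break the if/else chain visually; since the preceding branch returns, `} else if (ret == ENOENT) {` / `} else {` with no gaps reads as the single chain it is. The behaviour change (a RootDSE hidden by ACIs means the configured features are trusted as-is and a mismatch surfaces at bind time) is documented only in the block comment; it belongs in the commit message too.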
-- 
1.7.0.1

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel