-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/13/2016 07:25 AM, Pavel Březina wrote: > https://fedorahosted.org/sssd/ticket/2906 > > Hi, I'm CCing Stephen as he is original author of the code. > > Without this patch I am not able to work with AD when > ldap_referrals=true, with this patch it works. I'm not sure though > if it is a correct fix or if we can find a better one. > > As the removed comment says the referrals should be processed by > openldap so why aren't they?
So, I never actually tested that particular code-path, I think. Looking at the code now, I think I see the mistake. There are two cases where the openldap lookup can return referrals. One is the case where the result code of the lookup is LDAP_REFERRAL. That is the situation where the LDAP server has responded that ALL results must come from somewhere else (equivalent to HTTPs 304 code). However, there's also the case where we get LDAP_SUCCESS which also has some referrals that may contain *additional* results. This is the codepath that you're hitting with this bug. Now, I have no idea why the openldap libraries actually return the referral information on this codepath, since in theory it is just supposed to follow it magically under the hood, but I have some suspicions. Among many other abominations, AD's returned referral URIs are often unfollowable. Instead of returning referrals to specific systems, they return referrals whose hostname is simply the domain in question. (Which means that the client is randomly sent to one of the domain controllers that serve that domain). However, Windows machines do some sort of magic under the hood in order to have the TLS certificates actually work in that case. So my guess here is that when openldap discovers it cannot *actually* process the referral, rather than failing it just returns it as extra information so the application can attempt to solve it on its own. I should also note that OpenLDAP upstream discourages the use of the internal referral chasing as it rarely works properly. In conclusion: go ahead and remove that section of code entirely. While you're there, could you fix a minor memory bug as well? I forgot to talloc_free(refs) on the success case. It's not a major issue since it's allocated on a request that almost certainly gets freed soon after this function returns, but since the memory is no longer used after this (we don't return it), it's a good convention to clear it here . -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlaWYv0ACgkQeiVVYja6o6OAPgCeJ4clX3AQHAmneAMZDLWusY3D qKkAnj+ozhh83H3IYukaYbuwlBUd8fl0 =9PKT -----END PGP SIGNATURE----- _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
