|
 |
5fca41 |
From 2c97edb4bd965499fe4cc39710de1a565c1b40d3 Mon Sep 17 00:00:00 2001
|
|
|
5fca41 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
5fca41 |
Date: Tue, 12 Mar 2019 12:48:48 +0100
|
|
|
5fca41 |
Subject: [PATCH 25/25] IPA: Use dereference for host groups even if the
|
|
|
5fca41 |
configuration disables dereference
|
|
|
5fca41 |
MIME-Version: 1.0
|
|
|
5fca41 |
Content-Type: text/plain; charset=UTF-8
|
|
|
5fca41 |
Content-Transfer-Encoding: 8bit
|
|
|
5fca41 |
|
|
|
5fca41 |
Related:
|
|
|
5fca41 |
https://pagure.io/SSSD/sssd/issue/3979
|
|
|
5fca41 |
|
|
|
5fca41 |
In some cases, it makes sense for performance reasons to disable
|
|
|
5fca41 |
dereference when processing user groups. But since processing of HBAC host
|
|
|
5fca41 |
groups is not much of a performance sensitive operation, we can get away
|
|
|
5fca41 |
with ignoring the client side setting and always using the dereference
|
|
|
5fca41 |
branch if the server supports the dereference call.
|
|
|
5fca41 |
|
|
|
5fca41 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
5fca41 |
(cherry picked from commit 9d63616000c0c886a6da87708a460218a9e24474)
|
|
|
5fca41 |
---
|
|
|
5fca41 |
src/man/sssd-ldap.5.xml | 11 +++++++++--
|
|
|
5fca41 |
src/providers/ipa/ipa_hosts.c | 2 +-
|
|
|
5fca41 |
2 files changed, 10 insertions(+), 3 deletions(-)
|
|
|
5fca41 |
|
|
|
5fca41 |
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
|
|
5fca41 |
index 5b858be62..25acc19e6 100644
|
|
|
5fca41 |
--- a/src/man/sssd-ldap.5.xml
|
|
|
5fca41 |
+++ b/src/man/sssd-ldap.5.xml
|
|
|
5fca41 |
@@ -1601,8 +1601,15 @@
|
|
|
5fca41 |
they are looked up individually.
|
|
|
5fca41 |
</para>
|
|
|
5fca41 |
<para>
|
|
|
5fca41 |
- You can turn off dereference lookups completely by
|
|
|
5fca41 |
- setting the value to 0.
|
|
|
5fca41 |
+ You can turn off dereference lookups completely
|
|
|
5fca41 |
+ by setting the value to 0. Please note that
|
|
|
5fca41 |
+ there are some codepaths in SSSD, like the IPA
|
|
|
5fca41 |
+ HBAC provider, that are only implemented using
|
|
|
5fca41 |
+ the dereference call, so even with dereference
|
|
|
5fca41 |
+ explicitly disabled, those parts will still
|
|
|
5fca41 |
+ use dereference if the server supports it
|
|
|
5fca41 |
+ and advertises the dereference control in the
|
|
|
5fca41 |
+ rootDSE object.
|
|
|
5fca41 |
</para>
|
|
|
5fca41 |
<para>
|
|
|
5fca41 |
A dereference lookup is a means of fetching all
|
|
|
5fca41 |
diff --git a/src/providers/ipa/ipa_hosts.c b/src/providers/ipa/ipa_hosts.c
|
|
|
5fca41 |
index 288bfb865..e209bca67 100644
|
|
|
5fca41 |
--- a/src/providers/ipa/ipa_hosts.c
|
|
|
5fca41 |
+++ b/src/providers/ipa/ipa_hosts.c
|
|
|
5fca41 |
@@ -157,7 +157,7 @@ ipa_host_info_done(struct tevent_req *subreq)
|
|
|
5fca41 |
return;
|
|
|
5fca41 |
}
|
|
|
5fca41 |
|
|
|
5fca41 |
- if (!sdap_has_deref_support(state->sh, state->opts)) {
|
|
|
5fca41 |
+ if (!sdap_has_deref_support_ex(state->sh, state->opts, true)) {
|
|
|
5fca41 |
DEBUG(SSSDBG_CRIT_FAILURE, "Server does not support deref\n");
|
|
|
5fca41 |
tevent_req_error(req, EIO);
|
|
|
5fca41 |
return;
|
|
|
5fca41 |
--
|
|
|
5fca41 |
2.19.1
|
|
|
5fca41 |
|