[Freeipa-devel] [PATCH 0081] Skip referrals when converting LDAP result to LDAPEntry

Alexander Bokovoy abokovoy at redhat.com
Thu Jul 25 07:28:05 UTC 2013


On Thu, 25 Jul 2013, Petr Spacek wrote:
>On 25.7.2013 09:03, Alexander Bokovoy wrote:
>>On Thu, 25 Jul 2013, Petr Spacek wrote:
>>>On 24.7.2013 22:18, Tomas Babej wrote:
>>>>Hi,
>>>>
>>>>When converting the result obtained by python-ldap library,
>>>>we need to skip unresolved referral entries, since they cannot
>>>>be converted.
>>>>
>>>>https://fedorahosted.org/freeipa/ticket/3814
>>>
>>>I'm not sure if a simple 'skip it' approach is the right one. Shouldn't it
>>>print/log a warning at least? Do you know all implications? Are you sure
>>>that this will not break something else silently?
>>>
>>>(BTW isn't the right approach to fix python-ldap? Or is it a quirk in AD?)
>>AD DC often answers with proper result and then several referrals to
>>other internal resources to complement the search if you are asking for
>>wide-open search (default). We are not interested in these referrals for
>>various reasons, including the fact that we are looking at the
>>authoritative DC and it has all the needed info.
>>
>>At best, we could define an option that forces us to do referral chasing
>>to fetch remaining results but this is not something really needed right
>>now.
>
>I understand that we don't need referrals now, but the question is 
>'Could it break something? Silently? In the future?'.
Not in the codepath for AD. We disabled referral chasing in SSSD when
talking to AD as well.

There is currently one place where referrals are actively used in IPA
deployment and it is Schema Compatibility plugin which issues referral
for an authenticated bind to the main LDAP tree. However, it seems to be
broken as the majority of OpenLDAP installs have referral chasing
switched off by default.

>E.g. the option 'follow referrals' (defaulting to False) is IMHO much much better.
Agreed. Actually, since we have access to the connection object, upper
layer code can set referral handling manually via ldap_set_option().
This means we can check at this point whether the connection has
referral chasing disabled (ldap_get_option(conn, LDAP_OPT_REFERRALS, &value) in C)
and raise an exception here.


>The point is that we don't need to implement referral chasing right 
>now, just throw an exception if somebody tries to switch 'follow 
>referrals' option to True. IMHO this will prevent surprises in the 
>future, because it is absolutely clear that referrals are not 
>followed.
Yes, definitely, though I'd prefer to sense the option from existing
LDAP connection.

-- 
/ Alexander Bokovoy
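The two ideas discussed in this thread, skipping the referral entries python-ldap returns for an unresolved referral instead of failing on them, and refusing to convert at all if the connection has referral chasing enabled (sensed from the connection's LDAP_OPT_REFERRALS setting rather than from a separate flag), can be put together as follows. This is an added illustration, not the FreeIPA patch or python-ldap code. It assumes the documented python-ldap shape of a referral result, a `(None, [url, ...])` tuple in place of `(dn, attrs)`; the `FakeConnection` class, the `LDAPEntry` dataclass, the `ReferralChasingEnabled` exception and the sample AD-style result are constructed for the example, and the fallback value of `OPT_REFERRALS` is OpenLDAP's `LDAP_OPT_REFERRALS` (0x0008) so the block runs without python-ldap installed.

```python
"""Convert a raw python-ldap search result into entries, skipping referrals.

Added example, not FreeIPA or python-ldap code. Demonstrates:
 1. unresolved referrals, which python-ldap returns as (None, [url, ...])
    tuples, are skipped with a logged warning rather than silently;
 2. before converting, the connection is asked whether libldap would chase
    referrals (LDAP_OPT_REFERRALS); if so, conversion refuses to proceed,
    so a future change to that option cannot go unnoticed.
"""
import logging
from dataclasses import dataclass, field

try:  # python-ldap is optional here; only the option constant is needed
    import ldap
    OPT_REFERRALS = ldap.OPT_REFERRALS
except ImportError:  # assumption: same value as OpenLDAP's LDAP_OPT_REFERRALS
    OPT_REFERRALS = 0x0008

log = logging.getLogger(__name__)


class ReferralChasingEnabled(Exception):
    """Raised when the connection would chase referrals, which we do not handle."""


@dataclass
class LDAPEntry:
    """Minimal stand-in for the entry type the real converter produces."""
    dn: str
    attrs: dict = field(default_factory=dict)


class FakeConnection:
    """Constructed stand-in for a python-ldap LDAPObject; only get_option() is used."""

    def __init__(self, chase_referrals):
        self._options = {OPT_REFERRALS: int(chase_referrals)}

    def get_option(self, option):
        return self._options[option]


def is_referral(dn, attrs):
    """python-ldap yields dn == None and a list of LDAP URLs for an unresolved referral."""
    return dn is None and isinstance(attrs, list)


def referral_chasing_enabled(conn):
    """Sense the option from the existing connection instead of a separate flag."""
    return bool(conn.get_option(OPT_REFERRALS))


def convert_result(conn, result):
    """Return (entries, skipped_referral_urls) for a python-ldap search result."""
    if referral_chasing_enabled(conn):
        raise ReferralChasingEnabled(
            "referral chasing is enabled on this connection but not supported here")
    entries, skipped = [], []
    for dn, attrs in result:
        if is_referral(dn, attrs):
            # Not an error for our use: the authoritative server already answered,
            # but do not drop the referral silently either.
            log.warning("skipping unresolved referral(s): %s", ", ".join(attrs))
            skipped.extend(attrs)
            continue
        entries.append(LDAPEntry(dn, dict(attrs)))
    return entries, skipped


# Constructed sample: what an AD DC typically returns for a wide subtree search,
# i.e. real entries interleaved with referrals to the DNS application partitions.
SAMPLE_RESULT = [
    ("CN=Users,DC=ad,DC=example,DC=test",
     {"objectClass": [b"top", b"container"], "cn": [b"Users"]}),
    (None, ["ldap://ForestDnsZones.ad.example.test/DC=ForestDnsZones,DC=ad,DC=example,DC=test"]),
    (None, ["ldap://DomainDnsZones.ad.example.test/DC=DomainDnsZones,DC=ad,DC=example,DC=test"]),
    ("CN=Configuration,DC=ad,DC=example,DC=test",
     {"objectClass": [b"top", b"configuration"], "cn": [b"Configuration"]}),
]


def demo():
    """Run both paths on the sample and return the observable outcome."""
    entries, skipped = convert_result(FakeConnection(chase_referrals=False), SAMPLE_RESULT)
    try:
        convert_result(FakeConnection(chase_referrals=True), SAMPLE_RESULT)
        refused = False
    except ReferralChasingEnabled:
        refused = True
    return {
        "dns": [e.dn for e in entries],
        "skipped": skipped,
        "refused_when_chasing": refused,
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for key, value in demo().items():
        print(key, value)
```

The check is deliberately placed in the converter rather than behind a new "follow referrals" option: the connection already carries the answer, so any caller that turns chasing on via the connection object gets an immediate, explicit failure instead of partially converted results.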