Red Hat Bugzilla – Bug 741264
[RFE] SSSD should chase referrals explicitly
Last modified: 2016-01-18 15:51:04 EST
Description of problem: Active Directory performs some referral chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory will sometimes attempt to return a referral on an LDAP bind attempt, which used to cause a hang and is now simply denied by the openldap libraries. Version-Release number of selected component (if applicable): sssd-1.5.1-52.el6 How reproducible: Intermittent Steps to Reproduce: 1. Exact steps unknown. Related to the layout of users and groups on the AD server. 2. 3. Actual results: Performance issues and occasional failures resulting in missing information (forces SSSD to go offline) Expected results: All referrals should be traced properly. Additional info: In the majority of deployments (those not using partial replication to replicate only local users and groups), referral-chasing is unnecessary. In such cases, the recommended workaround is to disable referral-chasing by setting 'ldap_referrals = false' in the [domain/DOMAINNAME] section of sssd.conf This issue is being tracked upstream by https://fedorahosted.org/sssd/ticket/860 by rewriting the referral code and processing it in the SSSD instead of relying on the openldap libraries to do it.
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux. Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you. Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.