Age | Commit message (Collapse) | Author | Files | Lines |
|
Related: https://fedorahosted.org/sssd/ticket/2070
Since we are recommending to configure the POSIX attributes so that they
are replicated to the Global Catalog, we can start connecting to the GC
by default even for local users. If the object is not matches in the GC,
there is a possibility to fall back to LDAP.
|
|
https://fedorahosted.org/sssd/ticket/2067
Some AD or AD-like servers do not contain the netlogon attribute in the
master domain name. Instead of failing completely, we should just abort
the master domain request and carry on. The only functionality we miss
would be getting users by domain flat name.
|
|
https://fedorahosted.org/sssd/ticket/2068
With the current design, downloading master domain data was tied to
subdomains refresh, triggered by responders. But because enumeration is
a background task that can't be triggered on its own, we can't rely on
responders to download the master domain data and we need to check the
master domain on each enumeration request.
|
|
https://fedorahosted.org/sssd/ticket/1962
If the ipa_server_mode is selected IPA subdomain user and group lookups
are not done with the help of the extdom plugin but directly against AD
using the AD ID code.
|
|
https://fedorahosted.org/sssd/ticket/1557
Some lookups should be performed from GC only -- for example trusted
users are only present in the Global Catalog, while some lookups should
be performed from LDAP only as not all objects or attributes are
replicated to Global Catalog.
This patch adds a generic failover mechanism for identity lookups in the
AD provider that allows to choose the appropriate source and even fail over
to the other source if available.
|
|
Instead of using the default connection from the sdap_id_ctx, allow the
caller to specify which connection shall be used for this particular
request. Again, no functional change is present in this patch, just
another parameter is added.
|
|
In preparation for making be_req opaque
|
|
|
|
This new identity provider takes advantage of existing code for
the LDAP provider, but provides sensible defaults for operating
against an Active Directory 2008 R2 or later server.
|