Handling LDAP Referrals #406
Hi @arjan-saly-tfs, Since ldap2pg 4.13, ldap2pg has the same behaviour as ldapsearch: referrals are disabled by default. https://ldap2pg.readthedocs.io/en/latest/changelog/?h=referrals#ldap2pg-413 I agree that a partitioned directory is a standard feature and ldap2pg should handle this. I need to spike this issue and design a way to handle this. ldap2pg's design is based on the hypothesis of a single directory with a single connection, which covers a large set of use cases. This needs to be reviewed.
@arjan-saly-tfs apart from the URI, can you reuse user, password and all connection parameters across directory servers?
When using binddn I can. When using SASL I cannot, then I need a different user/password for connection to the other "servers". By the way, after starting this ticket, I learnt that these different domain servers actually are different "forests".
Handling referrals requires multiple binds to each server. I could design a first implementation that only accepts multiple LDAP connections sharing the same binddn/password or SASL user/password. I need to check how ldapsearch follows referrals to match the same behaviour. For the record, the first issue about referrals was #228.
Referrals are mentioned in the python-ldap FAQ. https://www.python-ldap.org/en/python-ldap-3.4.0/faq.html?highlight=referrals#usage With REFERRALS=yes, libldap chases referrals using anonymous binding. This is not what you want. Which SASL method do you use? GSSAPI should best match this use case.
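The approach sketched in the two maintainer comments above, following a referral by re-binding to the referred-to server with the same bind DN and password instead of letting libldap chase it anonymously, as an added example that is not ldap2pg's own code. It assumes python-ldap's convention of surfacing a referral as a result dict shaped like the one in the reporter's error message (result code 10, referral URIs in the 'info' field); `ReferralError`, `FakeClient`, `fake_connect` and the EMEA/AMER server URIs are constructed stand-ins so the logic runs offline.

```python
"""Follow an LDAP referral explicitly, re-binding with the same credentials.

Added example, not ldap2pg's own code. Assumes python-ldap raises ldap.REFERRAL
carrying a result dict like {'result': 10, 'info': 'Referral:\nldap://host/DN', ...}
when OPT_REFERRALS is disabled, and that the same bind DN/password is accepted
by the referred-to server. The LDAP client is injected so this runs offline.
"""
from urllib.parse import unquote, urlparse

LDAP_REFERRAL = 10  # LDAP resultCode "referral" (RFC 4511)


class ReferralError(Exception):
    """Stand-in for ldap.REFERRAL; args[0] is the server's result dict."""


def parse_referral(result):
    """Return (server_uri, base_dn) pairs from a referral result dict.

    python-ldap places the referral URIs in result['info'], one per line,
    after a 'Referral:' header line; the URI path carries the new base DN.
    """
    if result.get("result") != LDAP_REFERRAL:
        return []
    targets = []
    for line in result.get("info", "").splitlines():
        url = urlparse(line.strip())
        if url.scheme not in ("ldap", "ldaps"):
            continue  # skips the 'Referral:' header and anything that is not a URI
        base_dn = unquote(url.path.lstrip("/"))
        targets.append((f"{url.scheme}://{url.netloc}", base_dn))
    return targets


def search_following_referrals(connect, uri, base, filterstr, attrs,
                               bind_dn, password, max_hops=3):
    """Search `base` on `uri`; on a referral, bind to the referred-to server
    with the SAME bind_dn/password (never anonymously) and search there.

    `connect(uri, bind_dn, password)` returns a client whose
    `search(base, filterstr, attrs)` returns a list of (dn, attrs) or raises
    ReferralError. The seen-set and hop limit stop referral loops between forests.
    """
    seen = set()
    hops = 0
    while True:
        if uri in seen or hops > max_hops:
            raise RuntimeError(f"referral loop or too many hops at {uri}")
        seen.add(uri)
        client = connect(uri, bind_dn, password)
        try:
            return client.search(base, filterstr, attrs)
        except ReferralError as exc:
            targets = parse_referral(exc.args[0])
            if not targets:
                raise  # not a usable referral: surface the original error
            uri, base = targets[0]  # the DN in the referral URI replaces the base
            hops += 1


# --- constructed fake directory, modelled on the two-forest setup in the issue ---
EMEA = "ldap://emea.OurCompany.com"
AMER = "ldap://amer.OurCompany.com"
AMER_BASE = "OU=AWS,OU=Global,DC=amer,DC=OurCompany,DC=com"
FAKE_REFERRAL = {  # shaped like the dict in the reporter's error message
    "info": "Referral:\n" + AMER + "/" + AMER_BASE,
    "msgid": 4, "msgtype": 101, "result": 10, "desc": "Referral", "ctrls": [],
}
FAKE_ENTRIES = [("CN=dba," + AMER_BASE,
                 {"member": ["CN=arjan,DC=amer,DC=OurCompany,DC=com"]})]


class FakeClient:
    def __init__(self, uri):
        self.uri = uri

    def search(self, base, filterstr, attrs):
        # The EMEA server does not hold the AMER partition: it only refers.
        if self.uri == EMEA and base.endswith("DC=amer,DC=OurCompany,DC=com"):
            raise ReferralError(FAKE_REFERRAL)
        if self.uri == AMER and base == AMER_BASE:
            return FAKE_ENTRIES
        return []


BOUND = []  # records every (uri, bind_dn) bind the follower performed


def fake_connect(uri, bind_dn, password):
    BOUND.append((uri, bind_dn))
    return FakeClient(uri)


def demo():
    """Query the AMER group through the EMEA server; return entries and binds made."""
    BOUND.clear()
    entries = search_following_referrals(
        fake_connect, EMEA, AMER_BASE, "(objectClass=group)", ["member"],
        "CN=ldap2pg,DC=emea,DC=OurCompany,DC=com", "secret")
    return entries, list(BOUND)


if __name__ == "__main__":
    found, binds = demo()
    print(found)
    print(binds)
```

With a real python-ldap client, `connect` would call `ldap.initialize(uri)`, set `ldap.OPT_REFERRALS` to 0 and `simple_bind_s(bind_dn, password)`, and `ReferralError` would be `ldap.REFERRAL`; the point of the injected client is that every hop is an authenticated bind the caller controls, which is what libldap's default anonymous chasing does not give you.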
I don't use a specific SASL method by choice (keep in mind I'm a database expert, not an LDAP expert) But does this line from the verbose output give the answer?
I try to make ldap2pg logs explicit enough for DBAs; if something is not clear, please tell.
Yes, that's the answer. Thanks.
Hi,
First of all thanks for this great tool and superb documentation. As a database specialist I have no knowledge of Active Directory/LDAP, YAML or Python, but thanks to your documentation I was able to setup a successful synchronization from AD to PostgreSQL.
However, now I run into an issue I can't find a solution for:
We have multiple synchronized active directories, at least one in EMEA and one in the US. Perhaps more, but I'm only aware of those two. We also have multiple sub domains for (at least) emea and US.
Hence, we have these two:
When I configure ldap2pg to login to the EMEA AD server and configure a PostgreSQL synchronization for a group in the AMER domain, I get this error in the verbose=debug output:
[ldap2pg.script CRITI] Failed to query LDAP: {'info': u'Referral:\nldap://amer.OurCompany.com/OU=AWS,OU=Global,DC=amer,DC=OurCompany,DC=com', 'msgid': 4, 'msgtype': 101, 'result': 10, 'desc': u'Referral', 'ctrls': []}.
So, I dug a bit deeper using ldapsearch:
When I use ldapsearch to login to the emea AD/LDAP server and search for a group in an amer domain, I get only this result:
# search result
search: 2
result: 10 Referral
Plus a link to the other AD server. But no group member details.
Doing it the other way around, I get the same results. Hence I can only get group members for groups of the domain that matches the AD server's domain. I searched around a bit on the net and this seems like a pretty normal situation in the AD world: not duplicating the whole tree, but referring to the other server for details.
I need to be able to sync from both of these domains, how can I configure ldap2pg to search in both?
Thanks!
Arjan