[Freeipa-devel] [PATCH 0081] Skip referrals when converting LDAP result to LDAPEntry

Tomas Babej tbabej at redhat.com
Thu Jul 25 13:39:59 UTC 2013


On Thursday 25 of July 2013 09:30:22 Jan Cholasta wrote:
> On 25.7.2013 09:11, Petr Spacek wrote:
> > On 25.7.2013 09:03, Alexander Bokovoy wrote:
> >> On Thu, 25 Jul 2013, Petr Spacek wrote:
> >>> On 24.7.2013 22:18, Tomas Babej wrote:
> >>>> Hi,
> >>>>
> >>>> When converting the result obtained by python-ldap library,
> >>>> we need to skip unresolved referral entries, since they cannot
> >>>> be converted.
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/3814
> >>>
> >>> I'm not sure if a simple 'skip it' approach is the right one.
> >>> Shouldn't it
> >>> print/log a warning at least? Do you know all implications? Are you sure
> >>> that this will not break something else silently?
> >>>
> >>> (BTW isn't the right approach to fix python-ldap? Or is it a quirk in
> >>> AD?)
> >> AD DC often answers with proper result and then several referrals to
> >> other internal resources to complement the search if you are asking for
> >> wide-open search (default). We are not interested in these referrals for
> >> various reasons, including the fact that we are looking at the
> >> authoritative DC and it has all the needed info.
> >>
> >> At best, we could define an option that forces us to do referral chasing
> >> to fetch remaining results but this is not something really needed right
> >> now.
> >
> > I understand that we don't need referrals now, but the question is
> > 'Could it break something? Silently? In the future?'.
> >
> > E.g. the option 'follow referrals' (defaulting to False) is IMHO much
> > much better.
> >
> > The point is that we don't need to implement referral chasing right now,
> > just throw an exception if somebody tries to switch 'follow referrals'
> > option to True. IMHO this will prevent surprises in the future, because
> > it is absolutely clear that referrals are not followed.
> >
> 
> IMO a comment is good enough. I don't think adding options that aren't 
> used anywhere is a good thing to do.
> 
> Honza
> 
> -- 
> Jan Cholasta

I considered adding an option for that, but decided against it in the end
since it would have to bubble down through many layers, while, as Honza says,
not being used anywhere.

To make sure that this change does not cause problems, I think we agree to
scream at DEBUG level to the log if the referral entry is ignored, and
at WARNING level if the referral resolution is turned on in the underlying library
on the connection level.

Tomas
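
The behaviour discussed in this thread, as an added example that is not part of the original message or of FreeIPA's code: unresolved referrals in a python-ldap style search result arrive as tuples with a DN of `None`, are skipped with a DEBUG log line, and a WARNING is logged when referral resolution is enabled. The names `split_referrals`, `referrals_enabled`, the logger name and the sample data are assumptions made for illustration.

```python
import logging

log = logging.getLogger("ldap2_example")  # hypothetical logger name


def split_referrals(raw_results, referrals_enabled=False):
    """Separate real entries from unresolved referrals.

    raw_results has the shape python-ldap returns from a search:
    a list of (dn, attrs) tuples, where an unresolved referral
    (search result reference) arrives as (None, [url, ...]).
    """
    if referrals_enabled:
        # Assumption: the caller read this flag from the connection, e.g.
        # conn.get_option(ldap.OPT_REFERRALS) in python-ldap.
        log.warning("Referral resolution is enabled on the connection; "
                    "unresolved referrals are still skipped")

    entries, skipped = [], []
    for dn, payload in raw_results:
        if dn is None:
            # Referral: payload is a list of LDAP URLs, not an attribute dict.
            urls = [u.decode("utf-8") if isinstance(u, bytes) else u
                    for u in payload]
            log.debug("Ignoring referral entry: %s", ", ".join(urls))
            skipped.extend(urls)
            continue
        if not isinstance(payload, dict):
            # Fail loudly on anything else that cannot become an entry.
            raise TypeError("entry %r has non-dict attributes" % (dn,))
        entries.append((dn, payload))
    return entries, skipped


# Constructed sample mimicking an AD DC answer to a wide subtree search.
SAMPLE = [
    ("CN=Administrator,CN=Users,DC=ad,DC=example",
     {"sAMAccountName": [b"Administrator"]}),
    (None, ["ldap://ForestDnsZones.ad.example/DC=ForestDnsZones,DC=ad,DC=example"]),
    (None, [b"ldap://DomainDnsZones.ad.example/DC=DomainDnsZones,DC=ad,DC=example"]),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    entries, skipped = split_referrals(SAMPLE)
    print(len(entries), "entries;", len(skipped), "referrals skipped")
```

Returning the skipped URLs alongside the entries lets a caller audit what was dropped instead of relying on the DEBUG log alone.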



