sdap: add naming_context as new member of struct sdap_domain

The naming_context could be a more reliable source than basedn for the actual base DN because basedn is set very early from the domain name given in sssd.conf. Although it is recommended to use the fully qualified DNS domain name here it is not required. As a result basedn might not reflect the actual based DN of the LDAP server. Also pure LDAP server (i.e. not AD or FreeIPA) might use different schemes to set the base DN which will not be based on the DNS domain of the LDAP server. Resolves: #5708
SSSD · Jan 25, 2024 · 2352d02 · 2352d02
1 parent b028977
commit 2352d02
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
         goto done;
     }
 
-    ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
-                                   "AD_HOSTS", NULL, &search_bases);
+    ret = common_parse_search_base(state,
+                            sdom->naming_context == NULL ? sdom->basedn
+                                                         : sdom->naming_context,
+                            state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               "Failed to create dedicated search base for host lookups, "

diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
@@ -1254,7 +1254,8 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
     int ret;
     char *naming_context = NULL;
 
-    if (!sdom->search_bases
+    if (!sdom->naming_context
+            || !sdom->search_bases
             || !sdom->user_search_bases
             || !sdom->group_search_bases
             || !sdom->netgroup_search_bases
@@ -1276,6 +1277,15 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
         }
     }
 
+    if (!sdom->naming_context) {
+        sdom->naming_context = talloc_strdup(sdom, naming_context);
+        if (sdom->naming_context == NULL) {
+            DEBUG(SSSDBG_IMPORTANT_INFO,
+                  "Failed to copy naming context (base DN) [%s], "
+                  "will continue with unset value.\n", naming_context);
+        }
+    }
+
     /* Default */
     if (!sdom->search_bases) {
         ret = sdap_set_search_base(opts, sdom,

diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
@@ -455,6 +455,17 @@ struct sdap_domain {
 
     char *basedn;
 
+    /* The naming_context could be a more reliable source than basedn for the
+     * actual base DN because basedn is set very early from the domain name
+     * given in sssd.conf. Although it is recommended to use the fully
+     * qualified DNS domain name here it is not required. As a result basedn
+     * might not reflect the actual based DN of the LDAP server. Also pure
+     * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
+     * the base DN which will not be based on the DNS domain of the LDAP
+     * server. naming_context might be NULL even after connection to an LDAP
+     * server. */
+    char *naming_context;
+
     struct sdap_search_base **search_bases;
     struct sdap_search_base **user_search_bases;
     struct sdap_search_base **group_search_bases;