On Friday 26 of July 2013 12:16:42 Jan Cholasta wrote:
> On 26.7.2013 11:29, Tomas Babej wrote:
> > After some investigation I decided the correct approach here is to
> > scream at the debug level only, when referral is being ignored.
> >
> > We cannot guide ourselves by the ldap.OPT_REFERRALS option of the
> > underlying connection simply because even if referral chasing is turned
> > on (and therefore we should not get any referrals from python-ldap, since
> > they should have been resolved), queries for AD can return referrals (AD
> > returns them often as a way to provide additional information AFAIU).
> > This can also happen if we are not able to authenticate to the referred
> > server, or resolve the LDAP URI.
> >
> > In case ignoring referrals ever breaks something, we can find the
> > information in the log at the debug level. Doing otherwise would be
> > unnecessarily spamming the log now.
> >
> > Updated patch attached.
>
> Nitpick: I would prefer a shorter message without unnecessary
> implementation details - something like "Ignoring referral entry {ref}".
> Also use str(original_attrs) as ref.
>
> Honza
>
> --
> Jan Cholasta
Agreed, fixed.
Tomas
From a63fe68030ecb343aeb075967485557cc0075a4b Mon Sep 17 00:00:00 2001
From: Tomas Babej <[email protected]>
Date: Wed, 24 Jul 2013 21:59:49 +0200
Subject: [PATCH] Skip referrals when converting LDAP result to LDAPEntry
When converting the result obtained by python-ldap library,
we need to skip unresolved referral entries, since they cannot
be converted.
https://fedorahosted.org/freeipa/ticket/3814
---
ipapython/ipaldap.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 6873511c44427edc4a7e573bb04da00732a63028..6e661d6c86d5166fae494fa599ac929988035edc 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -425,6 +425,15 @@ class IPASimpleLDAPObject(object):
original_dn = dn_tuple[0]
original_attrs = dn_tuple[1]
+ # original_dn is None if referral instead of an entry was
+ # returned from the LDAP server, we need to skip this item
+ if original_dn is None:
+ log_msg = 'Referral entry ignored: {ref}'\
+ .format(ref=str(original_attrs))
+ self.log.debug(log_msg)
+
+ continue
+
ipa_entry = LDAPEntry(self, DN(original_dn))
for attr, original_values in original_attrs.items():
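Review bot: In the added `if original_dn is None:` branch the message is built with `.format(ref=str(original_attrs))` before `self.log.debug()` is called, so the string is constructed for every referral even when debug logging is off, and the `str()` is redundant because `format` already stringifies its argument. If `self.log` follows the standard logging interface, `self.log.debug('Referral entry ignored: %s', original_attrs)` does the same in one line and defers the formatting. The blank line before `continue` can go as well. The diffstat shows only ipapython/ipaldap.py changed, so a test that feeds in a result list containing a `(None, ...)` element would be worth adding to pin the skip behaviour.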
--
1.8.3.1