Re: [SSSD-users] reading rootDSE (was: ldap_sasl_mech EXTERNAL and SSL client authc)

Stephen Gallagher wrote: > On Mon, 2015-03-16 at 10:33 +0100, Michael Ströder wrote: >> BTW: I consider it to be a bug that sssd tries to read the rootDSE >> before binding. > > Why do you consider this a bug? The RootDSE contains information to > allow SSSD to learn what mechanisms it's allowed to use when binding. > That's one of its primary purposes. > > That said, if we can't reach it, we just guess, connect and then > reread the rootDSE after binding. Ouch! A client MUST NOT assume that anything security relevant is really true when reading the rootDSE. The client has to obey its configuration. Period.