Skip to content

adding sssd ldap_provider() to optionally ad or ipa to use ldap #228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
alexey-tikhonov merged 1 commit into from
Feb 6, 2026
Merged

adding sssd ldap_provider() to optionally ad or ipa to use ldap #228

alexey-tikhonov merged 1 commit into from
Feb 6, 2026

Conversation

@danlavu
Copy link
Contributor

@danlavu danlavu commented Jan 23, 2026

No description provided.

@gemini-code-assist
Copy link

gemini-code-assist bot commented Jan 23, 2026

Summary of Changes

Hello @danlavu, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the SSSD test framework by adding a dedicated method to configure SSSD for LDAP provider usage, expanding its testing capabilities beyond existing IPA and Active Directory setups. Concurrently, it refines the codebase with several minor but impactful style improvements, such as modernizing Python's tuple unpacking and streamlining multiline string definitions, contributing to overall code clarity and maintainability.

Highlights

  • New SSSD LDAP Provider Configuration: A new ldap_provider method has been introduced in the SSSD utility, allowing for flexible configuration of SSSD to use an LDAP backend for identity and authentication management, including support for sub-ID ranges.
  • Python Syntax Modernization: Tuple unpacking syntax has been updated across multiple files, changing (a, b) = c to a, b = c for improved readability and adherence to modern Python style.
  • Multiline String Formatting Refinement: Multiline string command executions and configurations have been refactored to remove redundant parentheses, making the code cleaner and more concise.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 23, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new ldap_provider method for SSSD configuration and includes numerous stylistic cleanups across the codebase, such as removing unnecessary parentheses and standardizing multiline string formats. My review focuses on the new functionality and a related area with an existing issue. I've identified an opportunity to improve the efficiency of the new ldap_provider method by reducing redundant operations. Additionally, I've found a potential bug in the policy method in ad.py where configuration could be unintentionally overwritten. The suggested changes aim to fix this bug and enhance the code's robustness and performance.

@danlavu danlavu changed the title Ipa ldap config ldap config for ipa/ad providers and tox fixes. Jan 23, 2026
@danlavu danlavu changed the title ldap config for ipa/ad providers and tox fixes. adding sssd ldap_provider() to optionally ad or ipa to use ldap Jan 23, 2026
@danlavu
Copy link
Contributor Author

danlavu commented Jan 23, 2026

Tox is throwing some syntax errors, too many files are touched so I split up the PRs into two.

The tox fixes are in #229. After this is merged, tox will be green.

@danlavu danlavu force-pushed the ipa-ldap-config branch 2 times, most recently from 149b7b7 to 20c6cdf Compare January 26, 2026 23:07
@danlavu
Copy link
Contributor Author

danlavu commented Jan 26, 2026

Checking the configuration file fails the test with the following: I'm not quite sure why yet.

E           [rule/allowed_domain_options]: Attribute 'ldap_subuid_object_class' is not allowed in section 'domain/test'. Check for typos.
E           [rule/allowed_domain_options]: Attribute 'ldap_subuid_count' is not allowed in section 'domain/test'. Check for typos.
E           [rule/allowed_domain_options]: Attribute 'ldap_subgid_count' is not allowed in section 'domain/test'. Check for typos.
E           [rule/allowed_domain_options]: Attribute 'ldap_subuid_number' is not allowed in section 'domain/test'. Check for typos.
E           [rule/allowed_domain_options]: Attribute 'ldap_subgid_number' is not allowed in section 'domain/test'. Check for typos.
E           [rule/allowed_domain_options]: Attribute 'ldap_subid_range_owner' is not allowed in section 'domain/test'. Check for typos.
E

@alexey-tikhonov
Copy link
Member

alexey-tikhonov commented Jan 27, 2026

Checking the configuration file fails the test with the following: I'm not quite sure why yet.

It's a bug: SSSD/sssd#8403

alexey-tikhonov
alexey-tikhonov reviewed Jan 27, 2026
View reviewed changes
alexey-tikhonov
alexey-tikhonov reviewed Jan 27, 2026
View reviewed changes
jakub-vavra-cz
jakub-vavra-cz reviewed Jan 27, 2026
View reviewed changes
@jakub-vavra-cz
Copy link
Contributor

jakub-vavra-cz commented Jan 29, 2026

Please add a way to enter any additional configuration so other config can be done like:
ldap_schema, ldap_referrals, ldap_id_mapping, ldap_purge_cache_timeout, ldap_user_extra_attrs, ....

I would probably try make sure that the parameters can be set to "" and skipped to be able to connect to ldap also without ssl/tls.

@danlavu
Copy link
Contributor Author

danlavu commented Jan 29, 2026

@jakub-vavra-cz

I don't think we should. Let's keep this simple and specific. If we need more configuration, we should just use the ldap provider. We do not have that many test cases that use this configuration against AD and IPA, and if we do, it's for basic functionality testing.

I wrote this because it was much faster than adding subids to the LDAP and generic role, but the client needs to be configured with id_provider = ldap.

@jakub-vavra-cz jakub-vavra-cz mentioned this pull request Jan 30, 2026
Merged
@jakub-vavra-cz
Copy link
Contributor

jakub-vavra-cz commented Jan 30, 2026
edited
Loading

@jakub-vavra-cz

I don't think we should. Let's keep this simple and specific. If we need more configuration, we should just use the ldap provider. We do not have that many test cases that use this configuration against AD and IPA, and if we do, it's for basic functionality testing.

I wrote this because it was much faster than adding subids to the LDAP and generic role, but the client needs to be configured with id_provider = ldap.

My suggestion was based on current multihost tests. We do have tests that are using 'id_provider': 'ldap' with other config options like ldap_sasl_mech, ldap_schema so either make it generic enough to be usable for porting of these tests or put the code in a specific test that needs this.

@danlavu
Copy link
Contributor Author

danlavu commented Feb 6, 2026

Please add a way to enter any additional configuration so other config can be done like: ldap_schema, ldap_referrals, ldap_id_mapping, ldap_purge_cache_timeout, ldap_user_extra_attrs, ....

Pass in dict[str, str] good enough?

jakub-vavra-cz
jakub-vavra-cz approved these changes Feb 6, 2026
View reviewed changes
Copy link
Contributor

@jakub-vavra-cz jakub-vavra-cz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great. Thanks.

@alexey-tikhonov alexey-tikhonov merged commit f78b152 into SSSD:master Feb 6, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexey-tikhonov alexey-tikhonov alexey-tikhonov approved these changes

@jakub-vavra-cz jakub-vavra-cz jakub-vavra-cz approved these changes

@pbrezina pbrezina Awaiting requested review from pbrezina

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@jakub-vavra-cz jakub-vavra-cz

Labels

Waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@danlavu @alexey-tikhonov @jakub-vavra-cz @pbrezina