Support Active Directory Forest searches#91
Conversation
| :ignore_server_caps => true, | ||
| :base => "", | ||
| :scope => Net::LDAP::SearchScope_BaseObject) | ||
| (rs and rs.first) || Net::LDAP::Entry.new |
There was a problem hiding this comment.
Return an empty Entry if rs doesn't contain any.
3dfdea2 to
efcf915
Compare
| @forest_search = GitHub::Ldap::ForestSearch.new(@connection, "naming") | ||
| end | ||
|
|
||
| def test_search |
| domains.each_with_object({}) do |server, result| | ||
| if server[:ncname].any? && server[:dnsroot].any? | ||
| result[server[:ncname].first] = Net::LDAP.new({ | ||
| host: server[:dnsroot].first, |
There was a problem hiding this comment.
Note that since all of the forest domain controllers' connections are being initialized with server[:dnsroot] (which will be something like "ad.ghe.com") this assumes the GHE instance can resolve the DNS for each domain controller in the forest. DNS will likely be owned by internal ActiveDirectory DNS in this case.
ForestSearch won't work if the GHE is set up with a static IP for the AD instance, and doesn't have the shared DNS nameserver in its resolve.conf.
|
@gnawhleinad @jch @mtodd My apologies if this has been addressed elsewhere, but wouldn't referrals would be the preferred way of handling this, rather than iterating through domain controllers? https://technet.microsoft.com/en-us/library/cc978014.aspx And if so, is there a reason we're not working to implement this PR instead?: /cc https://github.com/github/customer-feedback/issues/519 |
| # | ||
| def search(options, &block) | ||
| instrument "forest_search.github_ldap" do | ||
| if forest.empty? |
There was a problem hiding this comment.
This conditional & block should probably be removed. I don't think forest.empty? can ever be true, since every Active Directory has a forest as the top-level container by definition, even if it only has one Domain Controller. This has been the case in local testing with our AD vagrant instance with a single domain. If the forest is empty, something else has gone wrong.
|
This in on hold, and will likely be replaced by #94. |
Creating a new PR to continue the work started by @timmjd on #89. We can move forward on this with an internal branch instead of an external fork.
TODO:
/cc @gnawhleinad @mtodd @jch
/cc @jatoben @lildude for thoughts as well since you were involved in the original discussion