SSSD · justin-stephenson · Oct 21, 2025 · Dec 17, 2025 · Dec 18, 2025 · Jan 14, 2026
diff --git a/.github/workflows/analyze-target.yml b/.github/workflows/analyze-target.yml
@@ -1,7 +1,7 @@
 name: "Analyze (target)"
 on:
   pull_request_target:
-    branches: [master]
+    branches: [master, failover]
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,9 +1,9 @@
 name: "ci"
 on:
   push:
-    branches: [master]
+    branches: [master, failover]
   pull_request:
-    branches: [master]
+    branches: [master, failover]
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -311,6 +311,8 @@ jobs:
           --polarion-config=../polarion.yaml \
           --output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \
           ${{ steps.select-tests.outputs.SELECT_TESTS }} \
+          -k "not test_logging__offline_errors_are_written_to_logs_and_syslog and not test_failover and not test_logging__dns_resolution_issue_in_logs and not test_ad__user_authentication_when_provider_is_set_to_ldap_with_gss_spnego and not test_multithreaded_pac_client and not test_autofs__propagate_offline_status and not test_failover__ and not test_ipa__subids_configured" \
+          --mh-topology=ipa \
           --collect-only . |& tee $GITHUB_WORKSPACE/pytest-collect.log
 
     - name: Run tests
@@ -331,6 +333,8 @@ jobs:
           --output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \
           --output-polarion-testrun=$GITHUB_WORKSPACE/artifacts/testrun.xml \
           ${{ steps.select-tests.outputs.SELECT_TESTS }} \
+          -k "not test_logging__offline_errors_are_written_to_logs_and_syslog and not test_failover and not test_logging__dns_resolution_issue_in_logs and not test_ad__user_authentication_when_provider_is_set_to_ldap_with_gss_spnego and not test_multithreaded_pac_client and not test_autofs__propagate_offline_status and not test_failover__ and not test_ipa__subids_configured" \
+          --mh-topology=ipa \
           -vvv . |& tee $GITHUB_WORKSPACE/pytest.log
 
     - name: Upload artifacts

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -10,6 +10,7 @@ on:
   pull_request_target:
     branches:
       - master
+      - failover
     types:
       - labeled
   workflow_dispatch:

diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml
@@ -1,9 +1,9 @@
 name: "Static code analysis"
 on:
   push:
-    branches: [master]
+    branches: [master, failover]
   pull_request:
-    branches: [master]
+    branches: [master, failover]
   schedule:
     # Everyday at midnight
     - cron: '0 0 * * *'
@@ -28,6 +28,8 @@ jobs:
       with:
         languages: cpp, python
         queries: +security-and-quality
+        paths-ignore: |
+          src/providers/minimal/**
 
     - name: Configure sssd
       uses: ./.github/actions/configure

diff --git a/Makefile.am b/Makefile.am
@@ -301,6 +301,7 @@ if HAVE_CMOCKA
         test_sbus_message \
         test_sbus_opath \
         test_fo_srv \
+        test_failover_server \
         pam-srv-tests \
         ssh-srv-tests \
         test_ipa_subdom_util \
@@ -658,6 +659,24 @@ SSSD_FAILOVER_OBJ = \
     src/providers/fail_over_srv.c \
     $(SSSD_RESOLV_OBJ)
 
+# Make sure to build new failover code to test compilation even though it is
+# not used anywhere yet.
+SSSD_NEW_FAILOVER_OBJ = \
+    src/providers/failover/failover.c \
+    src/providers/failover/failover_callback.c \
+    src/providers/failover/failover_refresh_candidates.c \
+    src/providers/failover/failover_group.c \
+    src/providers/failover/failover_server_resolve.c \
+    src/providers/failover/failover_server.c \
+    src/providers/failover/failover_srv.c \
+    src/providers/failover/failover_transaction.c \
+    src/providers/failover/failover_vtable_op.c \
+    src/providers/failover/failover_vtable.c \
+    src/providers/failover/ldap/failover_ldap_connect.c \
+    src/providers/failover/ldap/failover_ldap_kinit.c \
+    $(SSSD_RESOLV_OBJ) \
+    $(NULL)
+
 SSSD_LIBS = \
     $(TALLOC_LIBS) \
     $(TEVENT_LIBS) \
@@ -850,6 +869,16 @@ dist_noinst_HEADERS = \
     src/providers/be_refresh.h \
     src/providers/fail_over.h \
     src/providers/fail_over_srv.h \
+    src/providers/failover/failover.h \
+    src/providers/failover/failover_group.h \
+    src/providers/failover/failover_refresh_candidates.h \
+    src/providers/failover/failover_server.h \
+    src/providers/failover/failover_server_resolve.h \
+    src/providers/failover/failover_srv.h \
+    src/providers/failover/failover_transaction.h \
+    src/providers/failover/failover_vtable.h \
+    src/providers/failover/failover_vtable_op.h \
+    src/providers/failover/ldap/failover_ldap.h \
     src/util/child_common.h \
     src/util/child_bootstrap.h \
     src/providers/simple/simple_access.h \
@@ -869,7 +898,6 @@ dist_noinst_HEADERS = \
     src/providers/ldap/sdap_sudo.h \
     src/providers/ldap/sdap_sudo_shared.h \
     src/providers/ldap/sdap_autofs.h \
-    src/providers/ldap/sdap_id_op.h \
     src/providers/ldap/ldap_opts.h \
     src/providers/ldap/ldap_auth.h \
     src/providers/ldap/sdap_range.h \
@@ -3510,6 +3538,24 @@ test_fo_srv_LDADD = \
     libsss_test_common.la \
     $(NULL)
 
+test_failover_server_SOURCES = \
+    src/tests/cmocka/test_failover_server.c \
+    src/providers/failover/failover_server.c \
+    $(SSSD_RESOLV_TESTS_OBJ) \
+    $(NULL)
+test_failover_server_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(CMOCKA_CFLAGS) \
+    $(NULL)
+test_failover_server_LDADD = \
+    $(CARES_LIBS) \
+    $(CMOCKA_LIBS) \
+    $(POPT_LIBS) \
+    $(SSSD_INTERNAL_LTLIBS) \
+    $(TALLOC_LIBS) \
+    libsss_test_common.la \
+    $(NULL)
+
 test_sdap_initgr_SOURCES = \
     src/tests/cmocka/common_mock_sdap.c \
     src/tests/cmocka/common_mock_sysdb_objects.c \
@@ -4352,12 +4398,10 @@ libsss_ldap_common_la_SOURCES = \
     src/providers/ldap/sdap_async_services.c \
     src/providers/ldap/sdap_async_iphost.c \
     src/providers/ldap/sdap_async_ipnetwork.c \
-    src/providers/ldap/sdap_online_check.c \
     src/providers/ldap/sdap_ad_groups.c \
     src/providers/ldap/sdap_child_helpers.c \
     src/providers/ldap/sdap_fd_events.c \
     src/providers/ldap/sdap_hostid.h \
-    src/providers/ldap/sdap_id_op.c \
     src/providers/ldap/sdap_certmap.c \
     src/providers/ldap/sdap_idmap.c \
     src/providers/ldap/sdap_idmap.h \
@@ -4374,6 +4418,7 @@ libsss_ldap_common_la_SOURCES = \
     src/util/sss_sockets.c \
     src/util/sss_ldap.c \
     src/util/cert_derb64_to_ldap_filter.c \
+    $(SSSD_NEW_FAILOVER_OBJ) \
     $(NULL)
 libsss_ldap_common_la_CFLAGS = \
     $(AM_CFLAGS) \
@@ -4453,7 +4498,8 @@ libsss_krb5_common_la_LDFLAGS = \
 
 libsss_ldap_la_SOURCES = \
     src/providers/ldap/ldap_init.c \
-    src/providers/ldap/ldap_access.c
+    src/providers/ldap/ldap_access.c \
+    $(SSSD_NEW_FAILOVER_OBJ)
 libsss_ldap_la_CFLAGS = \
     $(AM_CFLAGS) \
     $(OPENLDAP_CFLAGS)
@@ -4582,6 +4628,7 @@ libsss_ipa_la_SOURCES = \
     src/providers/ad/ad_srv.c \
     src/providers/ad/ad_domain_info.c \
     src/providers/ad/ad_cldap_ping.c \
+    $(SSSD_NEW_FAILOVER_OBJ) \
     $(NULL)
 libsss_ipa_la_CFLAGS = \
     $(AM_CFLAGS) \
@@ -4647,6 +4694,7 @@ libsss_ad_la_SOURCES = \
     src/providers/ad/ad_refresh.c \
     src/providers/ad/ad_resolver.c \
     src/providers/ad/ad_cldap_ping.c \
+    $(SSSD_NEW_FAILOVER_OBJ) \
     $(NULL)
 
 

diff --git a/minimal-provider-notes.txt b/minimal-provider-notes.txt
@@ -0,0 +1,88 @@
+# Minimal SSSD provider
+
+This is used as a proof of concept for the new failover implementation. It can
+also be used to see what changes are required in order to switch to the new
+code, however it really does only minimum amount of changes to get it working.
+It would be very good to provide more thorough refactoring in the real
+providers.
+
+The minimal provider supports:
+- services lookup (getent services)
+- user authentication
+
+## Populate LDAP
+
+```
+$ vim objects.ldif
+dn: ou=users,dc=ldap,dc=test
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+
+# Password is Secret123
+dn: cn=user-1,ou=users,dc=ldap,dc=test
+uid: user-1
+uidNumber: 10000
+homeDirectory: /home/user-1
+gidNumber: 100000
+cn: user-1
+objectClass: posixAccount
+objectClass: top
+userPassword:: e1BCS0RGMi1TSEE1MTJ9MTAwMDAwJEVZU2lqOFgxTTVFZUIrMXlHQzdvZkhwZzd
+ XZXpYRGJwJG0vTVUyMUIrTGNNb2tkRVcvUFJ6YWlhc21zdlNDeVJWdGxPU3c3c05YbHk2NUxBcUcz
+ ODJqQUJWUEp2N1ZnOUtRdXhEamVlbmxEV3V5Ylg5UFdKMW5nPT0=
+
+dn: ou=services,dc=ldap,dc=test
+objectClass: top
+objectClass: organizationalUnit
+ou: services
+
+dn: cn=service0,ou=services,dc=ldap,dc=test
+objectClass: ipService
+cn: service0
+ipServiceProtocol: tcp
+ipServicePort: 12345
+
+$ ldapadd -D "cn=Directory Manager" -w Secret123 -H ldap://master.ldap.test -f objects.ldif -vv
+```
+
+## Verify LDAP contents
+
+```
+$ ldapsearch -D "cn=Directory Manager" -w Secret123 -H ldap://master.ldap.test -b dc=ldap,dc=test
+```
+
+## Configure SSSD for services lookup
+
+```
+[sssd]
+domains = minimal
+
+[domain/minimal]
+debug_level = 9
+id_provider = minimal
+
+$ getent services -s sss service0
+service0              12345/tcp
+```
+
+## Configure SSSD for user authentication
+
+Note: user lookup is done by id provider
+
+```
+[sssd]
+services = nss, pam
+domains = minimal
+
+[domain/minimal]
+debug_level = 9
+id_provider = ldap
+auth_provider = minimal
+ldap_uri = _srv_
+dns_discovery_domain = ldap.test
+ldap_tls_reqcert = never
+
+$ su user-1
+Password: Secret123
+```