Issue #6138: UPN-based search for AD users does not match an entry in slapi-nis map cache - freeipa

freeipa

#6138 UPN-based search for AD users does not match an entry in slapi-nis map cache

Closed: Fixed None Opened 7 years ago by abbra.

When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns.

As result, the entry created by slapi-nis will be using canonical user name but the filter for search will refer to the original (aliased) name. The search will not match the newly created entry.

The issue can be fixed by returning two values for 'uid' attribute: the canonical one and the aliased one. This way the search will match. This is what ticket https://fedorahosted.org/slapi-nis/ticket/12 will do on slapi-nis side.

On FreeIPA side an update is needed to cn=users,cn=compat,$suffix definition to allow multiple 'uid' values because RDN generation function expects a single value of 'uid' attribute.

A change is to add explicit 'uid' attribute generation and change rdn processing to use %first() function:

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
cn: users
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=ipa,dc=ad,dc=test
schema-compat-container-rdn: cn=users
schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:ipa.ad.test:%{ipauniqueid}","")
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: loginShell=%{loginShell}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
schema-compat-entry-attribute: uid=%{uid}
schema-compat-entry-rdn: uid=%first("%{uid}")
schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: $SUFFIX
schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
schema-compat-search-filter: objectclass=posixAccount
schema-compat-lookup-nsswitch: user

abbra commented 7 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1361119

pspacek commented 7 years ago

Assigning to ab as discussed on meeting today.

mbasti commented 7 years ago

master:

fab1f79 support multiple uid values in schema compatibility tree

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.4.1

7 years ago

Metadata

Assignee

abbra

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.4.1

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Compatibility plugin

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1361119

tester

None

changelog

None

design

None

freeipa

Source Code

#6138 UPN-based search for AD users does not match an entry in slapi-nis map cache Closed: Fixed None Opened 7 years ago by abbra.

Metadata

#6138 UPN-based search for AD users does not match an entry in slapi-nis map cache

Closed: Fixed None Opened 7 years ago by abbra.