When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns.
As result, the entry created by slapi-nis will be using canonical user name but the filter for search will refer to the original (aliased) name. The search will not match the newly created entry.
The issue can be fixed by returning two values for 'uid' attribute: the canonical one and the aliased one. This way the search will match. This is what ticket https://fedorahosted.org/slapi-nis/ticket/12 will do on slapi-nis side.
On FreeIPA side an update is needed to cn=users,cn=compat,$suffix definition to allow multiple 'uid' values because RDN generation function expects a single value of 'uid' attribute.
A change is to add explicit 'uid' attribute generation and change rdn processing to use %first() function:
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config cn: users objectClass: top objectClass: extensibleObject schema-compat-container-group: cn=compat, dc=ipa,dc=ad,dc=test schema-compat-container-rdn: cn=users schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") schema-compat-entry-attribute: cn=%{cn} schema-compat-entry-attribute: objectclass=posixAccount schema-compat-entry-attribute: gidNumber=%{gidNumber} schema-compat-entry-attribute: gecos=%{cn} schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:ipa.ad.test:%{ipauniqueid}","") schema-compat-entry-attribute: uidNumber=%{uidNumber} schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") schema-compat-entry-attribute: loginShell=%{loginShell} schema-compat-entry-attribute: homeDirectory=%{homeDirectory} schema-compat-entry-attribute: uid=%{uid} schema-compat-entry-rdn: uid=%first("%{uid}") schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config schema-compat-restrict-subtree: $SUFFIX schema-compat-search-base: cn=users, cn=accounts, $SUFFIX schema-compat-search-filter: objectclass=posixAccount schema-compat-lookup-nsswitch: user
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1361119
Assigning to ab as discussed on meeting today.
master:
Metadata Update from @abbra: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.4.1
Login to comment on this ticket.