If a staging user is created with the same UID as an existing user, the existing user will essentially be locked out as long as the staging user exists.
As stated in #5186 there is no check for uniqueness by design which makes this very problematic.
To verify (checked on demo instance with IPA 4.4.2 and on 4.2.0):
This could be worked around in the KDB driver. We could add a filter like this
(&(!(cn:dn:=provisioning))(... original filter ...))
to prevent KDB from finding staged entries.
The problem with this approach is that all callers doing LDAP searches need to use this filter. I doubt that there is a better way because KDB is bound as Directory Manager, so no ACI magic could help.
Having created two active users tb1 and tb2, and two stage users tb1 and tb2:
Authentication retrieves the two (stage/active) users
[07/Nov/2016:17:31:49.252404147 +0100] conn=105 op=3 SRCH base="<suffix>" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=tb1@<domain>)(krbPrincipalName=tb2@<domain>)))" attrs="distinguishedName"
[07/Nov/2016:17:31:49.256221869 +0100] conn=105 op=3 RESULT err=0 tag=101 nentries=2 etime=0
Another possibility is to add the nsaccountlock test:
ldapsearch -LLL -Y GSSAPI -b "<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(!(nsaccountlock=True))(krbPrincipalName=tb1@<realm>))" dn
dn: uid=tb1,cn=users,cn=accounts,<suffix>

ldapsearch -LLL -Y GSSAPI -b "<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(!(nsaccountlock=True))(krbPrincipalName=tb2@<domain>))" dn
dn: uid=tb2,cn=users,cn=accounts,<suffix>

ldapsearch -LLL -Y GSSAPI -b "dc=<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(!(nsaccountlock=True))(|(ipaKrbPrincipalAlias=tb1@<domain>)(krbPrincipalName=tb1@<domain>)))" dn
dn: uid=tb1,cn=users,cn=accounts,<suffix>

ldapsearch -LLL -Y GSSAPI -b "dc=<suffix>" "(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(!(nsaccountlock=True))(|(ipaKrbPrincipalAlias=tb2@<domain>)(krbPrincipalName=tb2@<domain>)))" dn
dn: uid=tb2,cn=users,cn=accounts,<suffix>
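As an added illustration (not code from this ticket or from FreeIPA), the Python below emulates a KDB-style principal lookup over constructed entries: without extra tests the staged and active tb1 both match, and each of the two proposed additions, the `(!(cn:dn:=provisioning))` extensible match and `(!(nsaccountlock=True))`, narrows the result to the active entry. It assumes a placeholder suffix and that staged entries carry nsaccountlock=TRUE, which the ldapsearch output above implies.

```python
# Added example, not code from the FreeIPA ticket or project. Emulates the
# principal search the KDB performs and the two filter additions discussed
# in the ticket, over constructed entries rather than a live 389-ds.

SUFFIX = "dc=example,dc=test"  # placeholder suffix, not taken from the ticket

# Constructed entries: active tb1, a staged tb1 with the same uid, active tb2.
# The staged copy has nsaccountlock=TRUE (assumption, consistent with the
# ldapsearch results in the ticket).
ENTRIES = [
    {"dn": f"uid=tb1,cn=users,cn=accounts,{SUFFIX}",
     "krbPrincipalName": "tb1@EXAMPLE.TEST", "nsaccountlock": "FALSE"},
    {"dn": f"uid=tb1,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}",
     "krbPrincipalName": "tb1@EXAMPLE.TEST", "nsaccountlock": "TRUE"},
    {"dn": f"uid=tb2,cn=users,cn=accounts,{SUFFIX}",
     "krbPrincipalName": "tb2@EXAMPLE.TEST", "nsaccountlock": "FALSE"},
]


def rdns(dn):
    """Split a DN into lower-cased (attr, value) pairs. Sufficient for DNs
    without escaped commas, which is all this emulation needs."""
    return [tuple(p.strip().lower().split("=", 1)) for p in dn.split(",")]


def under_provisioning(entry):
    """Emulates (cn:dn:=provisioning): true when any RDN of the entry's DN
    is cn=provisioning, i.e. the entry lives in the staging subtree."""
    return ("cn", "provisioning") in rdns(entry["dn"])


def account_locked(entry):
    """Emulates (nsaccountlock=True); the value is compared case-insensitively."""
    return entry.get("nsaccountlock", "FALSE").lower() == "true"


def lookup_principal(principal, entries=ENTRIES, exclude_staged=False,
                     require_unlocked=False):
    """DNs whose krbPrincipalName matches, with the optional extra tests."""
    hits = []
    for e in entries:
        if e["krbPrincipalName"] != principal:
            continue
        if exclude_staged and under_provisioning(e):
            continue
        if require_unlocked and account_locked(e):
            continue
        hits.append(e["dn"])
    return hits


def staged_uid_collisions(entries=ENTRIES):
    """Detection aid: uids that exist both inside and outside cn=provisioning."""
    staged = {dict(rdns(e["dn"])).get("uid") for e in entries if under_provisioning(e)}
    active = {dict(rdns(e["dn"])).get("uid") for e in entries if not under_provisioning(e)}
    return staged & active
```

Running `staged_uid_collisions()` periodically against a real export of the accounts subtree is a cheap way to spot the shadowing condition before a user is locked out.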
Metadata Update from @neffs:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog