When DRO is set, I can search for an AD user in the compat tree with both uid=user@domain and uid=user. However, the resulting user object will differ depending on which way I used to search for it.
ipa.addomain.com:addomain.com
jsmith
(using idoverrideuser-mod here to clear the existing user object from the compat tree)
Searching for (uid=jsmith@addomain.com) first
```
[root@ipaserver ~]# ipa idoverrideuser-mod "Default Trust View" jsmith@addomain.com --desc TEST1
------------------------------------------------------
Modified an User ID override "jsmith@addomain.com"
------------------------------------------------------
  Anchor to override: jsmith@addomain.com
  Description: TEST1
  UID: 12345
  Home directory: /home/jsmith
  Login shell: /bin/bash
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith@addomain.com)' uid 2>/dev/null
dn: uid=jsmith@addomain.com,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith)' uid 2>/dev/null
```
Searching for (uid=jsmith) first
```
[root@ipaserver ~]# ipa idoverrideuser-mod "Default Trust View" jsmith@addomain.com --desc TEST2
------------------------------------------------------
Modified an User ID override "jsmith@addomain.com"
------------------------------------------------------
  Anchor to override: jsmith@addomain.com
  Description: TEST2
  UID: 12345
  Home directory: /home/jsmith
  Login shell: /bin/bash
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith)' uid 2>/dev/null
dn: uid=jsmith,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
uid: jsmith
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith@addomain.com)' uid 2>/dev/null
dn: uid=jsmith,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
uid: jsmith
```
The compat user object will have two uid values and a different RDN when it is searched for with (uid=username).
The compat user object is the same regardless of how it is searched for.
```
# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.4-10.el7.centos.3.x86_64
ipa-client-4.5.4-10.el7.centos.3.x86_64
389-ds-base-1.3.7.5-25.el7_5.x86_64
pki-ca-10.5.1-14.el7_5.noarch
krb5-server-1.15.1-19.el7.x86_64
```
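The following is an added example, not code from the ticket or from FreeIPA itself: a small POSIX shell check that queries the compat tree for one AD user both by short name and by user@domain, normalises the two LDIF results (DN plus sorted uid values) and reports whether they agree. It assumes a working ldapsearch with a Kerberos ticket for the live check; the user, domain and base DN are parameters, and the function and variable names are the example's own. The normalisation step is kept separate so it can be exercised on captured LDIF without a server.

```shell
#!/bin/sh
# Added example: detect a compat-tree entry that changes shape depending on
# whether it was first looked up as user@domain or as the bare user name.
# Assumes: ldapsearch (openldap-clients) and a valid GSSAPI ticket for the
# live check; normalize_ldif/compare_compat_entries work on LDIF text only.

# Reduce an LDIF fragment (as printed by "ldapsearch -LLL ... uid") to one
# "dn=..." line followed by sorted "uid=..." lines, so two results can be
# compared as plain strings regardless of attribute order.
normalize_ldif() {
    # $1: LDIF text
    printf '%s\n' "$1" | awk '
        /^dn: /  { print "dn=" substr($0, 5) }
        /^uid: / { uids[++n] = substr($0, 6) }
        END {
            # simple insertion-style sort of the uid values
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (uids[j] < uids[i]) { t = uids[i]; uids[i] = uids[j]; uids[j] = t }
            for (i = 1; i <= n; i++) print "uid=" uids[i]
        }'
}

# Compare two LDIF results for the same user.  Prints "same" or "differ";
# exit status 0 when they match, 1 otherwise.  The normalised forms are
# echoed to stderr on a mismatch so the RDN/uid difference is visible.
compare_compat_entries() {
    by_fqdn=$(normalize_ldif "$1")
    by_short=$(normalize_ldif "$2")
    if [ "$by_fqdn" = "$by_short" ]; then
        echo same
        return 0
    fi
    echo differ
    printf 'by user@domain:\n%s\nby short name:\n%s\n' "$by_fqdn" "$by_short" >&2
    return 1
}

# Live check against a server: query the compat tree both ways for one user.
#   check_compat_user jsmith addomain.com 'cn=compat,dc=ipa,dc=addomain,dc=com'
check_compat_user() {
    user=$1; domain=$2; base=$3
    fqdn_result=$(ldapsearch -LLL -Y GSSAPI -b "$base" "(uid=$user@$domain)" uid 2>/dev/null)
    short_result=$(ldapsearch -LLL -Y GSSAPI -b "$base" "(uid=$user)" uid 2>/dev/null)
    compare_compat_entries "$fqdn_result" "$short_result"
}
```

Run it once before and once after touching the override with idoverrideuser-mod; on the affected versions the second run reports "differ" because the short-name lookup yields a `uid=jsmith,...` RDN with two uid values while the user@domain lookup yields a single-valued entry, or nothing at all. An empty result from either search also normalises to an empty string, so a missing entry is reported as a difference rather than silently passing.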
I cannot replicate this on 4.6.4, so possibly fixed?
Hello
I have been able to replicate this recently. It is causing some headaches with integration, where the cross-protocol mapping for our storage looks up simply on the expected login name, so it would be lovely if it were fixed. That said, I'm very happy to find that there's a way past it, as I thought this was insolvable! :-)
```
ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=<domain>' '(uid=qu_xpp@<domain>)' uid 2>/dev/null
dn: uid=qu_xpp@<domain>,cn=users,cn=compat,dc=<domain>
uid: qu_xpp@<domain>

ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=<domain>' '(uid=qu_xpp)' uid 2>/dev/null
# Nothing

ipa idoverrideuser-mod "Default Trust View" qu_xpp@<domain> --desc "Another test perhaps"
------------------------------------------------------
Modified an User ID override "qu_xpp@<domain>"
------------------------------------------------------
  Anchor to override: qu_xpp@<domain>
  Description: Another test perhaps
  User login: qu_xpp
  ...

ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=<domain>' '(uid=qu_xpp)' uid 2>/dev/null
dn: uid=qu_xpp,cn=users,cn=compat,dc=ipa,dc=<domain>
uid: qu_xpp@<domain>
uid: qu_xpp

cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server slapi-nis
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-14.el7_8.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64
slapi-nis-0.56.0-13.el7.x86_64
```
Please do let me know if there's anything you'd like me to investigate/test/POC.