#7748 Inconsistent compat user objects for AD users when domain resolution order is set
Opened 5 years ago by rgp. Modified 3 years ago

Issue

When DRO is set, I can search for an AD user in the compat tree with both uid=user@domain and uid=user. However, the resulting user object will differ depending on which way I used to search for it.

Steps to Reproduce

  1. Set DRO to ipa.addomain.com:addomain.com, clear sssd cache
  2. Set up an idoverrideuser for the AD user, jsmith in this example

(using idoverrideuser-mod here to clear the existing user object from the compat tree)

Searching for (uid=jsmith@addomain.com) first

[root@ipaserver ~]# ipa idoverrideuser-mod "Default Trust View" jsmith@addomain.com --desc TEST1
------------------------------------------------------
Modified an User ID override "jsmith@addomain.com"
------------------------------------------------------
  Anchor to override: jsmith@addomain.com
  Description: TEST1
  UID: 12345
  Home directory: /home/jsmith
  Login shell: /bin/bash
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith@addomain.com)' uid 2>/dev/null
dn: uid=jsmith@addomain.com,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com

[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith)' uid 2>/dev/null

Searching for (uid=jsmith) first

[root@ipaserver ~]# ipa idoverrideuser-mod "Default Trust View" jsmith@addomain.com --desc TEST2
------------------------------------------------------
Modified an User ID override "jsmith@addomain.com"
------------------------------------------------------
  Anchor to override: jsmith@addomain.com
  Description: TEST2
  UID: 12345
  Home directory: /home/jsmith
  Login shell: /bin/bash
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith)' uid 2>/dev/null
dn: uid=jsmith,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
uid: jsmith

[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith@addomain.com)' uid 2>/dev/null
dn: uid=jsmith,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
uid: jsmith

Actual behavior

compat user object will have 2 uid values and a different RDN when searched for with (uid=username)

Expected behavior

compat user object is the same regardless of how it is searched for

Version/Release/Distribution

# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.4-10.el7.centos.3.x86_64
ipa-client-4.5.4-10.el7.centos.3.x86_64
389-ds-base-1.3.7.5-25.el7_5.x86_64
pki-ca-10.5.1-14.el7_5.noarch
krb5-server-1.15.1-19.el7.x86_64

I cannot replicate this on 4.6.4, so possibly fixed?

Hello

I am able to replicate this recently, it is causing some headaches with integration where the cross-protocol mapping for our storage looks up simply on the expected login-name, so it would be lovely if fixed. That said, I'm very happy to find that there's a way past it as I thought this was insolvable!!! :-)

ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=<domain>' '(uid=qu_xpp@<domain>)' uid 2>/dev/null
dn: uid=qu_xpp@<domain>,cn=users,cn=compat,dc=<domain>
uid: qu_xpp@<domain>

ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=<domain>' '(uid=qu_xpp)' uid 2>/dev/null
# Nothing
ipa idoverrideuser-mod "Default Trust View" qu_xpp@<domain> --desc "Another test perhaps"
------------------------------------------------------
Modified an User ID override "qu_xpp@<domain>"
------------------------------------------------------
  Anchor to override: qu_xpp@<domain>
  Description: Another test perhaps
  User login: qu_xpp
  ...
ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=<domain>' '(uid=qu_xpp)' uid 2>/dev/null
dn: uid=qu_xpp,cn=users,cn=compat,dc=ipa,dc=<domain>
uid: qu_xpp@<domain>
uid: qu_xpp

cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server slapi-nis
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-14.el7_8.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64
slapi-nis-0.56.0-13.el7.x86_64

Please do let me know if there's anything you'd like me to investigate/test/POC.
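As an added check for the behaviour both reports above describe (this script is written for this ticket and is not FreeIPA, slapi-nis or 389-ds code), the following parses the LDIF that `ldapsearch -LLL` prints for the two compat-tree lookups, `(uid=login)` and `(uid=login@domain)`, and reports the discrepancies: a missing entry for one filter, a differing RDN, or an entry carrying more than one `uid` value. The `LDIF_*` strings are constructed from the jsmith output quoted in the original report; the function names are assumptions of this example, not names from the project.

```python
"""Compare what the IPA compat tree returns for a short and a fully
qualified AD user name. Offline example: the LDIF samples below are
constructed from the ldapsearch output quoted in the ticket."""
import base64
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # lowercase attr name -> list of values


def parse_ldif(text):
    """Parse `ldapsearch -LLL` output: entries separated by blank lines, each a
    `dn:` line followed by `attr: value` lines. Handles continuation lines
    (leading space), base64 values (`attr::`) and skips `#` comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line continuation
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = Entry(dn=value)
        elif current is not None:
            current.attrs.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def rdn(dn):
    """First RDN of a DN, e.g. 'uid=jsmith' from 'uid=jsmith,cn=users,...'."""
    return dn.split(",", 1)[0]


def check_compat_consistency(short_ldif, fqdn_ldif, login, domain):
    """Return a list of findings comparing the (uid=login) result with the
    (uid=login@domain) result. An empty list means both filters returned the
    same single-uid object, which is the behaviour the reporter expects."""
    findings = []
    short, full = parse_ldif(short_ldif), parse_ldif(fqdn_ldif)
    if not short:
        findings.append(f"no compat entry returned for uid={login}")
    if not full:
        findings.append(f"no compat entry returned for uid={login}@{domain}")
    if not short or not full:
        return findings
    s, f = short[0], full[0]
    if s.dn != f.dn:
        findings.append(f"RDN differs: {rdn(s.dn)} vs {rdn(f.dn)}")
    for label, entry in (("short-name", s), ("fqdn", f)):
        uids = entry.attrs.get("uid", [])
        if len(uids) != 1:
            findings.append(f"{label} lookup returned {len(uids)} uid values: {uids}")
    return findings


# Constructed from the ldapsearch output quoted in the ticket.
COMPAT_BASE = "cn=users,cn=compat,dc=ipa,dc=addomain,dc=com"
LDIF_FQDN_FIRST = f"dn: uid=jsmith@addomain.com,{COMPAT_BASE}\nuid: jsmith@addomain.com\n"
LDIF_SHORT_EMPTY = ""   # the (uid=jsmith) search in that run returned no entry
LDIF_SHORT_FIRST = f"dn: uid=jsmith,{COMPAT_BASE}\nuid: jsmith@addomain.com\nuid: jsmith\n"
LDIF_FQDN_AFTER_SHORT = f"dn: uid=jsmith,{COMPAT_BASE}\nuid: jsmith@addomain.com\nuid: jsmith\n"

if __name__ == "__main__":
    for title, short, full in (
        ("fqdn searched first", LDIF_SHORT_EMPTY, LDIF_FQDN_FIRST),
        ("short name searched first", LDIF_SHORT_FIRST, LDIF_FQDN_AFTER_SHORT),
        ("object from run 1 vs object from run 2", LDIF_SHORT_FIRST, LDIF_FQDN_FIRST),
    ):
        print(f"== {title}")
        for finding in check_compat_consistency(short, full, "jsmith", "addomain.com") or ["consistent"]:
            print("  ", finding)
```

To use it against a live server, replace the two sample strings with the output of the two `ldapsearch -LLL -Y GSSAPI -b 'cn=compat,...'` commands shown in the reports (one per filter) and compare the findings before and after clearing the sssd cache; an empty finding list is the expected behaviour, anything else is the inconsistency this ticket is about.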
