#7748 Inconsistent compat user objects for AD users when domain resolution order is set
Opened 9 months ago by rgp. Modified 3 months ago

Issue

When DRO is set, I can search for an AD user in the compat tree with both uid=user@domain and uid=user. However, the resulting user object will differ depending on which way I used to search for it.

Steps to Reproduce

  1. Set DRO to ipa.addomain.com:addomain.com, clear sssd cache
  2. Set up an idoverrideuser for the AD user, jsmith in this example

(using idoverrideuser-mod here to clear the existing user object from the compat tree)

Searching for (uid=jsmith@addomain.com) first

[root@ipaserver ~]# ipa idoverrideuser-mod "Default Trust View" jsmith@addomain.com --desc TEST1
------------------------------------------------------
Modified an User ID override "jsmith@addomain.com"
------------------------------------------------------
  Anchor to override: jsmith@addomain.com
  Description: TEST1
  UID: 12345
  Home directory: /home/jsmith
  Login shell: /bin/bash
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith@addomain.com)' uid 2>/dev/null
dn: uid=jsmith@addomain.com,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com

[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith)' uid 2>/dev/null

Searching for (uid=jsmith) first

[root@ipaserver ~]# ipa idoverrideuser-mod "Default Trust View" jsmith@addomain.com --desc TEST2
------------------------------------------------------
Modified an User ID override "jsmith@addomain.com"
------------------------------------------------------
  Anchor to override: jsmith@addomain.com
  Description: TEST2
  UID: 12345
  Home directory: /home/jsmith
  Login shell: /bin/bash
[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith)' uid 2>/dev/null
dn: uid=jsmith,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
uid: jsmith

[root@ipaserver ~]# ldapsearch -LLL -Y GSSAPI -b 'cn=compat,dc=ipa,dc=addomain,dc=com' '(uid=jsmith@addomain.com)' uid 2>/dev/null
dn: uid=jsmith,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
uid: jsmith

Actual behavior

compat user object will have 2 uid values and a different RDN when searched for with (uid=username)

Expected behavior

compat user object is the same regardless of how it is searched for

Version/Release/Distribution

# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.4-10.el7.centos.3.x86_64
ipa-client-4.5.4-10.el7.centos.3.x86_64
389-ds-base-1.3.7.5-25.el7_5.x86_64
pki-ca-10.5.1-14.el7_5.noarch
krb5-server-1.15.1-19.el7.x86_64

I cannot replicate this on 4.6.4, so possibly fixed?
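The two sessions above differ only in which filter was issued first against a clean cache. As an added check, not part of the ticket or of FreeIPA, the script below parses the LDIF that `ldapsearch -LLL` returns for `(uid=user)` and `(uid=user@domain)` and reports whether the DN or the set of uid values differs. It assumes the base DN `cn=compat,dc=ipa,dc=addomain,dc=com` and the user `jsmith@addomain.com` from the ticket; the embedded sample LDIF is copied from the two sessions shown above so the comparison runs offline, and the live mode only needs `ldapsearch` plus a Kerberos ticket.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeIPA): compare the compat-tree entry
# returned for the bare and the fully qualified uid and flag any difference.
# Assumed base DN / user as in the ticket; adjust for your deployment.
BASE='cn=compat,dc=ipa,dc=addomain,dc=com'

# First "dn:" value in LDIF read from stdin (empty when no entry came back).
ldif_dn() {
    awk '/^dn: /{sub(/^dn: /, ""); print; exit}'
}

# All "uid:" values in LDIF read from stdin, sorted and space-joined so that
# two entries with the same set of values compare equal as strings.
ldif_uids() {
    awk '/^uid: /{sub(/^uid: /, ""); print}' | sort | paste -sd ' ' -
}

# compat_consistent LDIF_A LDIF_B
#   returns 0 when DN and uid values match, 1 when they differ (and prints
#   which field differs), 2 when either search returned no entry.
compat_consistent() {
    a="$1"; b="$2"
    dn_a=$(printf '%s\n' "$a" | ldif_dn)
    dn_b=$(printf '%s\n' "$b" | ldif_dn)
    uids_a=$(printf '%s\n' "$a" | ldif_uids)
    uids_b=$(printf '%s\n' "$b" | ldif_uids)
    if [ -z "$dn_a" ] || [ -z "$dn_b" ]; then
        echo "one of the searches returned no entry"
        return 2
    fi
    rc=0
    if [ "$dn_a" != "$dn_b" ]; then
        echo "DN differs: '$dn_a' vs '$dn_b'"; rc=1
    fi
    if [ "$uids_a" != "$uids_b" ]; then
        echo "uid values differ: [$uids_a] vs [$uids_b]"; rc=1
    fi
    return $rc
}

# Live mode: query a server. Clear the sssd cache on the IPA server first
# (sss_cache -E), because the ticket shows the result depends on which
# filter is issued first; the bare uid is searched first here, the order
# that produced the two-valued entry in the ticket.
check_live() {
    user="$1"; domain="$2"
    bare=$(ldapsearch -LLL -Y GSSAPI -b "$BASE" "(uid=$user)" uid 2>/dev/null)
    full=$(ldapsearch -LLL -Y GSSAPI -b "$BASE" "(uid=$user@$domain)" uid 2>/dev/null)
    compat_consistent "$bare" "$full"
}

# Constructed sample output, copied from the ticket's two sessions.
# Session 1: (uid=jsmith@addomain.com) searched first -> one uid, full RDN.
SAMPLE_FULL_FIRST='dn: uid=jsmith@addomain.com,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com'
# Session 2: (uid=jsmith) searched first -> short RDN and two uid values.
SAMPLE_BARE_FIRST='dn: uid=jsmith,cn=users,cn=compat,dc=ipa,dc=addomain,dc=com
uid: jsmith@addomain.com
uid: jsmith'

if [ "$#" -eq 2 ]; then
    # usage: sh compat_check.sh jsmith addomain.com   (against a live server)
    check_live "$1" "$2"
else
    echo "Comparing the two sessions recorded in the ticket:"
    compat_consistent "$SAMPLE_FULL_FIRST" "$SAMPLE_BARE_FIRST" \
        || echo "=> inconsistent (rc=$?)"
fi
```

Run it with no arguments to replay the ticket's data, or with `user domain` against a server; a fixed server should print nothing and exit 0 for the live check.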
