Issue #8661: ipasam: allow search of users by user principal name (UPN) - freeipa

freeipa

#8661 ipasam: allow search of users by user principal name (UPN)

Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

lookup_name() in Samba may call PASSDB API to search by a UPN (e.g. username@suffix). Support this call by detecting '@' in the passed name and setting up filter to be

(&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux) krbPrincipalName:caseIgnoreIA5Match:=%s))

instead of

  (&(objectClass=ipaNTUserAttrs)(uid=%s))

The result of the search would still contain a proper user entry as we always have krbPrincipalName in LDAP entries of IPA users. Note that the match must be case-insensitive because otherwise krbPrincipalName is matched with exact case in the schema. We use the same matching override in KDB driver already.

rcritten commented 3 years ago

master:

968f8ad ipa-kdb: provide correct logon time in MS-PAC from authentication time
e6f8d8b ipasam: implement PASSDB getgrnam call
7588251 ipasam: allow search of users by user principal name (UPN)
a1e2fe9 ipasam: free trusted domain context on failure
08d7d90 ipasam: derive parent domain for subdomains automatically
214aeb7 ipaserver/dcerpc: store forest topology as a blob in ipasam
9d19c08 ipatests: use fully qualified name for AD admin when establishing trust
9424256 Update ipa_sam.c
ae7cd47 trust-fetch-domains: use custom krb5.conf overlay for all trust operations
54e5ffc use a constant instead of /var/lib/sss/keytabs

rcritten commented 3 years ago

ipa-4-9:

f8bf374 ipa-kdb: provide correct logon time in MS-PAC from authentication time
962052a ipasam: implement PASSDB getgrnam call
2e8eb0f ipasam: allow search of users by user principal name (UPN)
e8f927d ipasam: free trusted domain context on failure
f103172 ipasam: derive parent domain for subdomains automatically
3d706b6 ipaserver/dcerpc: store forest topology as a blob in ipasam
dc16c24 ipatests: use fully qualified name for AD admin when establishing trust
b535924 Update ipa_sam.c
c842d4b trust-fetch-domains: use custom krb5.conf overlay for all trust operations
9f63afb use a constant instead of /var/lib/sss/keytabs

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata

Assignee

abbra

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#8661 ipasam: allow search of users by user principal name (UPN) Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.

Metadata

trust

#8661 ipasam: allow search of users by user principal name (UPN)

Closed: fixed 3 years ago by rcritten. Opened 3 years ago by abbra.