I can create two users in IPA with the same name:
ipa user-add user1 --first Test --last User
ipa user-add user2 --first Test --last User
It is totally fine for people to have the same name.
But the GC instance will contain a record only for the first one. In globalcatalog.log there is an error:
2020-10-14T09:27:53Z 33784 MainThread ipaserver.globalcatalog.gcsyncer ERROR Entry CN=Test User,CN=Users,dc=testrelm,dc=test already exists
The root cause is not the (first, last) combination but rather the identical cn.
If the cn attribute isn't explicitly set during ipa user-add with the --cn option, the user plugin automatically creates the cn attribute by concatenating givenname (=first) and sn (=last) (here in ipaserver/plugins/user.py).
FreeIPA doesn't enforce unicity of the cn attribute but GC does. It doesn't look acceptable to add this constraint to the main LDAP instance, and the best mitigation IMO was at least to log an error. I agree it's not optimal but don't have any solution so far.
What about creating an ipa-healthcheck test for this kind of situation under the trust set of tests?
We can also add a validation to user-add that verifies this and adds a warning to the response in case GC is enabled.
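The two ideas above (a healthcheck that scans for existing collisions, and a pre-flight warning in user-add) can be illustrated with the same duplicate-cn logic. The following is an added example and is not FreeIPA's or ipa-healthcheck's code: it models user entries as plain dicts instead of LDAP results (an assumption), reproduces the default described in the thread (cn = givenname, a space, sn, unless --cn was given; the space separator is inferred from the "Test User" DN in the log line), and compares cn values case-insensitively because cn uses caseIgnore matching in LDAP.

```python
"""Added example (not FreeIPA's own code): find user entries whose cn values
collide, which is the condition that makes the GC syncer refuse the second entry."""
from collections import defaultdict

# Constructed sample data: two users with identical first/last names, one who
# was given an explicit cn with --cn, and one unrelated user.
SAMPLE_USERS = [
    {"uid": "user1", "givenname": "Test", "sn": "User"},
    {"uid": "user2", "givenname": "Test", "sn": "User"},
    {"uid": "user3", "givenname": "Test", "sn": "User", "cn": "Test User (Finance)"},
    {"uid": "user4", "givenname": "Other", "sn": "Person"},
]


def effective_cn(entry):
    """Return the cn the entry ends up with: an explicit cn wins, otherwise
    givenname and sn joined by a space (assumption modelled on the ticket)."""
    if entry.get("cn"):
        return entry["cn"]
    return f"{entry['givenname']} {entry['sn']}"


def find_duplicate_cn(entries):
    """Healthcheck-style scan: map each colliding cn (lower-cased, since cn is
    a caseIgnore attribute) to the list of uids that share it."""
    by_cn = defaultdict(list)
    for entry in entries:
        by_cn[effective_cn(entry).lower()].append(entry["uid"])
    return {cn: uids for cn, uids in by_cn.items() if len(uids) > 1}


def would_collide(new_entry, existing):
    """Pre-flight check for a user-add: uids of existing entries whose cn
    equals the cn the new entry would get. A non-empty result is what a
    user-add warning would report when GC is enabled."""
    cn = effective_cn(new_entry).lower()
    return [e["uid"] for e in existing if effective_cn(e).lower() == cn]


if __name__ == "__main__":
    for cn, uids in find_duplicate_cn(SAMPLE_USERS).items():
        print(f"WARNING: cn '{cn}' is shared by {', '.join(uids)}; GC will sync only the first")
    candidate = {"uid": "user5", "givenname": "test", "sn": "USER"}
    clash = would_collide(candidate, SAMPLE_USERS)
    if clash:
        print(f"WARNING: adding {candidate['uid']} would collide in GC with {', '.join(clash)}")
```

The explicit-cn case (user3) is deliberately included: it shows that passing --cn at creation time is the existing workaround, and that the check must look at the stored cn rather than recomputing it from first/last for every entry.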