Bug 1309745 - Support multiple principals for IPA users
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: SSSD Maintainers
QA Contact: Steeve Goveas
Docs Contact: Aneta Šteflová Petrová
Reported: 2016-02-18 10:25 EST by Jakub Hrozek
Modified: 2016-11-04 03:16 EDT
Fixed In Version: sssd-1.14.0-14.el7
Doc Type: Enhancement
Doc Text:
See Doc Text for BZ#1328552
Last Closed: 2016-11-04 03:16:13 EDT


Description Jakub Hrozek 2016-02-18 10:25:00 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2958

This is SSSD part of FreeIPA ticket #5413. When IPA allows multiple principals, we will need to store multi-valued UPN attribute and pick the right one.

The use-cases are supporting a legal name change and supporting authentication by e-mail address.
Comment 1 Jakub Hrozek 2016-07-29 09:10:08 EDT
* master:
Comment 3 Jakub Hrozek 2016-09-11 15:58:22 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2856
Comment 4 Xiyang Dong 2016-09-21 09:02:50 EDT
Verified on sssd-1.14.0-41.el7:
# ipa user-add tuser --first test --last user --password
Password: 
Enter Password again to verify: 
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser@TESTRELM
  Principal alias: tuser@TESTRELM
  Email address: tuser@testrelm.test
  UID: 1669000001
  GID: 1669000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# kinit tuser
Password for tuser@TESTRELM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# kinit admin
Password for admin@TESTRELM: 
# ipa user-add-principal tuser talias talias\\@ent.test
---------------------------------
Added new aliases to user "tuser"
---------------------------------
  User login: tuser
  Principal alias: talias@TESTRELM, talias\@ent.test@TESTRELM, tuser@TESTRELM
# kinit talias 
Password for talias@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_5ks0oe9
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:38:33  08/22/2016 23:38:30  krbtgt/TESTRELM@TESTRELM

# kinit -C talias
Password for talias@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_OhZfJlN
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:39:00  08/22/2016 23:38:54  krbtgt/TESTRELM@TESTRELM

# kinit talias\\@ent.test
Password for talias\@ent.test@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_2HXMy3a
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:40:02  08/22/2016 23:39:59  krbtgt/TESTRELM@TESTRE

# kinit -E talias@ent.test
Password for talias\@ent.test@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_JEDF6Xy
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:40:37  08/22/2016 23:40:34  krbtgt/TESTRELM@TESTRELM
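
Added example (not part of the bug report, and not SSSD or FreeIPA code): a simplified model of "store a multi-valued principal attribute and pick the right one", using the alias list and the four login forms from the verification transcript above. The USERS table and the helper names split_principal, normalize and resolve are constructed for illustration; the exact-match lookup is an assumption of this sketch.

```python
# Added illustration: a simplified model, not SSSD or FreeIPA code.
DEFAULT_REALM = "TESTRELM"  # realm used in the transcript above

# Constructed directory data mirroring the "Principal alias" line above.
USERS = {
    "tuser": {
        "canonical": "tuser@TESTRELM",
        "aliases": ["talias@TESTRELM", r"talias\@ent.test@TESTRELM",
                    "tuser@TESTRELM"],
    },
}


def split_principal(text):
    """Split at the single unescaped '@'; a backslash escapes the next char."""
    ats, i = [], 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if text[i] == "@":
            ats.append(i)
        i += 1
    if len(ats) > 1:
        raise ValueError("more than one unescaped '@' in %r" % text)
    if not ats:
        return text, None
    return text[:ats[0]], text[ats[0] + 1:]


def normalize(login, enterprise=False, realm=DEFAULT_REALM):
    """Turn what the user typed into a full principal string."""
    if enterprise:
        # Like `kinit -E`: the whole input is the name, so '@' is escaped.
        return login.replace("@", "\\@") + "@" + realm
    name, given_realm = split_principal(login)
    return name + "@" + (given_realm or realm)


def resolve(login, enterprise=False):
    """Return the canonical principal of the user owning this alias, or None."""
    wanted = normalize(login, enterprise)
    for entry in USERS.values():
        if wanted in entry["aliases"]:
            return entry["canonical"]
    return None


if __name__ == "__main__":
    for typed, ent in [("talias", False), (r"talias\@ent.test", False),
                       ("talias@ent.test", True), ("talias@ent.test", False)]:
        print(typed, ent, "->", resolve(typed, ent))
```

The last case shows why the escaping matters: without the enterprise flag or a backslash, "talias@ent.test" is read as user "talias" in realm "ent.test" and matches no stored alias.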
Comment 10 errata-xmlrpc 2016-11-04 03:16:13 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html
