+++ This bug was initially created as a clone of Bug #1361119 +++ This bug is created as a clone of upstream ticket: https://fedorahosted.org/slapi-nis/ticket/12 When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns. As result, the entry created by slapi-nis will be using canonical user name but the filter for search will refer to the original (aliased) name. The search will not match the newly created entry. The issue can be fixed by returning two values for 'uid' attribute: the canonical one and the aliased one. This way the search will match. This is what ticket https://fedorahosted.org/slapi-nis/ticket/12 will do on slapi-nis side. On FreeIPA side an update is needed to cn=users,cn=compat,$suffix definition to allow multiple 'uid' values because RDN generation function expects a single value of 'uid' attribute. A change is to add explicit 'uid' attribute generation and change rdn processing to use %first() function: {{{ dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config cn: users objectClass: top objectClass: extensibleObject schema-compat-container-group: cn=compat, dc=ipa,dc=ad,dc=test schema-compat-container-rdn: cn=users schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") schema-compat-entry-attribute: cn=%{cn} schema-compat-entry-attribute: objectclass=posixAccount schema-compat-entry-attribute: gidNumber=%{gidNumber} schema-compat-entry-attribute: gecos=%{cn} schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:ipa.ad.test:%{ipauniqueid}","") schema-compat-entry-attribute: uidNumber=%{uidNumber} schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") schema-compat-entry-attribute: loginShell=%{loginShell} schema-compat-entry-attribute: homeDirectory=%{homeDirectory} schema-compat-entry-attribute: uid=%{uid} schema-compat-entry-rdn: uid=%first("%{uid}") schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config schema-compat-restrict-subtree: $SUFFIX schema-compat-search-base: cn=users, cn=accounts, $SUFFIX schema-compat-search-filter: objectclass=posixAccount schema-compat-lookup-nsswitch: user }}}
Please provide the steps to verify this.
When both slapi-nis and IdM are fixed, the code below should be working on the client, using LDAP provider in SSSD, looking at the cn=compat tree of the IPA server. This requires that you have additional UPNs defined for the users in Active Directory (in my case I have additional name suffix BLACKSMITH and it is associated witht the user on AD side). # systemctl restart sssd # id abbra@blacksmith uid=1115001114(abbra) gid=1115001114(abbra) groups=1115001114(abbra),1115000513(domain users) # getent passwd abbra@blacksmith abbra:*:1115001114:1115001114:Alexander Bokovoy:/home/ad.test/abbra: SSSD should be able to return primary uid in response to UPN-based lookup. On the server: # ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=ad,dc=test '(&(objectclass=posixaccount)(uid=abbra@blacksmith))' SASL/GSSAPI authentication started SASL username: Administrator SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <cn=compat,dc=ipa,dc=ad,dc=test> with scope subtree # filter: (&(objectclass=posixaccount)(uid=abbra@blacksmith)) # requesting: ALL # # abbra, users, compat, ipa.ad.test dn: uid=abbra,cn=users,cn=compat,dc=ipa,dc=ad,dc=test objectClass: ipaOverrideTarget objectClass: posixAccount objectClass: top cn: Alexander Bokovoy gidNumber: 1115001114 gecos: Alexander Bokovoy ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMjc1MzYxNjU0LTMzOTMzNTMwNjgtMzcyMDEzNDkzNi 0xMTE0 uidNumber: 1115001114 uid: abbra uid: abbra@blacksmith homeDirectory: /home/ad.test/abbra # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 As you can see, now multiple two uid values show up in the entry -- the original one and the UPN one. This is allowed by the original LDAP schema and SSSD/nss_ldap seem to deal with it just fine.
Fix is seen. Verified on RHEL7.3 using ipa-server-4.4.0-8.el7.x86_64 sssd-1.14.0-27.el7.x86_64 slapi-nis-0.56.0-4.el7.x86_64 [root@client sssd]# id test2 uid=558001486(test2) gid=558001486(test2) groups=558001486(test2),558000513(domain users),558001488(sales) [root@client sssd]# id test2 uid=558001486(test2) gid=558001486(test2) groups=558001486(test2),558000513(domain users),558001488(sales) ------------------------------------------ [root@client sssd]# getent passwd test2 test2:*:558001486:558001486:test2:/home/pne.qe/test2: [root@client sssd]# getent passwd test2 test2:*:558001486:558001486:test2:/home/pne.qe/test2: ------------------------------- [root@ipaserver sssd]# ldapsearch -Y GSSAPI -b cn=compat,dc=redlabs,dc=qe '(&(objectclass=posixaccount)(uid=test2))' SASL/GSSAPI authentication started SASL username: admin SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <cn=compat,dc=redlabs,dc=qe> with scope subtree # filter: (&(objectclass=posixaccount)(uid=test2)) # requesting: ALL # # test2, users, compat, redlabs.qe dn: uid=test2,cn=users,cn=compat,dc=redlabs,dc=qe objectClass: ipaOverrideTarget objectClass: posixAccount objectClass: top cn: test2 gidNumber: 558001486 gecos: test2 ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0zOTEyNzE5NTIxLTE5Njc1OTAzNjAtMTEzNjIyNjUyNC 0xNDg2 uidNumber: 558001486 homeDirectory: /home/pne.qe/test2 uid: test2 uid: test2 # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2471.html