When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including a user principal name (UPN), which may differ from the canonical user name that SSSD returns.

As a result, the entry created by slapi-nis uses the canonical user name, but the search filter refers to the original (aliased) name, so the search does not match the newly created entry. The issue is fixed in slapi-nis-0.56.1 by returning two values for the 'uid' attribute: the canonical one and the aliased one. This way the search matches. The standard LDAP schema allows multiple values for the 'uid' attribute. We already use the same trick for the 'cn' attribute in the groups map.

https://fedorahosted.org/freeipa/ticket/6138

--
/ Alexander Bokovoy
From 359328c45465c25a2c34629511bf30097b0b8b0a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <[email protected]> Date: Thu, 4 Aug 2016 09:58:50 +0300 Subject: support multiple uid values in schema compatibility tree When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns. As result, the entry created by slapi-nis will be using canonical user name but the filter for search will refer to the original (aliased) name. The search will not match the newly created entry. The issue is fixed in slapi-nis-0.56.1 by returning two values for 'uid' attribute: the canonical one and the aliased one. This way the search will match. Standard LDAP schema allows multiple values for 'uid' attribute. https://fedorahosted.org/freeipa/ticket/6138 --- install/updates/10-schema_compat.update | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update index e4c257d..fbe8703 100644 --- a/install/updates/10-schema_compat.update +++ b/install/updates/10-schema_compat.update @@ -87,3 +87,7 @@ add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectc add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","") add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid} add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") + +dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config +add:schema-compat-entry-attribute: uid=%{uid} +replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}") -- 2.7.4
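Review bot: the `replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")` directive only fires when the existing RDN value is exactly `uid=%{uid}`; on a server whose users map RDN has been customised the replace is a no-op while the preceding `add:schema-compat-entry-attribute: uid=%{uid}` still lands, so once slapi-nis-0.56.1 hands back two uid values the RDN template expands to two values and the entry DN becomes ambiguous. Either make the RDN update unconditional or state the assumption in the update file. Separately, the commit message ties the change to slapi-nis-0.56.1 (two uid values, with `%first` relying on the canonical one coming first), but the patch touches only install/updates/10-schema_compat.update; the package dependency on that slapi-nis version should be recorded with this change.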
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
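The lookup failure and the fix described in the message, as an added example that is not FreeIPA or slapi-nis code: a small Python model of how a compat entry is built from an RDN template plus attribute templates, and how an LDAP equality filter is then matched against it. The user names, the base DN and the reduced template syntax (only `%{attr}` and `%first("...")`) are assumptions made for the example; the three cases it runs are the pre-0.56.1 single-valued uid, two uid values with the old RDN template, and two uid values with `%first()` in the RDN.

```python
import re

# Constructed sample data (not from the original message): the canonical
# name SSSD returns for an AD user, and the alias (a UPN) a client searched by.
CANONICAL = "jdoe@ad.example.test"
ALIAS = "john.doe@corp.example.test"
BASE_DN = "cn=users,cn=compat,dc=example,dc=test"   # assumed compat base

# Assumed simplified templates in the style of the schema-compat config.
# Only the %{attr} reference and the %first("...") wrapper are modelled.
OLD_TEMPLATE = {
    "rdn": "uid=%{uid}",
    "attrs": ["objectclass=posixAccount", "cn=%{cn}"],
}
NEW_TEMPLATE = {
    "rdn": 'uid=%first("%{uid}")',
    "attrs": ["objectclass=posixAccount", "cn=%{cn}", "uid=%{uid}"],
}

_REF = re.compile(r"%\{(\w+)\}")
_FIRST = re.compile(r'^%first\("(.*)"\)$')


def expand(fragment, source):
    """Expand one 'attr=template' fragment into (attr, [values]).

    A %{x} reference fans out to one output value per source value of x,
    so a multi-valued source attribute yields a multi-valued compat
    attribute; %first("...") keeps only the first expansion.
    """
    attr, _, tmpl = fragment.partition("=")
    first = _FIRST.match(tmpl)
    if first:
        tmpl = first.group(1)
    refs = _REF.findall(tmpl)
    if refs:
        values = [_REF.sub(lambda _m: v, tmpl) for v in source.get(refs[0], [])]
    else:
        values = [tmpl]
    return attr.lower(), (values[:1] if first else values)


def rdn_values(cfg, source):
    """Values the RDN template expands to; exactly one is needed for a usable DN."""
    return expand(cfg["rdn"], source)[1]


def build_entry(cfg, source):
    """Build the compat entry as {'dn': ..., 'attrs': {attr: [values]}}."""
    rdn_attr, vals = expand(cfg["rdn"], source)
    if len(vals) != 1:
        raise ValueError(f"RDN template expanded to {len(vals)} values: {vals}")
    # The RDN value is itself an attribute value of the entry.
    attrs = {rdn_attr: list(vals)}
    for fragment in cfg["attrs"]:
        attr, more = expand(fragment, source)
        bucket = attrs.setdefault(attr, [])
        for v in more:
            if v.lower() not in [x.lower() for x in bucket]:
                bucket.append(v)
    return {"dn": f"{rdn_attr}={vals[0]},{BASE_DN}", "attrs": attrs}


def matches(entry, flt):
    """Evaluate a single equality filter '(attr=value)'; uid uses caseIgnoreMatch."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == wanted for v in entry["attrs"].get(attr, []))


def lookup(cfg, source, flt):
    """DN of the compat entry built from `source` if it satisfies `flt`, else None."""
    entry = build_entry(cfg, source)
    return entry["dn"] if matches(entry, flt) else None


if __name__ == "__main__":
    by_alias = f"(uid={ALIAS})"
    # 1. Pre-0.56.1 slapi-nis hands back only the canonical name: no match.
    print(lookup(OLD_TEMPLATE, {"uid": [CANONICAL], "cn": ["John Doe"]}, by_alias))
    # 2. Two uid values with the old RDN template: the DN is ambiguous.
    print(rdn_values(OLD_TEMPLATE, {"uid": [CANONICAL, ALIAS], "cn": ["John Doe"]}))
    # 3. Two uid values plus %first() for the RDN: DN stays canonical, alias matches.
    print(lookup(NEW_TEMPLATE, {"uid": [CANONICAL, ALIAS], "cn": ["John Doe"]}, by_alias))
```

The model keeps the RDN single-valued on purpose: with two uid values and the old `uid=%{uid}` RDN template, `rdn_values()` returns both names and `build_entry()` refuses to pick one, which is the situation the `%first("%{uid}")` change in the patch avoids while the multi-valued `uid` attribute is what makes the `(uid=<alias>)` filter match.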
