On Wed, 10 Aug 2016, Alexander Bokovoy wrote:
On Wed, 10 Aug 2016, thierry bordaz wrote:
On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:
On Tue, 09 Aug 2016, thierry bordaz wrote:
On 08/09/2016 12:49 PM, Martin Basti wrote:
On 08.08.2016 17:30, thierry bordaz wrote:
On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, thierry bordaz wrote:
On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, thierry bordaz wrote:
On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
On (08/08/16 11:35), Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Martin Basti wrote:
On 08.08.2016 09:34, Alexander Bokovoy wrote:
When SSSD resolves AD users on behalf of slapi-nis, it can
accept any
user identifier, including user principal
name (UPN) which may be
different than the canonical user name which SSSD returns.
As result, the entry created by slapi-nis will be using
canonical user
name but the filter for search will refer
to the original (aliased)
name. The search will not match the newly created entry.
The issue is fixed in slapi-nis-0.56.1 by
returning two values for
'uid' attribute: the canonical one and the
aliased one. This way the
search will match.
Standard LDAP schema allows multiple
values for 'uid' attribute. We
actually use the same trick for 'cn'
attribute in the groups map
already.
https://fedorahosted.org/freeipa/ticket/6138
Hello,
should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
No, this is not required. In Fedora we'll
submit a combined update --
I've built slapi-nis-0.56.1-1 packages for
f24, f25, and rawhide already
but did not submit a Bodhi request.
How is combined updated related to requires to slapi-nis-0.56.1?
It will not prevent tu update freeipa without new slapi-nis.
e.g.
dnf update freeipa-server.
An update file in FreeIPA that is proposed by this
patch does not affect
operation of the older slapi-nis deployment once
update is applied.
Hi,
Is '%first' returning the first value of the attribute 'uid' ?
If there are several values (canonical, alias,... ),
does the order matters ?
We insert the canonical one first and it seems that 389-ds does not
change the order, at least in my tests. You can see
the output in the
bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2
From ldap pov
(https://tools.ietf.org/html/rfc4511#section-4.1.7) the
order of the values is not preserved.
I think it is a bit risky to rely on a specific order
especially with complex updates (adding several values
in a single mod, replace) and replication.
would it help to add canonical value with a subtype
(e.g. 'uid;canonical: <value>') ?
Not sure how what you are mention is relevant here. We talk about
slapi-nis map cache entries which are not modified, replaced or
replicated anywhere by anything other than slapi-nis itself. When
entries are changed by slapi-nis, they are regenerated from scratch.
Your worries do not apply here.
ok.
I understand my mistake, I was thinking the compat entry had
a associated real entry in ldap and this real entry had two
uid values.
So, could you provide ack thierry?
Martin
Sure but I would have to test first :-)
Alexander, how can I test this ?
slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
http://koji.fedoraproject.org/koji/packageinfo?packageID=6609
Thanks Alexander. So to test this change is there an other way
(simpler) than setting up AD/trust ?
I don't think so. We don't have UPNs in FreeIPA on the level of identity
lookups and we don't allow to lookup identity by email, so you are left
with using a proper AD trust and UPN suffixes in AD forest.
Attached is an updated patch that adds versioned require of slapi-nis
which supports the feature.
--
/ Alexander Bokovoy
From 4a75c02c66e2ecacb0cb3b6e8c2255805e9f68b5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 4 Aug 2016 09:58:50 +0300
Subject: [PATCH 2/5] support multiple uid values in schema compatibility tree
---
freeipa.spec.in | 4 +++-
install/updates/10-schema_compat.update | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 78ab8ca..c8146e1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,9 +12,11 @@
%if 0%{?rhel}
%global samba_version 4.0.5-1
%global selinux_policy_version 3.12.1-153
+%global slapi_nis_version 0.56.0-4
%else
%global samba_version 2:4.0.5-1
%global selinux_policy_version 3.13.1-158.4
+%global slapi_nis_version 0.56.1
%endif
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel |
grep -Eo '^[^.]+\.[^.]+')
@@ -157,7 +159,7 @@ Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.56.0
+Requires: slapi-nis >= %{slapi_nis_version}
Requires: pki-ca >= 10.3.3-3
Requires: pki-kra >= 10.3.3-3
Requires(preun): python systemd-units
diff --git a/install/updates/10-schema_compat.update
b/install/updates/10-schema_compat.update
index e4c257d..fbe8703 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -87,3 +87,7 @@ add:schema-compat-entry-attribute:
%ifeq("ipauniqueid","%{ipauniqueid}","objectc
add:schema-compat-entry-attribute:
%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
add:schema-compat-entry-attribute:
%ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: uid=%{uid}
+replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")
--
2.7.4
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
