Simon Matthews via FreeIPA-users wrote:
> I seem to get two entries every time I create a new user. This is causing the
> webserver authentication to fail with the message about "User is not unique":
>
> [Tue Jan 11 20:42:16.645046 2022] [authnz_ldap:debug] [pid 21005]
> mod_authnz_ldap.c(505): [client 10.14.0.18:59704] AH01691: auth_ldap
> authenticate: using URL
> ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
> [Tue Jan 11 20:42:16.810661 2022] [authnz_ldap:info] [pid 21005] [client
> 10.14.0.18:59704] AH01695: auth_ldap authenticate: user testuser
> authentication failed; URI / [User is not unique (search found two or more
> matches)][No such object]
> [Tue Jan 11 20:42:16.810715 2022] [auth_basic:error] [pid 21005] [client
> 10.14.0.18:59704] AH01618: user testuser not found: /
>
> # ipa user-add testuser
> First name: test
> Last name: user
> -
> Added user "testuser"
> -
> User login: testuser
> First name: test
> Last name: user
> Full name: test user
> Display name: test user
> Initials: tu
> Home directory: /home/testuser
> GECOS: test user
> Login shell: /bin/sh
> Principal name: testu...@ipa.bluepearlsoftware.com
> Principal alias: testu...@ipa.bluepearlsoftware.com
> Email address: testu...@ipa.bluepearlsoftware.com
> UID: 129317
> GID: 129317
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
>
>
> [root@ipa1 scripts]# ldapsearch '(uid=testuser)'
> SASL/GSSAPI authentication started
> SASL username: ad...@ipa.bluepearlsoftware.com
> SASL SSF: 256
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (uid=testuser)
> # requesting: ALL
> #
>
> # testuser, users, compat, ipa.bluepearlsoftware.com
> dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
> objectClass: posixAccount
> objectClass: ipaOverrideTarget
> objectClass: ipaOverrideTarget
> objectClass: top
> gecos: test user
> cn: test user
> uidNumber: 129317
> gidNumber: 129317
> loginShell: /bin/sh
> homeDirectory: /home/testuser
> ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMT
> FlYy1iNWQ5LTUyNTQwMGI1NzZmYg==
> uid: testuser
>
> # testuser, users, accounts, ipa.bluepearlsoftware.com
> dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
> displayName: test user
> uid: testuser
> krbCanonicalName: testu...@ipa.bluepearlsoftware.com
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> initials: tu
> gecos: test user
> sn: user
> homeDirectory: /home/testuser
> mail: testu...@ipa.bluepearlsoftware.com
> krbPrincipalName: testu...@ipa.bluepearlsoftware.com
> givenName: test
> cn: test user
> ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
> uidNumber: 129317
> gidNumber: 129317
> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware
> ,dc=com
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> Relevant part of Apache config file:
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authz_core_module modules/mod_authz_core.so
> LoadModule authn_core_module modules/mod_authn_core.so
> Loglevel authnz_ldap_module:debug
> LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt
>
> AuthType Basic
> AuthName "Blue Pearl"
> AuthBasicProvider ldap
> AuthLDAPURL
> ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
Your URL needs to be more specific to find users, like cn=users,cn=accounts,dc=...
Or alternatively you could add an objectclass filter, but searching the
entire tree for users is more work than necessary.
IPA maintains a separate, synthesized tree, for compatibility with
RFC2307. This is the cn=compat entry you are seeing.
I'll also note that all users are in the group ipausers. IIRC it also
has to be a dn but I could be wrong on that.
rob
> # AuthLDAPURL
> ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com
> AuthLDAPBindDN
> uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
> AuthLDAPBindPassword
>
> Require ldap-group ipausers
> # Require ldap-group
> AuthLDAPGroupAttributeIsDN off
>
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
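The behaviour described in this thread, as an added example that is not part of the original posts: a small Python model of a scope=sub search over the two entries from the ldapsearch output, showing that the broad base dc=ipa,... returns both the compat and the accounts entry (which mod_authnz_ldap reports as "User is not unique"), while either narrowing the base to cn=users,cn=accounts,... or adding an objectClass filter, the two fixes suggested in the reply, yields exactly one match. The LDIF is constructed from the thread with unneeded attributes dropped; parse_ldif, subtree_search and authnz_ldap_outcome are hypothetical helpers, not FreeIPA or Apache code.

```python
# Constructed from the two entries in the ldapsearch output above; attributes
# not needed for the demonstration are omitted.
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: posixAccount
objectClass: ipaOverrideTarget
uid: testuser

dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: inetorgperson
objectClass: posixaccount
uid: testuser
"""

def parse_ldif(text):
    """Parse the simple LDIF above into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def subtree_search(entries, base, uid, objectclass=None):
    """Model a scope=sub search: entry must sit under base and match the filter."""
    hits, base = [], base.lower()
    for e in entries:
        dn = e["dn"][0]
        if dn.lower() != base and not dn.lower().endswith("," + base):
            continue  # outside the search base
        if uid not in e.get("uid", []):
            continue  # fails the (uid=...) filter
        classes = [v.lower() for v in e.get("objectclass", [])]
        if objectclass and objectclass.lower() not in classes:
            continue  # fails the (objectClass=...) filter
        hits.append(dn)
    return hits

def authnz_ldap_outcome(hits):
    """Map the hit count to mod_authnz_ldap's behaviour (message text from the thread)."""
    if len(hits) > 1:
        return "User is not unique (search found two or more matches)"
    return "ok" if hits else "user not found"
```

The equivalent Apache setting is AuthLDAPURL with the base cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com, or the original base with a filter such as (objectClass=inetOrgPerson) appended to the URL.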