Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1361119 - UPN-based search for AD users does not match an entry in slapi-nis map cache
Summary: UPN-based search for AD users does not match an entry in slapi-nis map cache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks: 1361123
TreeView+ depends on / blocked
 
Reported: 2016-07-28 11:27 UTC by Alexander Bokovoy
Modified: 2016-11-04 05:59 UTC (History)
7 users (show)

Fixed In Version: ipa-4.4.0-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1361123 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:59:32 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Alexander Bokovoy 2016-07-28 11:27:06 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6138



When SSSD resolves AD users on behalf of slapi-nis, it can accept any user identifier, including user principal name (UPN) which may be different than the canonical user name which SSSD returns.

As result, the entry created by slapi-nis will be using canonical user name but the filter for search will refer to the original (aliased) name. The search will not match the newly created entry.

The issue can be fixed by returning two values for 'uid' attribute: the canonical one and the aliased one. This way the search will match. This is what ticket https://fedorahosted.org/slapi-nis/ticket/12 will do on slapi-nis side.

On FreeIPA side an update is needed to cn=users,cn=compat,$suffix definition to allow multiple 'uid' values because RDN generation function expects a single value of 'uid' attribute.

A change is to add explicit 'uid' attribute generation and change rdn processing to use %first() function:
{{{
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
cn: users
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=ipa,dc=ad,dc=test
schema-compat-container-rdn: cn=users
schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:ipa.ad.test:%{ipauniqueid}","")
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
schema-compat-entry-attribute: loginShell=%{loginShell}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
schema-compat-entry-attribute: uid=%{uid}
schema-compat-entry-rdn: uid=%first("%{uid}")
schema-compat-ignore-subtree: cn=dna,cn=ipa,cn=etc,$SUFFIX
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: $SUFFIX
schema-compat-search-base: cn=users, cn=accounts, $SUFFIX
schema-compat-search-filter: objectclass=posixAccount
schema-compat-lookup-nsswitch: user
}}}

Comment 2 Sudhir Menon 2016-08-23 11:31:07 UTC
Fix is seen. Verified on RHEL7.3 using

ipa-server-4.4.0-8.el7.x86_64
sssd-1.14.0-27.el7.x86_64
slapi-nis-0.56.0-4.el7.x86_64

[root@client sssd]# id test2@pne.qe
uid=558001486(test2@pne.qe) gid=558001486(test2@pne.qe) groups=558001486(test2@pne.qe),558000513(domain users@pne.qe),558001488(sales@pne.qe)

[root@client sssd]# id test2@qa.io
uid=558001486(test2@pne.qe) gid=558001486(test2@pne.qe) groups=558001486(test2@pne.qe),558000513(domain users@pne.qe),558001488(sales@pne.qe)
------------------------------------------
[root@client sssd]# getent passwd test2@qa.io
test2@pne.qe:*:558001486:558001486:test2:/home/pne.qe/test2:

[root@client sssd]# getent passwd test2@pne.qe
test2@pne.qe:*:558001486:558001486:test2:/home/pne.qe/test2:
-------------------------------
[root@ipaserver sssd]# ldapsearch -Y GSSAPI -b cn=compat,dc=redlabs,dc=qe '(&(objectclass=posixaccount)(uid=test2@qa.io))'
SASL/GSSAPI authentication started
SASL username: admin@REDLABS.QE
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=redlabs,dc=qe> with scope subtree
# filter: (&(objectclass=posixaccount)(uid=test2@qa.io))
# requesting: ALL
#

# test2@pne.qe, users, compat, redlabs.qe
dn: uid=test2@pne.qe,cn=users,cn=compat,dc=redlabs,dc=qe
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: test2
gidNumber: 558001486
gecos: test2
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0zOTEyNzE5NTIxLTE5Njc1OTAzNjAtMTEzNjIyNjUyNC
 0xNDg2
uidNumber: 558001486
homeDirectory: /home/pne.qe/test2
uid: test2@pne.qe
uid: test2@qa.io

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Comment 3 Martin Bašti 2016-08-25 08:36:38 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/fab1f798ed6dfdb0b7de7c4fc4fe353f1d97177b

Comment 5 Sudhir Menon 2016-09-15 09:26:26 UTC
Marking the bug verified as per comment2.

Comment 7 errata-xmlrpc 2016-11-04 05:59:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html


Note You need to log in before you can comment on or make changes to this bug.