[Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

Alexander Bokovoy abokovoy at redhat.com
Wed Aug 10 10:51:31 UTC 2016


On Wed, 10 Aug 2016, Alexander Bokovoy wrote:
>On Wed, 10 Aug 2016, thierry bordaz wrote:
>>
>>
>>On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:
>>>On Tue, 09 Aug 2016, thierry bordaz wrote:
>>>>
>>>>
>>>>On 08/09/2016 12:49 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>>On 08.08.2016 17:30, thierry bordaz wrote:
>>>>>>
>>>>>>
>>>>>>On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:
>>>>>>>On Mon, 08 Aug 2016, thierry bordaz wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:
>>>>>>>>>On Mon, 08 Aug 2016, thierry bordaz wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
>>>>>>>>>>>On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
>>>>>>>>>>>>On (08/08/16 11:35), Alexander Bokovoy wrote:
>>>>>>>>>>>>>On Mon, 08 Aug 2016, Martin Basti wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>On 08.08.2016 09:34, Alexander Bokovoy wrote:
>>>>>>>>>>>>>>>When SSSD resolves AD users on behalf of slapi-nis, it can
>>>>>>>>>>>>>>>accept any user identifier, including user principal name
>>>>>>>>>>>>>>>(UPN) which may be different from the canonical user name
>>>>>>>>>>>>>>>which SSSD returns.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>As a result, the entry created by slapi-nis will be using
>>>>>>>>>>>>>>>the canonical user name but the filter for search will refer
>>>>>>>>>>>>>>>to the original (aliased) name. The search will not match
>>>>>>>>>>>>>>>the newly created entry.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>The issue is fixed in slapi-nis-0.56.1 by returning two
>>>>>>>>>>>>>>>values for the 'uid' attribute: the canonical one and the
>>>>>>>>>>>>>>>aliased one. This way the search will match.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>Standard LDAP schema allows multiple values for the 'uid'
>>>>>>>>>>>>>>>attribute. We actually use the same trick for the 'cn'
>>>>>>>>>>>>>>>attribute in the groups map already.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>https://fedorahosted.org/freeipa/ticket/6138
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
>>>>>>>>>>>>>No, this is not required. In Fedora we'll submit a combined
>>>>>>>>>>>>>update -- I've built slapi-nis-0.56.1-1 packages for f24, f25,
>>>>>>>>>>>>>and rawhide already but did not submit a Bodhi request.
>>>>>>>>>>>>>
>>>>>>>>>>>>How is a combined update related to requiring slapi-nis-0.56.1?
>>>>>>>>>>>>It will not prevent updating freeipa without the new slapi-nis.
>>>>>>>>>>>>
>>>>>>>>>>>>e.g.
>>>>>>>>>>>>dnf update freeipa-server.
>>>>>>>>>>>An update file in FreeIPA that is proposed by this patch does not
>>>>>>>>>>>affect operation of the older slapi-nis deployment once the update
>>>>>>>>>>>is applied.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>Hi,
>>>>>>>>>>
>>>>>>>>>>Is '%first' returning the first value of the attribute 'uid'?
>>>>>>>>>>If there are several values (canonical, alias, ...), does the order
>>>>>>>>>>matter?
>>>>>>>>>We insert the canonical one first and it seems that 389-ds does not
>>>>>>>>>change the order, at least in my tests. You can see the output in
>>>>>>>>>the bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2
>>>>>>>>
>>>>>>>>From the LDAP PoV (https://tools.ietf.org/html/rfc4511#section-4.1.7)
>>>>>>>>the order of the values is not preserved.
>>>>>>>>I think it is a bit risky to rely on a specific order, especially
>>>>>>>>with complex updates (adding several values in a single mod, replace)
>>>>>>>>and replication.
>>>>>>>>Would it help to add the canonical value with a subtype
>>>>>>>>(e.g. 'uid;canonical: <value>')?
>>>>>>>Not sure how what you mention is relevant here. We talk about
>>>>>>>slapi-nis map cache entries which are not modified, replaced or
>>>>>>>replicated anywhere by anything other than slapi-nis itself. When
>>>>>>>entries are changed by slapi-nis, they are regenerated from scratch.
>>>>>>>
>>>>>>>Your worries do not apply here.
>>>>>>ok.
>>>>>>I understand my mistake, I was thinking the compat entry had an
>>>>>>associated real entry in LDAP and this real entry had two uid values.
>>>>>>
>>>>>
>>>>>So, could you provide ack thierry?
>>>>>
>>>>>Martin
>>>>
>>>>Sure but I would have to test first :-)
>>>>
>>>>Alexander, how can I test this?
>>>slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
>>>http://koji.fedoraproject.org/koji/packageinfo?packageID=6609
>>
>>Thanks Alexander. So to test this change, is there another (simpler)
>>way than setting up AD/trust?
>I don't think so. We don't have UPNs in FreeIPA on the level of identity
>lookups and we don't allow looking up an identity by email, so you are left
>with using a proper AD trust and UPN suffixes in the AD forest.
Attached is an updated patch that adds a versioned require of slapi-nis
which supports the feature.


-- 
/ Alexander Bokovoy
-------------- next part --------------
From 4a75c02c66e2ecacb0cb3b6e8c2255805e9f68b5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 4 Aug 2016 09:58:50 +0300
Subject: [PATCH 2/5] support multiple uid values in schema compatibility tree

---
 freeipa.spec.in                         | 4 +++-
 install/updates/10-schema_compat.update | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 78ab8ca..c8146e1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,9 +12,11 @@
 %if 0%{?rhel}
 %global samba_version 4.0.5-1
 %global selinux_policy_version 3.12.1-153
+%global slapi_nis_version 0.56.0-4
 %else
 %global samba_version 2:4.0.5-1
 %global selinux_policy_version 3.13.1-158.4
+%global slapi_nis_version 0.56.1
 %endif
 
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
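Review bot: the RHEL branch pins `slapi_nis_version` to `0.56.0-4` while the cover mail states the multi-value uid fix landed in slapi-nis 0.56.1, so on RHEL the new Requires can be satisfied by a slapi-nis that predates 0.56.1 unless 0.56.0-4 is a build carrying the same fix; a short comment above the `%if 0%{?rhel}` line naming the backport or bug that 0.56.0-4 corresponds to would make that pairing checkable in review.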
@@ -157,7 +159,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.56.0
+Requires: slapi-nis >= %{slapi_nis_version}
 Requires: pki-ca >= 10.3.3-3
 Requires: pki-kra >= 10.3.3-3
 Requires(preun): python systemd-units
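Review bot: `Requires: slapi-nis >= %{slapi_nis_version}` compares against an epoch-less value in both branches, whereas `samba_version` in the same spec carries an explicit `2:` epoch on Fedora; please confirm slapi-nis has no Epoch in either distribution, since a `>=` against a bare `0.56.1` would otherwise be satisfied by any epoch-bearing build. The versioned Requires does answer the earlier objection that `dnf update freeipa-server` could apply the new update file without pulling in the matching slapi-nis.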
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index e4c257d..fbe8703 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -87,3 +87,7 @@ add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectc
 add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
 add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
 add:schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: uid=%{uid}
+replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")
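Review bot: `replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")` only takes effect when the current RDN value is exactly `uid=%{uid}`; on a server where the users map RDN was customised the `add:` of the second uid value still applies but the RDN is left untouched. A comment in the update file stating that the RDN must be the single canonical value, and that this relies on slapi-nis emitting the canonical name first (the thread's answer to the ordering question), would document the assumption for the next person touching this map.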
-- 
2.7.4
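An added example (not code from the patch, FreeIPA or slapi-nis) modelling the lookup mismatch described at the top of the thread and the `%first("%{uid}")` RDN rule from the update file; the user names, DN suffix and the in-memory entry/filter model are constructed here.

```python
"""Model of the slapi-nis users-map lookup discussed in the thread.

Added example, not code from FreeIPA or slapi-nis.  The user names, the DN
suffix and the in-memory entry/filter model below are constructed to show why
a UPN lookup misses an entry keyed by the canonical name, and why returning a
second 'uid' value (slapi-nis 0.56.1) makes the original filter match.
"""

CANONICAL = "jdoe"                    # constructed: name SSSD returns
UPN_ALIAS = "john.doe@corp.example"   # constructed: name the client searched for
SUFFIX = "cn=users,cn=compat,dc=example,dc=test"   # constructed


def compat_entry(lookup_name, canonical, multi_uid):
    """Build the entry slapi-nis would generate for one lookup.

    multi_uid=False: pre-0.56.1 behaviour, only the canonical name in 'uid'.
    multi_uid=True:  canonical first, then the name the lookup used, as the
                     thread describes (order is what slapi-nis inserts).
    """
    uids = [canonical]
    if multi_uid and lookup_name.lower() != canonical.lower():
        uids.append(lookup_name)
    # %first("%{uid}") in the update file: the RDN takes the first uid value,
    # so the RDN stays the canonical name only while that ordering holds.
    return {"dn": "uid=%s,%s" % (uids[0], SUFFIX), "uid": uids}


def matches_equality_filter(entry, attr, value):
    """(attr=value) is true when ANY value of the attribute matches; 'uid'
    uses caseIgnoreMatch in standard schema, hence the case-insensitive compare."""
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def lookup(lookup_name, canonical, multi_uid):
    """Generate the entry for the lookup, then evaluate the client's original
    filter (uid=<lookup_name>) against it.  Returns (matched, entry DN)."""
    entry = compat_entry(lookup_name, canonical, multi_uid)
    return matches_equality_filter(entry, "uid", lookup_name), entry["dn"]


if __name__ == "__main__":
    # Old plugin: entry is created but the search by UPN does not find it.
    print(lookup(UPN_ALIAS, CANONICAL, multi_uid=False))
    # Fixed plugin: second uid value makes the same filter match; RDN unchanged.
    print(lookup(UPN_ALIAS, CANONICAL, multi_uid=True))
```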


