<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 08.08.2016 09:34, Alexander Bokovoy
wrote:<br>
</div>
<blockquote cite="mid:20160808073457.vrcrunrodu5px433@redhat.com"
type="cite">When SSSD resolves AD users on behalf of slapi-nis, it
can accept any
<br>
user identifier, including user principal name (UPN) which may be
<br>
different than the canonical user name which SSSD returns.
<br>
<br>
As result, the entry created by slapi-nis will be using canonical
user
<br>
name but the filter for search will refer to the original
(aliased)
<br>
name. The search will not match the newly created entry.
<br>
<br>
The issue is fixed in slapi-nis-0.56.1 by returning two values
for
<br>
'uid' attribute: the canonical one and the aliased one. This way
the
<br>
search will match.
<br>
<br>
Standard LDAP schema allows multiple values for 'uid' attribute.
We
<br>
actually use the same trick for 'cn' attribute in the groups map
<br>
already.
<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/6138">https://fedorahosted.org/freeipa/ticket/6138</a>
<br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Hello, <br>
<br>
should we bump requires to slapi-nis-0.56.1 in freeipa.spec?<br>
<br>
Martin^2<br>
</body>
</html>