[Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map

thierry bordaz tbordaz at redhat.com
Mon Aug 8 13:58:41 UTC 2016



On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
> On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
>> On (08/08/16 11:35), Alexander Bokovoy wrote:
>>> On Mon, 08 Aug 2016, Martin Basti wrote:
>>>>
>>>>
>>>> On 08.08.2016 09:34, Alexander Bokovoy wrote:
>>>> > When SSSD resolves AD users on behalf of slapi-nis, it can accept any
>>>> > user identifier, including user principal name (UPN) which may be
>>>> > different than the canonical user name which SSSD returns.
>>>> >
>>>> > As a result, the entry created by slapi-nis will be using canonical user
>>>> > name but the filter for search will refer to the original (aliased)
>>>> > name. The search will not match the newly created entry.
>>>> >
>>>> > The issue is fixed in slapi-nis-0.56.1 by returning two values for
>>>> > 'uid' attribute: the canonical one and the aliased one. This way the
>>>> > search will match.
>>>> >
>>>> > Standard LDAP schema allows multiple values for 'uid' attribute. We
>>>> > actually use the same trick for 'cn' attribute in the groups map
>>>> > already.
>>>> >
>>>> > https://fedorahosted.org/freeipa/ticket/6138
>>>> >
>>>> >
>>>> >
>>>> >
>>>> Hello,
>>>>
>>>> should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
>>> No, this is not required. In Fedora we'll submit a combined update --
>>> I've built slapi-nis-0.56.1-1 packages for f24, f25, and rawhide already
>>> but did not submit a Bodhi request.
>>>
>> How is combined update related to requires to slapi-nis-0.56.1?
>> It will not prevent to update freeipa without new slapi-nis.
>>
>> e.g.
>>  dnf update freeipa-server.
> An update file in FreeIPA that is proposed by this patch does not affect
> operation of the older slapi-nis deployment once update is applied.
>

Hi,

Is '%first' returning the first value of the attribute 'uid'?
If there are several values (canonical, alias, ...), does the order matter?

thanks
thierry
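
The lookup mismatch described in the quoted patch description, as an added example that is not part of this thread or of slapi-nis: a small matcher for a subset of RFC 4515 filters, run against a constructed compat entry with one and with two 'uid' values. The user names, the objectClass clause in the filter and every function name are assumptions made for illustration.

```python
# Constructed names: the canonical name SSSD returns and the UPN alias asked for.
CANONICAL = "jsmith@ad.example"
UPN = "john.smith@corp.example"

def parse(f):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value)."""
    def node(i):
        if f[i] != "(":
            raise ValueError("filter component must start with '('")
        op = f[i + 1]
        if op in "&|":
            kids, i = [], i + 2
            while f[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        if op == "!":
            kid, i = node(i + 2)
            return ("!", [kid]), i + 1
        end = f.index(")", i)
        attr, value = f[i + 1:end].split("=", 1)
        return ("=", attr.lower(), value), end + 1
    tree, end = node(0)
    if end != len(f):
        raise ValueError("trailing characters after filter")
    return tree

def matches(entry, tree):
    """Evaluate a parsed filter against an entry (dict: lower-case attr -> values)."""
    if tree[0] == "=":
        _, attr, value = tree
        # Equality is true if ANY value matches; compared case-insensitively here.
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    results = [matches(entry, kid) for kid in tree[1]]
    if tree[0] == "!":
        return not results[0]
    return all(results) if tree[0] == "&" else any(results)

def compat_entry(canonical, requested, multi_uid):
    """Entry built after the lookup; multi_uid=True models the two-valued 'uid'."""
    uids = [canonical]
    if multi_uid and requested.lower() != canonical.lower():
        uids.append(requested)
    return {"objectclass": ["posixAccount"], "uid": uids}

def lookup(requested, canonical, multi_uid):
    """Does the original search filter match the entry created for it?"""
    flt = "(&(objectClass=posixAccount)(uid=%s))" % requested
    return matches(compat_entry(canonical, requested, multi_uid), parse(flt))
```

`lookup(UPN, CANONICAL, False)` misses because the entry carries only the canonical name, while `lookup(UPN, CANONICAL, True)` matches on the second value.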



