[Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map
Alexander Bokovoy
abokovoy at redhat.com
Mon Aug 8 14:20:52 UTC 2016
On Mon, 08 Aug 2016, thierry bordaz wrote:
>
>
>On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
>>On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
>>>On (08/08/16 11:35), Alexander Bokovoy wrote:
>>>>On Mon, 08 Aug 2016, Martin Basti wrote:
>>>>>
>>>>>
>>>>>On 08.08.2016 09:34, Alexander Bokovoy wrote:
>>>>>> When SSSD resolves AD users on behalf of slapi-nis, it can
>>>>>accept any
>>>>>> user identifier, including user principal name (UPN) which may be
>>>>>> different than the canonical user name which SSSD returns.
>>>>>>
>>>>>> As result, the entry created by slapi-nis will be using
>>>>>canonical user
>>>>>> name but the filter for search will refer to the original (aliased)
>>>>>> name. The search will not match the newly created entry.
>>>>>>
>>>>>> The issue is fixed in slapi-nis-0.56.1 by returning two values for
>>>>>> 'uid' attribute: the canonical one and the aliased one. This way the
>>>>>> search will match.
>>>>>>
>>>>>> Standard LDAP schema allows multiple values for 'uid' attribute. We
>>>>>> actually use the same trick for 'cn' attribute in the groups map
>>>>>> already.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/6138
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>Hello,
>>>>>
>>>>>should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
>>>>No, this is not required. In Fedora we'll submit a combined update --
>>>>I've built slapi-nis-0.56.1-1 packages for f24, f25, and rawhide
>>>>already
>>>>but did not submit a Bodhi request.
>>>>
>>>How is combined updated related to requires to slapi-nis-0.56.1?
>>>It will not prevent tu update freeipa without new slapi-nis.
>>>
>>>e.g.
>>> dnf update freeipa-server.
>>An update file in FreeIPA that is proposed by this patch does not affect
>>operation of the older slapi-nis deployment once update is applied.
>>
>
>Hi,
>
>Is '%first' returning the first value of the attribute 'uid' ?
>If there are several values (canonical, alias,... ), does the order
>matters ?
We insert the canonical one first and it seems that 389-ds does not
change the order, at least in my tests. You can see the output in the
bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list