[Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map
Alexander Bokovoy
abokovoy at redhat.com
Tue Aug 9 11:38:03 UTC 2016
On Tue, 09 Aug 2016, thierry bordaz wrote:
>
>
>On 08/09/2016 12:49 PM, Martin Basti wrote:
>>
>>
>>On 08.08.2016 17:30, thierry bordaz wrote:
>>>
>>>
>>>On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:
>>>>On Mon, 08 Aug 2016, thierry bordaz wrote:
>>>>>
>>>>>
>>>>>On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:
>>>>>>On Mon, 08 Aug 2016, thierry bordaz wrote:
>>>>>>>
>>>>>>>
>>>>>>>On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
>>>>>>>>On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
>>>>>>>>>On (08/08/16 11:35), Alexander Bokovoy wrote:
>>>>>>>>>>On Mon, 08 Aug 2016, Martin Basti wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>On 08.08.2016 09:34, Alexander Bokovoy wrote:
>>>>>>>>>>>>When SSSD resolves AD users on behalf of slapi-nis, it can
>>>>>>>>>>>accept any
>>>>>>>>>>>>user identifier, including user principal name
>>>>>>>>>>>>(UPN) which may be
>>>>>>>>>>>>different than the canonical user name which SSSD returns.
>>>>>>>>>>>>
>>>>>>>>>>>>As result, the entry created by slapi-nis will be using
>>>>>>>>>>>canonical user
>>>>>>>>>>>>name but the filter for search will refer to the
>>>>>>>>>>>>original (aliased)
>>>>>>>>>>>>name. The search will not match the newly created entry.
>>>>>>>>>>>>
>>>>>>>>>>>>The issue is fixed in slapi-nis-0.56.1 by
>>>>>>>>>>>>returning two values for
>>>>>>>>>>>>'uid' attribute: the canonical one and the
>>>>>>>>>>>>aliased one. This way the
>>>>>>>>>>>>search will match.
>>>>>>>>>>>>
>>>>>>>>>>>>Standard LDAP schema allows multiple values for
>>>>>>>>>>>>'uid' attribute. We
>>>>>>>>>>>>actually use the same trick for 'cn' attribute
>>>>>>>>>>>>in the groups map
>>>>>>>>>>>>already.
>>>>>>>>>>>>
>>>>>>>>>>>>https://fedorahosted.org/freeipa/ticket/6138
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>Hello,
>>>>>>>>>>>
>>>>>>>>>>>should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
>>>>>>>>>>No, this is not required. In Fedora we'll submit a
>>>>>>>>>>combined update --
>>>>>>>>>>I've built slapi-nis-0.56.1-1 packages for f24, f25,
>>>>>>>>>>and rawhide already
>>>>>>>>>>but did not submit a Bodhi request.
>>>>>>>>>>
>>>>>>>>>How is combined updated related to requires to slapi-nis-0.56.1?
>>>>>>>>>It will not prevent tu update freeipa without new slapi-nis.
>>>>>>>>>
>>>>>>>>>e.g.
>>>>>>>>>dnf update freeipa-server.
>>>>>>>>An update file in FreeIPA that is proposed by this patch
>>>>>>>>does not affect
>>>>>>>>operation of the older slapi-nis deployment once update is applied.
>>>>>>>>
>>>>>>>
>>>>>>>Hi,
>>>>>>>
>>>>>>>Is '%first' returning the first value of the attribute 'uid' ?
>>>>>>>If there are several values (canonical, alias,... ), does
>>>>>>>the order matters ?
>>>>>>We insert the canonical one first and it seems that 389-ds does not
>>>>>>change the order, at least in my tests. You can see the output in the
>>>>>>bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2
>>>>>
>>>>>From ldap pov
>>>>>(https://tools.ietf.org/html/rfc4511#section-4.1.7) the order
>>>>>of the values is not preserved.
>>>>>I think it is a bit risky to rely on a specific order
>>>>>especially with complex updates (adding several values in a
>>>>>single mod, replace) and replication.
>>>>>would it help to add canonical value with a subtype (e.g.
>>>>>'uid;canonical: <value>') ?
>>>>Not sure how what you are mention is relevant here. We talk about
>>>>slapi-nis map cache entries which are not modified, replaced or
>>>>replicated anywhere by anything other than slapi-nis itself. When
>>>>entries are changed by slapi-nis, they are regenerated from scratch.
>>>>
>>>>Your worries do not apply here.
>>>ok.
>>>I understand my mistake, I was thinking the compat entry had a
>>>associated real entry in ldap and this real entry had two uid
>>>values.
>>>
>>
>>So, could you provide ack thierry?
>>
>>Martin
>
>Sure but I would have to test first :-)
>
>Alexander, how can I test this ?
slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
http://koji.fedoraproject.org/koji/packageinfo?packageID=6609
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list