[Freeipa-devel] [PATCH 0213] support multiple uid values in slapi-nis users map
thierry bordaz
tbordaz at redhat.com
Wed Aug 10 06:46:49 UTC 2016
On 08/09/2016 01:38 PM, Alexander Bokovoy wrote:
> On Tue, 09 Aug 2016, thierry bordaz wrote:
>>
>>
>> On 08/09/2016 12:49 PM, Martin Basti wrote:
>>>
>>>
>>> On 08.08.2016 17:30, thierry bordaz wrote:
>>>>
>>>>
>>>> On 08/08/2016 05:20 PM, Alexander Bokovoy wrote:
>>>>> On Mon, 08 Aug 2016, thierry bordaz wrote:
>>>>>>
>>>>>>
>>>>>> On 08/08/2016 04:20 PM, Alexander Bokovoy wrote:
>>>>>>> On Mon, 08 Aug 2016, thierry bordaz wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
>>>>>>>>> On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
>>>>>>>>>> On (08/08/16 11:35), Alexander Bokovoy wrote:
>>>>>>>>>>> On Mon, 08 Aug 2016, Martin Basti wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 08.08.2016 09:34, Alexander Bokovoy wrote:
>>>>>>>>>>>>> When SSSD resolves AD users on behalf of slapi-nis, it can
>>>>>>>>>>>> accept any
>>>>>>>>>>>>> user identifier, including user principal name (UPN) which
>>>>>>>>>>>>> may be
>>>>>>>>>>>>> different than the canonical user name which SSSD returns.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As result, the entry created by slapi-nis will be using
>>>>>>>>>>>> canonical user
>>>>>>>>>>>>> name but the filter for search will refer to the original
>>>>>>>>>>>>> (aliased)
>>>>>>>>>>>>> name. The search will not match the newly created entry.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The issue is fixed in slapi-nis-0.56.1 by returning two
>>>>>>>>>>>>> values for
>>>>>>>>>>>>> 'uid' attribute: the canonical one and the aliased one.
>>>>>>>>>>>>> This way the
>>>>>>>>>>>>> search will match.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Standard LDAP schema allows multiple values for 'uid'
>>>>>>>>>>>>> attribute. We
>>>>>>>>>>>>> actually use the same trick for 'cn' attribute in the
>>>>>>>>>>>>> groups map
>>>>>>>>>>>>> already.
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/6138
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
>>>>>>>>>>> No, this is not required. In Fedora we'll submit a combined
>>>>>>>>>>> update --
>>>>>>>>>>> I've built slapi-nis-0.56.1-1 packages for f24, f25, and
>>>>>>>>>>> rawhide already
>>>>>>>>>>> but did not submit a Bodhi request.
>>>>>>>>>>>
>>>>>>>>>> How is combined updated related to requires to slapi-nis-0.56.1?
>>>>>>>>>> It will not prevent tu update freeipa without new slapi-nis.
>>>>>>>>>>
>>>>>>>>>> e.g.
>>>>>>>>>> dnf update freeipa-server.
>>>>>>>>> An update file in FreeIPA that is proposed by this patch does
>>>>>>>>> not affect
>>>>>>>>> operation of the older slapi-nis deployment once update is
>>>>>>>>> applied.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Is '%first' returning the first value of the attribute 'uid' ?
>>>>>>>> If there are several values (canonical, alias,... ), does the
>>>>>>>> order matters ?
>>>>>>> We insert the canonical one first and it seems that 389-ds does not
>>>>>>> change the order, at least in my tests. You can see the output
>>>>>>> in the
>>>>>>> bug https://bugzilla.redhat.com/show_bug.cgi?id=1361123#c2
>>>>>>
>>>>>> From ldap pov (https://tools.ietf.org/html/rfc4511#section-4.1.7)
>>>>>> the order of the values is not preserved.
>>>>>> I think it is a bit risky to rely on a specific order especially
>>>>>> with complex updates (adding several values in a single mod,
>>>>>> replace) and replication.
>>>>>> would it help to add canonical value with a subtype (e.g.
>>>>>> 'uid;canonical: <value>') ?
>>>>> Not sure how what you are mention is relevant here. We talk about
>>>>> slapi-nis map cache entries which are not modified, replaced or
>>>>> replicated anywhere by anything other than slapi-nis itself. When
>>>>> entries are changed by slapi-nis, they are regenerated from scratch.
>>>>>
>>>>> Your worries do not apply here.
>>>> ok.
>>>> I understand my mistake, I was thinking the compat entry had a
>>>> associated real entry in ldap and this real entry had two uid values.
>>>>
>>>
>>> So, could you provide ack thierry?
>>>
>>> Martin
>>
>> Sure but I would have to test first :-)
>>
>> Alexander, how can I test this ?
> slapi-nis 0.56.1-1 packages are available in koji for f24-f26:
> http://koji.fedoraproject.org/koji/packageinfo?packageID=6609
Thanks Alexander. So to test this change is there an other way (simpler)
than setting up AD/trust ?
More information about the Freeipa-devel
mailing list