[Freeipa-users] FreeIPA mail object to use in 3rd party tool

Alexander Bokovoy abokovoy at redhat.com
Sun Jun 28 13:25:01 UTC 2015


On Thu, 18 Jun 2015, Markus.Moj at mc.ingenico.com wrote:
>Hi @all,
>
>I am new to freeIPA operating and am facing an issue with the mail object
>in freeIPA. We are running Jira from Atlassian and are trying to
>authenticate against freeIPA. The authentication process is running, but
>the mail object is not provided by freeIPA to Jira to inform users about
>new events / trackers or whatsoever. If a test object is displayed with
>ldapsearch, the mail attribute is available and set but is not usable by
>Jira.
>
>How is it possible to inherit mail accounts in Jira to be able to
>authenticate and use FreeIPA as IDM for Jira as well as for Linux
>systems?
This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your
basedn when configuring Jira. If that's the case, then Jira gets results
from both cn=accounts,$SUFFIX and cn=compat,$SUFFIX if the compat tree is
enabled. In the compat tree you have the RFC2307 schema, which doesn't
include the mail attribute, and slapi-nis always answers first over LDAP
queries that apply to cn=compat,$SUFFIX, so you are ending up with two
LDAP entries returned for each individual IPA user: one from the compat
tree without the mail attribute, the other the original entry from
cn=users,cn=accounts,$SUFFIX.

Jira most likely expects a single entry response and, if it gets more, only
evaluates the first entry -- the one that is returned by the compat tree
and which doesn't have the mail attribute.

You can solve this issue by bounding your query to cn=accounts,$SUFFIX
to only return primary IPA user/group entries.

-- 
/ Alexander Bokovoy
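
Added example (not part of the original message and not FreeIPA or Jira code): a small Python check that takes LDIF in the form ldapsearch prints and shows how many entries a uid search returns under each base DN, and which mail value a client that reads only the first entry would get. The sample LDIF, the user jdoe and all function names are constructed for illustration.

```python
# Constructed sample: one IPA user as seen from $SUFFIX with the compat tree
# enabled. The compat entry is listed first, as described in the reply above.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=com
objectClass: posixAccount
uid: jdoe

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
mail: jdoe@example.com
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values) into a list of (dn, attrs) tuples."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold continuation lines
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key.lower(), []).append(value)
        if dn:  # blocks without a dn (comments, search result trailer) are skipped
            entries.append((dn, attrs))
    return entries

def in_subtree(dn, base):
    """True if dn equals base or sits below it (crude case/space normalization)."""
    dn, base = dn.lower().replace(" ", ""), base.lower().replace(" ", "")
    return dn == base or dn.endswith("," + base)

def search(entries, base, uid):
    """Emulate a subtree search for (uid=<uid>) under base, keeping entry order."""
    return [(dn, a) for dn, a in entries if in_subtree(dn, base) and uid in a.get("uid", [])]

def first_mail(entries, base, uid):
    """The 'mail' value seen by a client that evaluates only the first entry."""
    hits = search(entries, base, uid)
    return hits[0][1].get("mail", [None])[0] if hits else None

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for base in ("dc=example,dc=com", "cn=accounts,dc=example,dc=com"):
        hits = search(entries, base, "jdoe")
        print(base, "->", len(hits), "entries, first mail:", first_mail(entries, base, "jdoe"))
```

Two entries for one uid under $SUFFIX, with the first lacking mail, is the situation described above; one entry under cn=accounts,$SUFFIX is the expected result after changing the base DN.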