[Freeipa-users] Katello IPA auth and Cross realm trust.

wouter.hummelink at kpn.com wouter.hummelink at kpn.com
Wed Feb 22 12:03:58 UTC 2017


Hello all,

I'm trying to get IPA auth on Katello to work properly, however the infopipe is unable to access the right information without additional configuration.
With these changes I got the infopipe to work, but then user logins started to fail due to invalid user errors.

I've added the following to the domain/xxx section on the katello server

[domain/XXX]
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[ifp]

allowed_uids=apache, root
user_attributes=+email, +firstname, +lastname


And on the ipa server:
[nss]
user_attributes=+mail, +sn, +givenname

[domain/XXX]
ldap_user_extra_attrs=mail, sn, givenname

However, the suggested change on the IPA server (from the satellite installation guide) results in user lookup failures on client systems (not exclusive to the katello host)

# id user at TRUSTED.DOMAIN
id: user at TRUSTED.DOMAIN: no such user

SSSD logs do reveal a hint about what's going on:
[filtered for brevity, modified for privacy]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=user at TRUSTED.DOMAIN)(mail=user at TRUSTED.DOMAIN)(krbPrincipalName=user\\@TRUSTED.DOMAIN at IPA.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=linux,dc=infra,dc=local].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] (0x4000): Email [sander.lambrechts at kpn.com] is not from domain [TRUSTED.DOMAIN].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] (0x4000): Email [sander.lambrechts at kpn.com] is not from domain [TRUSTED.DOMAIN].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': value #1 on 'name=user at TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more than once]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': value #1 on 'name=user at TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more than once]

Am I running into a bug or have I misconfigured this somewhere?

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting
T: +31-6-12882447
E: wouter.hummelink at kpn.com
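
The log excerpt above shows `mail` being requested as an extra attribute several times and the sysdb update then rejecting a duplicate `mail` value. As an added diagnostic (not from the message above and not part of SSSD or Katello), this script parses sssd.conf fragments and flags any `ldap_user_extra_attrs` entry that names an LDAP attribute SSSD already fetches through one of its default user attribute mappings, or that is listed twice; the mapping table is my assumption based on the sssd-ldap(5) defaults, and the two sample fragments are constructed from the configuration quoted in the message.

```python
import configparser
# Assumption: default LDAP attribute behind each SSSD option, as listed in
# sssd-ldap(5); verify against the man page of your SSSD version.
DEFAULT_ATTR_OPTIONS = {
    "mail": "ldap_user_email",
    "uid": "ldap_user_name",
    "krbprincipalname": "ldap_user_principal",
}
# Constructed samples: the two fragments quoted in the message above.
KATELLO_CONF = """[domain/XXX]
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname
"""
IPA_SERVER_CONF = """[nss]
user_attributes=+mail, +sn, +givenname

[domain/XXX]
ldap_user_extra_attrs=mail, sn, givenname
"""

def parse_extra_attrs(value):
    """Split 'email:mail, sn' into (sysdb_name, ldap_attr) pairs."""
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, attr = item.partition(":")  # bare 'sn' means sn:sn
        pairs.append((name.strip(), (attr or name).strip()))
    return pairs

def check_extra_attrs(conf_text):
    """Return (section, ldap_attr, reason) for every suspicious extra attr."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        seen = set()
        extra = cp.get(section, "ldap_user_extra_attrs", fallback="")
        for _name, attr in parse_extra_attrs(extra):
            key = attr.lower()
            if key in seen:
                findings.append((section, attr, "listed more than once"))
            seen.add(key)
            option = DEFAULT_ATTR_OPTIONS.get(key)
            # Collision only if that option still resolves to this attribute.
            if option and cp.get(section, option, fallback=key).lower() == key:
                findings.append((section, attr, f"already fetched via {option}"))
    return findings
```

Run `check_extra_attrs(IPA_SERVER_CONF)` against your own `/etc/sssd/sssd.conf` contents instead of the sample to see which extra attributes overlap the provider's default fetch list.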
