[Freeipa-users] Katello IPA auth and Cross realm trust.

Sumit Bose sbose at redhat.com
Wed Feb 22 12:57:58 UTC 2017


On Wed, Feb 22, 2017 at 12:03:58PM +0000, wouter.hummelink at kpn.com wrote:
> Hello all,
> 
> I'm trying to get IPA auth on Katello to work properly, however the infopipe is unable to access the right information without additional configuration.
> With these changes I got the infopipe to work, but then user logins started to fail due to invalid user errors.
> 
> I've added the following to the domain/xxx section on the katello server
> 
> [domain/XXX]
> ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

Current versions of SSSD already read the email attribute from the server
(check ldap_user_email in man sssd-ldap). So you can either remove email
from your ldap_user_extra_attrs or set 'ldap_user_email = noSuchAttr' to
avoid the collision.

HTH

bye,
Sumit

> 
> [ifp]
> 
> allowed_uids=apache, root
> user_attributes=+email, +firstname, +lastname
> 
> 
> And on the ipa server:
> [nss]
> user_attributes=+mail, +sn, +givenname
> 
> [domain/XXX]
> ldap_user_extra_attrs=mail, sn, givenname
> 
> However, the suggested change on the IPA server (from the satellite installation guide) results in user lookup failures on client systems (not exclusive to the katello host)
> 
> # id user at TRUSTED.DOMAIN
> id: user at TRUSTED.DOMAIN: no such user
> 
> SSSD logs do reveal a hint about what's going on:
> [filtered for brevity, modified for privacy]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=user at TRUSTED.DOMAIN)(mail=user at TRUSTED.DOMAIN)(krbPrincipalName=user\\@TRUSTED.DOMAIN at IPA.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=linux,dc=infra,dc=local].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] (0x4000): Email [sander.lambrechts at kpn.com] is not from domain [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] (0x4000): Email [sander.lambrechts at kpn.com] is not from domain [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': value #1 on 'name=user at TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more than once]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': value #1 on 'name=user at TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more than once]
> 
> Am I running into a bug or have I misconfigured this somewhere?
> 
> Met vriendelijke groet,
> Wouter Hummelink
> Technical Consultant - Enterprise Webhosting
> T: +31-6-12882447
> E: wouter.hummelink at kpn.com
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
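A small checker for the collision Sumit describes, added here as an example (it is not part of the thread and not SSSD's own code): it reads sssd.conf-style text, takes the effective ldap_user_email (default `mail`, as man sssd-ldap documents) for each domain section, and flags any ldap_user_extra_attrs entry that fetches that same LDAP attribute a second time. It also lists `+name` entries in `[ifp] user_attributes` that no domain maps, since InfoPipe can only return attributes a domain actually defines. The config text is a constructed sample modelled on the two snippets quoted above; the `domain/FIXED` section is an assumed variant showing the `ldap_user_email = noSuchAttr` workaround.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample modelled on the two configs in the thread (not the poster's file).
# domain/XXX        : the Katello host, named mapping email:mail
# domain/IPA.DOMAIN : the IPA server, bare attribute names
# domain/FIXED      : assumed variant applying the ldap_user_email = noSuchAttr workaround
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ifp
domains = XXX

[domain/XXX]
ldap_user_extra_attrs = email:mail, lastname:sn, firstname:givenname

[domain/IPA.DOMAIN]
ldap_user_extra_attrs = mail, sn, givenname

[domain/FIXED]
ldap_user_email = noSuchAttr
ldap_user_extra_attrs = email:mail, lastname:sn, firstname:givenname

[ifp]
allowed_uids = apache, root
user_attributes = +email, +firstname, +lastname
"""

# Default value of ldap_user_email as documented in man sssd-ldap.
DEFAULT_USER_EMAIL_ATTR = "mail"


def parse_extra_attrs(value: str) -> List[Tuple[str, str]]:
    """Split an ldap_user_extra_attrs value into (sssd_name, ldap_attr) pairs.

    'email:mail' exposes LDAP attribute mail under the name email;
    a bare 'mail' exposes it under its own name.
    """
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, attr = item.partition(":")
        pairs.append((name.strip(), attr.strip() if sep else name.strip()))
    return pairs


def load_conf(text: str) -> configparser.ConfigParser:
    # Only '=' separates keys from values; ':' belongs to the extra-attrs syntax.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def find_email_collisions(text: str) -> Dict[str, List[str]]:
    """Return {domain section: [extra-attr names]} where an extra attribute
    fetches the LDAP attribute that ldap_user_email already fetches, so SSSD
    would write 'mail' twice into the cache entry (the ldb_modify error in the log)."""
    cp = load_conf(text)
    collisions: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        email_attr = cp.get(section, "ldap_user_email", fallback=DEFAULT_USER_EMAIL_ATTR).strip()
        extras = parse_extra_attrs(cp.get(section, "ldap_user_extra_attrs", fallback=""))
        dup = [name for name, attr in extras if attr.lower() == email_attr.lower()]
        if dup:
            collisions[section] = dup
    return collisions


def ifp_attrs_without_mapping(text: str) -> List[str]:
    """Names requested via [ifp] user_attributes (+name) that no domain
    defines in ldap_user_extra_attrs, so the InfoPipe could never return them."""
    cp = load_conf(text)
    defined = set()
    for section in cp.sections():
        if section.startswith("domain/"):
            for name, _ in parse_extra_attrs(cp.get(section, "ldap_user_extra_attrs", fallback="")):
                defined.add(name)
    raw = cp.get("ifp", "user_attributes", fallback="")
    requested = [a.strip()[1:] for a in raw.split(",") if a.strip().startswith("+")]
    return [a for a in requested if a not in defined]


if __name__ == "__main__":
    for section, names in find_email_collisions(SAMPLE_SSSD_CONF).items():
        print(f"{section}: extra attribute(s) {names} duplicate ldap_user_email; "
              "drop the entry or set ldap_user_email = noSuchAttr")
    missing = ifp_attrs_without_mapping(SAMPLE_SSSD_CONF)
    if missing:
        print(f"[ifp] requests attributes no domain defines: {missing}")
```

Run against the sample, the checker reports both `domain/XXX` (via `email:mail`) and `domain/IPA.DOMAIN` (via the bare `mail`), which matches the repeated "Extra attribute [mail]" lines and the "provided more than once" failure in the quoted log; `domain/FIXED` passes because its ldap_user_email no longer fetches `mail`. Either of the two fixes from the reply clears the report.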
