When SSSD resolves AD users on behalf of slapi-nis, it can accept any
user identifier, including user principal name (UPN) which may be
different than the canonical user name which SSSD returns.

As a result, the entry created by slapi-nis will be using the canonical user
name but the filter for the search will refer to the original (aliased)
name. The search will not match the newly created entry.

The issue is fixed in slapi-nis-0.56.1 by returning two values for the
'uid' attribute: the canonical one and the aliased one. This way the
search will match.

Standard LDAP schema allows multiple values for the 'uid' attribute. We
actually use the same trick for the 'cn' attribute in the groups map
already.

https://fedorahosted.org/freeipa/ticket/6138


--
/ Alexander Bokovoy
From 359328c45465c25a2c34629511bf30097b0b8b0a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 4 Aug 2016 09:58:50 +0300
Subject: support multiple uid values in schema compatibility tree

When SSSD resolves AD users on behalf of slapi-nis, it can accept any user
identifier, including user principal name (UPN) which may be different than the
canonical user name which SSSD returns.

As a result, the entry created by slapi-nis will be using the canonical user name but
the filter for the search will refer to the original (aliased) name. The search
will not match the newly created entry.

The issue is fixed in slapi-nis-0.56.1 by returning two values for the 'uid'
attribute: the canonical one and the aliased one. This way the search will
match.

Standard LDAP schema allows multiple values for the 'uid' attribute.

https://fedorahosted.org/freeipa/ticket/6138

---
 install/updates/10-schema_compat.update | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/install/updates/10-schema_compat.update 
b/install/updates/10-schema_compat.update
index e4c257d..fbe8703 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
@@ -87,3 +87,7 @@ add:schema-compat-entry-attribute: 
%ifeq("ipauniqueid","%{ipauniqueid}","objectc
 add:schema-compat-entry-attribute: 
%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:$DOMAIN:%{ipauniqueid}","")
 add:schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
 add:schema-compat-entry-attribute: 
%ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
+
+dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
+add:schema-compat-entry-attribute: uid=%{uid}
+replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")
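Review bot: the new `replace:schema-compat-entry-rdn: uid=%{uid}::uid=%first("%{uid}")` line relies on the canonical name being the first of the two 'uid' values that slapi-nis-0.56.1 returns; if the aliased value ever came first, the RDN of the compat entry would be built from the UPN-style alias instead of the canonical name. The commit message should state that ordering guarantee, since nothing in the update itself enforces it. Also, the diffstat shows only install/updates/10-schema_compat.update changing while the fix depends on slapi-nis-0.56.1 behaviour; consider bumping the slapi-nis version requirement in the spec in the same patch, or say in the commit message why that is not needed.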
-- 
2.7.4
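To make the matching problem the patch addresses concrete, here is an added illustration that is not part of the e-mail or of FreeIPA/slapi-nis code. It models a compat-tree entry whose 'uid' attribute is multi-valued and whose RDN is built from the first value (mirroring `%first("%{uid}")` in the update), then runs an LDAP-style equality match for the aliased name. The user names, the AD domain and the parent DN are constructed assumptions; the in-memory search stands in for the directory server's filter evaluation.

```python
# Added illustration (not FreeIPA or slapi-nis code): why a multi-valued 'uid'
# lets a search by the aliased name match the compat-tree entry that was
# created under the canonical name. All names and DNs below are constructed.

CANONICAL = "jdoe"                      # canonical name SSSD returns (constructed)
ALIAS = "john.doe@ad.example.test"      # UPN the client searched by (constructed)
PARENT_DN = "cn=users,cn=compat,dc=example,dc=test"  # constructed compat subtree


def compat_entry(uid_values, parent=PARENT_DN):
    """Build a compat-tree entry the way the update snippet does: 'uid' carries
    every value it was given, the RDN uses only the first one (the equivalent
    of the %first("%{uid}") expression)."""
    if not uid_values:
        raise ValueError("uid needs at least one value")
    return {
        "dn": f"uid={uid_values[0]},{parent}",
        "uid": list(uid_values),
        "objectclass": ["posixAccount"],
    }


def matches_equality(entry, attr, value):
    """LDAP equality match over a possibly multi-valued attribute. 'uid' uses
    the caseIgnoreMatch rule in the standard schema, so compare case-insensitively."""
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(entries, attr, value):
    """Return the DNs of all entries matching the equality filter (attr=value)."""
    return [e["dn"] for e in entries if matches_equality(e, attr, value)]


def before_fix():
    """Single canonical uid: a filter on the alias finds nothing."""
    entry = compat_entry([CANONICAL])
    return search([entry], "uid", ALIAS)


def after_fix():
    """Canonical plus aliased uid: the same filter matches, and the RDN still
    carries the canonical name."""
    entry = compat_entry([CANONICAL, ALIAS])
    return search([entry], "uid", ALIAS)


if __name__ == "__main__":
    print("search (uid=%s) before fix: %r" % (ALIAS, before_fix()))
    print("search (uid=%s) after fix:  %r" % (ALIAS, after_fix()))
```

The ordering of the two values matters in this model exactly as it does in the patch: `compat_entry` takes the RDN from whichever value comes first, so the canonical name must be supplied first for the entry DN to stay stable.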

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code