On Mon, 08 Aug 2016, thierry bordaz wrote:
On 08/08/2016 10:56 AM, Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Lukas Slebodnik wrote:
On (08/08/16 11:35), Alexander Bokovoy wrote:
On Mon, 08 Aug 2016, Martin Basti wrote:
On 08.08.2016 09:34, Alexander Bokovoy wrote:
When SSSD resolves AD users on behalf of slapi-nis, it can
user identifier, including user principal name (UPN) which may be
different than the canonical user name which SSSD returns.
As result, the entry created by slapi-nis will be using
name but the filter for search will refer to the original (aliased)
name. The search will not match the newly created entry.
The issue is fixed in slapi-nis-0.56.1 by returning two values for
'uid' attribute: the canonical one and the aliased one. This way the
search will match.
Standard LDAP schema allows multiple values for 'uid' attribute. We
actually use the same trick for 'cn' attribute in the groups map
should we bump requires to slapi-nis-0.56.1 in freeipa.spec?
No, this is not required. In Fedora we'll submit a combined update --
I've built slapi-nis-0.56.1-1 packages for f24, f25, and rawhide
but did not submit a Bodhi request.
How is combined updated related to requires to slapi-nis-0.56.1?
It will not prevent tu update freeipa without new slapi-nis.
dnf update freeipa-server.
An update file in FreeIPA that is proposed by this patch does not affect
operation of the older slapi-nis deployment once update is applied.
Is '%first' returning the first value of the attribute 'uid' ?
If there are several values (canonical, alias,... ), does the order
We insert the canonical one first and it seems that 389-ds does not
change the order, at least in my tests. You can see the output in the
/ Alexander Bokovoy
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code