I seem to get two entries every time I create a new user. This is causing the webserver authentication to fail with the message about "User is not unique":
[Tue Jan 11 20:42:16.645046 2022] [authnz_ldap:debug] [pid 21005] mod_authnz_ldap.c(505): [client 10.14.0.18:59704] AH01691: auth_ldap authenticate: using URL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
[Tue Jan 11 20:42:16.810661 2022] [authnz_ldap:info] [pid 21005] [client 10.14.0.18:59704] AH01695: auth_ldap authenticate: user testuser authentication failed; URI / [User is not unique (search found two or more matches)][No such object]
[Tue Jan 11 20:42:16.810715 2022] [auth_basic:error] [pid 21005] [client 10.14.0.18:59704] AH01618: user testuser not found: /

# ipa user-add testuser
First name: test
Last name: user
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/testuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: [email protected]
  Principal alias: [email protected]
  Email address: [email protected]
  UID: 1293000017
  GID: 1293000017
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@ipa1 scripts]# ldapsearch '(uid=testuser)'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=bluepearlsoftware,dc=com> (default) with scope subtree
# filter: (uid=testuser)
# requesting: ALL
#

# testuser, users, compat, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: ipaOverrideTarget
objectClass: top
gecos: test user
cn: test user
uidNumber: 1293000017
gidNumber: 1293000017
loginShell: /bin/sh
homeDirectory: /home/testuser
ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMT
 FlYy1iNWQ5LTUyNTQwMGI1NzZmYg==
uid: testuser

# testuser, users, accounts, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
displayName: test user
uid: testuser
krbCanonicalName: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user
sn: user
homeDirectory: /home/testuser
mail: [email protected]
krbPrincipalName: [email protected]
givenName: test
cn: test user
ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
uidNumber: 1293000017
gidNumber: 1293000017
mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware
 ,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Relevant part of Apache config file:

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authn_core_module modules/mod_authn_core.so

Loglevel authnz_ldap_module:debug
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt

<Location />
    AuthType Basic
    AuthName "Blue Pearl"
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
    # AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com
    AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
    AuthLDAPBindPassword <password for httpbind>
    Require ldap-group ipausers
    # Require ldap-group
    AuthLDAPGroupAttributeIsDN off
</Location>

FreeIPA-users mailing list -- [email protected]
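The ldapsearch output above shows why the lookup is not unique: with the search base at dc=ipa,dc=bluepearlsoftware,dc=com and scope sub, uid=testuser matches both the cn=compat entry (a slapi-nis view) and the cn=accounts entry. As an added example that is not part of the original post, here is the same Location block with the search base narrowed to the accounts subtree; the inetOrgPerson filter is an added assumption (the compat entry carries only posixAccount), and the bind and group directives are kept exactly as in the post.

```apache
# Added example, not the poster's configuration.
# Host, base DN, bind account and group directives are taken from the post.
<Location />
    AuthType Basic
    AuthName "Blue Pearl"
    AuthBasicProvider ldap

    # Original URL: whole directory, scope sub. Matches the uid in both
    # cn=users,cn=compat,... and cn=users,cn=accounts,..., so mod_authnz_ldap
    # rejects the login as "User is not unique".
    # AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub

    # Narrowed URL: base is the accounts user container, so the compat tree is
    # never searched. The trailing filter (an assumption) additionally requires
    # inetOrgPerson, which the compat view entry does not carry.
    AuthLDAPURL "ldaps://ipa1.sj.bps:636/cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub?(objectClass=inetOrgPerson)"

    # Unchanged from the post.
    AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
    AuthLDAPBindPassword <password for httpbind>
    Require ldap-group ipausers
    AuthLDAPGroupAttributeIsDN off
</Location>
```

After reloading httpd, the AH01691 debug line should show the narrowed URL, and a repeat of the original ldapsearch with `-b cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com` should report numEntries: 1.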
