Simon Matthews via FreeIPA-users wrote:
> I seem to get two entries every time I create a new user. This is causing
> the webserver authentication to fail with the message about "User is not
> unique":
>
> [Tue Jan 11 20:42:16.645046 2022] [authnz_ldap:debug] [pid 21005] mod_authnz_ldap.c(505): [client 10.14.0.18:59704] AH01691: auth_ldap authenticate: using URL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
> [Tue Jan 11 20:42:16.810661 2022] [authnz_ldap:info] [pid 21005] [client 10.14.0.18:59704] AH01695: auth_ldap authenticate: user testuser authentication failed; URI / [User is not unique (search found two or more matches)][No such object]
> [Tue Jan 11 20:42:16.810715 2022] [auth_basic:error] [pid 21005] [client 10.14.0.18:59704] AH01618: user testuser not found: /
>
> # ipa user-add testuser
> First name: test
> Last name: user
> ---------------------
> Added user "testuser"
> ---------------------
> User login: testuser
> First name: test
> Last name: user
> Full name: test user
> Display name: test user
> Initials: tu
> Home directory: /home/testuser
> GECOS: test user
> Login shell: /bin/sh
> Principal name: [email protected]
> Principal alias: [email protected]
> Email address: [email protected]
> UID: 1293000017
> GID: 1293000017
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
>
> [root@ipa1 scripts]# ldapsearch '(uid=testuser)'
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 256
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=ipa,dc=bluepearlsoftware,dc=com> (default) with scope subtree
> # filter: (uid=testuser)
> # requesting: ALL
> #
>
> # testuser, users, compat, ipa.bluepearlsoftware.com
> dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
> objectClass: posixAccount
> objectClass: ipaOverrideTarget
> objectClass: ipaOverrideTarget
> objectClass: top
> gecos: test user
> cn: test user
> uidNumber: 1293000017
> gidNumber: 1293000017
> loginShell: /bin/sh
> homeDirectory: /home/testuser
> ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMTFlYy1iNWQ5LTUyNTQwMGI1NzZmYg==
> uid: testuser
>
> # testuser, users, accounts, ipa.bluepearlsoftware.com
> dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
> displayName: test user
> uid: testuser
> krbCanonicalName: [email protected]
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> initials: tu
> gecos: test user
> sn: user
> homeDirectory: /home/testuser
> mail: [email protected]
> krbPrincipalName: [email protected]
> givenName: test
> cn: test user
> ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
> uidNumber: 1293000017
> gidNumber: 1293000017
> mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> Relevant part of the Apache config file:
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authz_core_module modules/mod_authz_core.so
> LoadModule authn_core_module modules/mod_authn_core.so
> Loglevel authnz_ldap_module:debug
> LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt
> <Location />
> AuthType Basic
> AuthName "Blue Pearl"
> AuthBasicProvider ldap
> AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub

Your URL needs to be more specific to find users, like
cn=users,cn=accounts,dc=... Or alternatively you could add an objectclass
filter, but searching the entire tree for users is more work than necessary.

IPA maintains a separate, synthesized tree, for compatibility with RFC2307.
This is the cn=compat entry you are seeing.

I'll also note that all users are in the group ipausers. IIRC it also has to
be a dn but I could be wrong on that.

rob

> # AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com
> AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
> AuthLDAPBindPassword <password for httpbind>
>
> Require ldap-group ipausers
> # Require ldap-group
> AuthLDAPGroupAttributeIsDN off
> </Location>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
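Rob's two suggestions written out as a corrected <Location> block. This is an added example for the archive, not config from the thread and not FreeIPA or httpd documentation. The hostname, base DN, bind account and group DN are the ones visible in Simon's post; the claim that FreeIPA groups list their members as full DNs in the "member" attribute, and the resulting Require line, come from my own knowledge of IPA, not from the thread, and the directive defaults quoted in the comments are those documented for mod_authnz_ldap.

```apache
# Added example, not from the thread. Values taken from Simon's post are the
# hostname, base DN, bind DN and the ipausers group DN (from the memberOf line
# in his ldapsearch output); the rest is assumed.
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authn_core_module modules/mod_authn_core.so

# Keep debug logging only while testing; drop it once the lookup is unique.
LogLevel authnz_ldap_module:debug
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt

<Location />
    AuthType Basic
    AuthName "Blue Pearl"
    AuthBasicProvider ldap

    # Option 1 (Rob's first suggestion): search only the real user tree.
    # cn=users,cn=compat is not under this base, so (uid=testuser) can match
    # at most one entry and "User is not unique" goes away.
    AuthLDAPURL "ldaps://ipa1.sj.bps:636/cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub"

    # Option 2 (Rob's second suggestion): keep the wide base and AND in an
    # objectClass filter that only the cn=accounts entry satisfies.
    # (objectClass=posixAccount) would NOT disambiguate: Simon's ldapsearch
    # output shows the compat entry carries posixAccount as well.
    # AuthLDAPURL "ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub?(objectClass=inetOrgPerson)"

    AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
    AuthLDAPBindPassword <password for httpbind>

    # Group check. FreeIPA groups store members as full DNs in "member"
    # (my knowledge of IPA, not from the thread). mod_authnz_ldap's defaults
    # already fit that: AuthLDAPGroupAttribute defaults to "member uniqueMember"
    # and AuthLDAPGroupAttributeIsDN defaults to on, so the directive is left
    # at its default and ldap-group is given the group's DN, not "ipausers".
    Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
</Location>
```

Option 1 is the one to prefer, and not only because it is less work for the directory: with AuthLDAPGroupAttributeIsDN on, the DN that the authentication search returns is what gets compared against the group's member values, and those point at uid=...,cn=users,cn=accounts,... entries. Had the search resolved the cn=compat entry, the group check would fail even after authentication succeeded. Before reloading httpd, the narrowed base can be confirmed with the same ldapsearch Simon ran plus -b cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com; the trailer should then read numEntries: 1.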
