On Thu, 18 Jun 2015, markus....@mc.ingenico.com wrote:
Hi @all,
I am new to freeIPA operating and are facing an issue with mail object
in freeIPA. We are running Jira from Atlassian and are trying to
authenticate against freeIPA. The authentication process is running but
mail object is not provided by freeIPA to Jira to inform users about
new events / trackers or whatsoever. If a test object is displayed with
ldapsearch mail attribute is available and set but is not useable by
Jira.
How is it possibilt to inherit mail accounts in Jira to be able to
authenticate and use FreeIPA as IDM for Jira as well as for Liunx
systems.
This sounds like you are using $SUFFIX (e.g. dc=example,dc=com) as your basedn
when
configuring Jira. If that's the case, then Jira gets results from both
cn=accounts,$SUFFIX and cn=compat,$SUFFIX if compat tree is
enabled. In the compat tree you have RFC2307 schema which doesn't
include mail attribute and slapi-nis always answers first over LDAP
queries that apply to cn=compat,$SUFFIX so you are ending up with two
LDAP entries returned for each individual IPA users, one from the compat
tree without mail attribute, another one is the original entry from
cn=users,cn=accounts,$SUFFIX.
Jira most likely expects a single entry response and if gets more, only
evaluates the first entry -- the one that is returned by the compat tree
and which doesn't have mail attribute.
You can solve this issue by bounding your query to cn=accounts,$SUFFIX
to only return primary IPA user/group entries.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
