On Wed, Feb 22, 2017 at 12:03:58PM +0000, wouter.hummel...@kpn.com wrote:
> Hello all,
> 
> I'm trying to get IPA auth on Katello to work properly, however the infopipe 
> is unable to access the right information without additional configuration.
> With these changes I got the infopipe to work, but then user logins started 
> to fail due to invalid user errors.
> 
> I've added the following to the domain/xxx section on the katello server
> 
> [domain/XXX]
> ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

The current version of SSSD already reads the email attribute from the server
(check ldap_user_email in man sssd-ldap). So you can either remove email
from your ldap_user_extra_attrs or set 'ldap_user_email = noSuchAttr' to
avoid the collision.

HTH

bye,
Sumit

> 
> [ifp]
> 
> allowed_uids=apache, root
> user_attributes=+email, +firstname, +lastname
> 
> 
> And on the ipa server:
> [nss]
> user_attributes=+mail, +sn, +givenname
> 
> [domain/XXX]
> ldap_user_extra_attrs=mail, sn, givenname
> 
> However, the suggested change on the IPA server (from the satellite 
> installation guide) results in user lookup failures on client systems (not 
> exclusive to the katello host)
> 
> # id user@TRUSTED.DOMAIN
> id: user@TRUSTED.DOMAIN: no such user
> 
> SSSD logs do reveal a hint about what's going on:
> [filtered for brevity, modified for privacy]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
> (0x0400): calling ldap_search_ext with 
> [(&(|(krbPrincipalName=user@TRUSTED.DOMAIN)(mail=user@TRUSTED.DOMAIN)(krbPrincipalName=user\\@TRUSTED.DOMAIN@IPA.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=linux,dc=infra,dc=local].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
> (0x1000): Requesting attrs: [mail]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
> (0x4000): Email [sander.lambrec...@kpn.com] is not from domain 
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
> (0x4000): Email [sander.lambrec...@kpn.com] is not from domain 
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] 
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value 
> exists](20)[attribute 'mail': value #1 on 
> 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more 
> than once]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] 
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value 
> exists](20)[attribute 'mail': value #1 on 
> 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more 
> than once]
> 
> Am I running into a bug or have I misconfigured this somewhere?
> 
> Kind regards,
> Wouter Hummelink
> Technical Consultant - Enterprise Webhosting
> T: +31-6-12882447
> E: wouter.hummel...@kpn.com
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
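
The collision described in the reply can be checked mechanically before restarting SSSD. The following is an added example, not code from this thread or from the SSSD project: it assumes ldap_user_email defaults to mail (per man sssd-ldap) and treats any ldap_user_extra_attrs entry requesting that same LDAP attribute as a collision. The function names and the sample configuration are constructed for illustration.

```python
import configparser

# Assumption: ldap_user_email defaults to "mail" (see man sssd-ldap).
DEFAULT_USER_EMAIL_ATTR = "mail"

# Constructed sample, modelled on the Katello-side settings quoted in the thread.
SAMPLE_CONF = """
[domain/XXX]
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[ifp]
allowed_uids=apache, root
user_attributes=+email, +firstname, +lastname
"""

def parse_extra_attrs(value):
    """Split ldap_user_extra_attrs into (cache_name, ldap_attr) pairs.

    An entry is either "ldap_attr" or "cache_name:ldap_attr".
    """
    pairs = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        cache_name, sep, ldap_attr = item.partition(":")
        pairs.append((cache_name.strip(), (ldap_attr if sep else cache_name).strip()))
    return pairs

def find_email_collisions(conf_text):
    """Return (section, cache_name, ldap_attr) for each extra attribute that
    requests the same LDAP attribute SSSD already reads as the user's email."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        email_attr = opts.get("ldap_user_email", DEFAULT_USER_EMAIL_ATTR).strip().lower()
        for cache_name, ldap_attr in parse_extra_attrs(opts.get("ldap_user_extra_attrs", "")):
            if ldap_attr.lower() == email_attr:
                findings.append((section, cache_name, ldap_attr))
    return findings

if __name__ == "__main__":
    for section, cache_name, ldap_attr in find_email_collisions(SAMPLE_CONF):
        print(f"[{section}] extra attr '{cache_name}' duplicates ldap_user_email ({ldap_attr})")
```

Both remedies from the reply, dropping the mail entry or setting ldap_user_email to an attribute name that is not in ldap_user_extra_attrs, make the function return an empty list.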
