Re: [Freeipa-users] Katello IPA auth and Cross realm trust.

2017-02-22 Thread Sumit Bose
On Wed, Feb 22, 2017 at 12:03:58PM +, wouter.hummel...@kpn.com wrote:
> Hello all,
> 
> I'm trying to get IPA auth on Katello to work properly; however, the infopipe 
> is unable to access the right information without additional configuration.
> With these changes I got the infopipe to work, but then user logins started 
> to fail due to invalid user errors.
> 
> I've added the following to the domain/xxx section on the katello server:
> 
> [domain/XXX]
> ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

Current versions of SSSD already read the email attribute from the server
(check ldap_user_email in man sssd-ldap), so you can either remove email
from your ldap_user_extra_attrs or set 'ldap_user_email = noSuchAttr' to
avoid the collision.

HTH

bye,
Sumit

> 
> [ifp]
> 
> allowed_uids=apache, root
> user_attributes=+email, +firstname, +lastname
> 
> 
> And on the ipa server:
> [nss]
> user_attributes=+mail, +sn, +givenname
> 
> [domain/XXX]
> ldap_user_extra_attrs=mail, sn, givenname
> 
> However, the suggested change on the IPA server (from the satellite 
> installation guide) results in user lookup failures on client systems (not 
> exclusive to the katello host).
> 
> # id user@TRUSTED.DOMAIN
> id: user@TRUSTED.DOMAIN: no such user
> 
> SSSD logs do reveal a hint about what's going on:
> [filtered for brevity, modified for privacy]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
> (0x0400): calling ldap_search_ext with 
> [(&(|(krbPrincipalName=user@TRUSTED.DOMAIN)(mail=user@TRUSTED.DOMAIN)(krbPrincipalName=user\\@TRUSTED.DOMAIN@IPA.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=linux,dc=infra,dc=local].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
> (0x1000): Requesting attrs: [mail]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
> (0x4000): Email [sander.lambrec...@kpn.com] is not from domain 
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
> (0x4000): Email [sander.lambrec...@kpn.com] is not from domain 
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] 
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value 
> exists](20)[attribute 'mail': value #1 on 
> 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more 
> than once]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] 
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value 
> exists](20)[attribute 'mail': value #1 on 
> 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more 
> than once]
> 
> Am I running into a bug or have I misconfigured this somewhere?
> 
> Met vriendelijke groet,
> Wouter Hummelink
> Technical Consultant - Enterprise Webhosting
> T: +31-6-12882447
> E: wouter.hummel...@kpn.com
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

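An added example, not code from the thread or from SSSD itself: a small Python checker that reads an sssd.conf fragment and flags an entry in ldap_user_extra_attrs that fetches the same LDAP attribute SSSD already reads as the user's e-mail (ldap_user_email, whose default is mail), confirms that every +name listed in [ifp] user_attributes has a matching extra attribute, and matches the "provided more than once" ldb_modify failure in SSSD debug output. The config and log samples are constructed from the thread; the ldap_user_email = noSuchAttr setting in the fixed sample is the workaround Sumit suggests above.

```python
"""Check sssd.conf for the ldap_user_extra_attrs / ldap_user_email collision
from the thread, and scan SSSD debug output for its symptom."""
import configparser
import re

# Default LDAP attribute SSSD reads as the user's e-mail (man sssd-ldap).
DEFAULT_USER_EMAIL_ATTR = "mail"

# Constructed sample: the Katello-side settings quoted in the thread.
COLLIDING_CONF = """
[domain/XXX]
ldap_user_extra_attrs = email:mail, lastname:sn, firstname:givenname

[ifp]
allowed_uids = apache, root
user_attributes = +email, +firstname, +lastname
"""

# Constructed sample: the same settings after applying the reply's advice.
FIXED_CONF = """
[domain/XXX]
ldap_user_email = noSuchAttr
ldap_user_extra_attrs = email:mail, lastname:sn, firstname:givenname

[ifp]
allowed_uids = apache, root
user_attributes = +email, +firstname, +lastname
"""

# Constructed sample: two of the debug lines from the thread, unwrapped.
LOG_SAMPLE = """(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': value #1 on 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more than once]
"""

LDB_DUP_RE = re.compile(
    r"ldb_modify failed: \[Attribute or value exists\]\(20\)"
    r"\[attribute '(?P<attr>[^']+)': value #\d+ on '(?P<dn>[^']+)' "
    r"provided more than once\]"
)


def _load(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def parse_extra_attrs(value):
    """Turn 'email:mail, sn' into {'email': 'mail', 'sn': 'sn'}.
    A bare entry stores the LDAP attribute under its own name."""
    mapping = {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        name, sep, ldap_attr = entry.partition(":")
        mapping[name.strip()] = ldap_attr.strip() if sep else name.strip()
    return mapping


def find_collisions(conf_text):
    """Return [(section, sysdb_name, ldap_attr)] for every extra attribute
    fetched from the LDAP attribute SSSD already uses for the e-mail.
    SSSD then tries to write 'mail' twice and the cache update fails."""
    cp = _load(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        email_attr = cp.get(section, "ldap_user_email",
                            fallback=DEFAULT_USER_EMAIL_ATTR)
        extra = parse_extra_attrs(
            cp.get(section, "ldap_user_extra_attrs", fallback=""))
        for name, ldap_attr in extra.items():
            if ldap_attr.lower() == email_attr.lower():
                hits.append((section, name, ldap_attr))
    return hits


def find_unexposed_ifp_attrs(conf_text):
    """Return the '+name' entries of [ifp] user_attributes that no
    [domain/*] section fetches via ldap_user_extra_attrs; the infopipe
    can only hand out attributes the back end was told to fetch."""
    cp = _load(conf_text)
    defined = set()
    for section in cp.sections():
        if section.startswith("domain/"):
            defined.update(parse_extra_attrs(
                cp.get(section, "ldap_user_extra_attrs", fallback="")))
    wanted = cp.get("ifp", "user_attributes", fallback="")
    return [e.strip()[1:] for e in wanted.split(",")
            if e.strip().startswith("+") and e.strip()[1:] not in defined]


def find_duplicate_attr_errors(log_text):
    """Return [(attribute, cache DN)] for each ldb_modify 'provided more
    than once' failure, the signature of the collision in the thread."""
    return [(m.group("attr"), m.group("dn")) for m in LDB_DUP_RE.finditer(log_text)]


if __name__ == "__main__":
    print("collisions (as posted):", find_collisions(COLLIDING_CONF))
    print("collisions (fixed):    ", find_collisions(FIXED_CONF))
    print("ifp attrs not fetched: ", find_unexposed_ifp_attrs(COLLIDING_CONF))
    print("duplicate-attr errors: ", find_duplicate_attr_errors(LOG_SAMPLE))
```

Run it against a real /etc/sssd/sssd.conf by reading the file into find_collisions and find_unexposed_ifp_attrs, and pipe the domain log (sssd_IPA.DOMAIN.log at debug_level 8 or higher) through find_duplicate_attr_errors to confirm the same cache failure before changing the configuration.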


[Freeipa-users] Katello IPA auth and Cross realm trust.

2017-02-22 Thread wouter.hummelink
Hello all,

I'm trying to get IPA auth on Katello to work properly; however, the infopipe is 
unable to access the right information without additional configuration.
With these changes I got the infopipe to work, but then user logins started to 
fail due to invalid user errors.

I've added the following to the domain/xxx section on the katello server:

[domain/XXX]
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[ifp]

allowed_uids=apache, root
user_attributes=+email, +firstname, +lastname


And on the ipa server:
[nss]
user_attributes=+mail, +sn, +givenname

[domain/XXX]
ldap_user_extra_attrs=mail, sn, givenname

However, the suggested change on the IPA server (from the satellite 
installation guide) results in user lookup failures on client systems (not 
exclusive to the katello host).

# id user@TRUSTED.DOMAIN
id: user@TRUSTED.DOMAIN: no such user

SSSD logs do reveal a hint about what's going on:
[filtered for brevity, modified for privacy]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
(0x0400): calling ldap_search_ext with 
[(&(|(krbPrincipalName=user@TRUSTED.DOMAIN)(mail=user@TRUSTED.DOMAIN)(krbPrincipalName=user\\@TRUSTED.DOMAIN@IPA.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=linux,dc=infra,dc=local].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step] 
(0x1000): Requesting attrs: [mail]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000): 
Extra attribute [mail].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
(0x4000): Email [sander.lambrec...@kpn.com] is not from domain [TRUSTED.DOMAIN].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain] 
(0x4000): Email [sander.lambrec...@kpn.com] is not from domain [TRUSTED.DOMAIN].
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] 
(0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': 
value #1 on 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' 
provided more than once]
(Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sysdb_set_cache_entry_attr] 
(0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'mail': 
value #1 on 'name=user@TRUSTED.DOMAIN,cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' 
provided more than once]

Am I running into a bug or have I misconfigured this somewhere?

Met vriendelijke groet,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting
T: +31-6-12882447
E: wouter.hummel...@kpn.com
