Shane Frasier via FreeIPA-users wrote:
> If I manually escape the parentheses surrounding "affiliate" as seen below, 
> then the ldapsearch command finds the user:
> 
> ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" 
> "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland 
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. 
> Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M 
> MUSTERMANN \(affiliate\),UID=0123456789.DHS 
> HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
> 
> The problem is that FreeIPA is performing this query when it searches (the 
> parentheses are not escaped):
> 
> ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" 
> "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland 
> Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. 
> Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M 
> MUSTERMANN (affiliate),UID=0123456789.DHS 
> HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
> 
> I don't know how to get FreeIPA to inject those escapes, and I have no 
> control over the content of the certificates on the users' PIVs (smartcards). 
>  The smartcards are given to us by the DHS mothership :(
> 
> I hope this makes our issue a little clearer.

SSSD is what is making that query. They sometimes read this list but you
may want to bring it up on their list as well to be sure they see it. Or
ideally open a bug.

rob
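
The escaping issue discussed in this thread, as an added example that is not part of the original messages and is not SSSD's or FreeIPA's code: RFC 4515 requires `(`, `)`, `*`, `\` and NUL inside a filter assertion value to be written as backslash-hex pairs, so a certificate subject containing "(affiliate)" has to be escaped before it is placed in the `ipaCertMapData` filter. The function names are hypothetical and the issuer and subject strings are constructed from the values quoted above.

```python
# Added example: RFC 4515 escaping of a certificate mapping value before it
# is embedded in an LDAP search filter. Function names are hypothetical.
import re

# Constructed sample input, modelled on the mapping data quoted in the thread.
ISSUER = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
          "OU=Certification Authorities,OU=DHS CA4")
SUBJECT = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
           "OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),"
           "UID=0123456789.DHS HQ")

# Characters that RFC 4515 requires to be escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value; a single pass avoids double-escaping '\\'."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse the escaping (ASCII escapes only), as the server does on parse."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_certmap_filter(issuer: str, subject: str) -> str:
    """Build the user lookup filter from the thread with the value escaped."""
    mapdata = escape_filter_value(f"X509:<I>{issuer}<S>{subject}")
    return ("(&(ipaCertMapData=" + mapdata + ")"
            "(objectClass=posixAccount)(uid=*)"
            "(&(uidNumber=*)(!(uidNumber=0))))")


if __name__ == "__main__":
    print(build_certmap_filter(ISSUER, SUBJECT))
```

Only the value taken from the certificate is escaped; the parentheses that form the filter's own structure are left as they are.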