On Wed, Feb 22, 2017 at 12:03:58PM +0000, [email protected] wrote:
> Hello all,
>
> I'm trying to get IPA auth on Katello to work properly, however the infopipe
> is unable to access the right information without additional configuration.
> With these changes I got the infopipe to work, but then user logins started
> to fail due to invalid user errors.
>
> I've added the following to the domain/xxx section on the katello server
>
> [domain/XXX]
> ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

The current version of SSSD already reads the email attribute from the server (check ldap_user_email in man sssd-ldap). So you can either remove email from your ldap_user_extra_attrs or set 'ldap_user_email = noSuchAttr' to avoid the collision.

HTH

bye,
Sumit

>
> [ifp]
>
> allowed_uids=apache, root
> user_attributes=+email, +firstname, +lastname
>
>
> And on the ipa server:
> [nss]
> user_attributes=+mail, +sn, +givenname
>
> [domain/XXX]
> ldap_user_extra_attrs=mail, sn, givenname
>
> However, the suggested change on the IPA server (from the satellite
> installation guide) results in user lookup failures on client systems (not
> exclusive to the katello host)
>
> # id [email protected]
> id: [email protected]: no such user
>
> SSSD logs do reveal a hint about what's going on:
> [filtered for brevity, modified for privacy]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step]
> (0x0400): calling ldap_search_ext with
> [(&(|([email protected])([email protected])(krbPrincipalName=user\\@[email protected]))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=linux,dc=infra,dc=local].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [mail]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000):
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000):
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000):
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [get_extra_attrs] (0x4000):
> Extra attribute [mail].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain]
> (0x4000): Email [[email protected]] is not from domain
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]] [is_email_from_domain]
> (0x4000): Email [[email protected]] is not from domain
> [TRUSTED.DOMAIN].
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]]
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value
> exists](20)[attribute 'mail': value #1 on
> '[email protected],cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more
> than once]
> (Wed Feb 22 11:51:20 2017) [sssd[be[IPA.DOMAIN]]]
> [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Attribute or value
> exists](20)[attribute 'mail': value #1 on
> '[email protected],cn=users,cn=TRUSTED.DOMAIN,cn=sysdb' provided more
> than once]
>
> Am I running into a bug or have I misconfigured this somewhere?
>
> Kind regards,
> Wouter Hummelink
> Technical Consultant - Enterprise Webhosting
> T: +31-6-12882447
> E: [email protected]
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
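
Added example, not part of the original thread and not SSSD code: a small Python check that scans sssd.conf text for the collision described in the reply, where an entry in ldap_user_extra_attrs requests the same LDAP attribute that ldap_user_email already reads. The sample configuration and its domain names are constructed, and the default value `mail` for ldap_user_email is an assumption taken from man sssd-ldap.

```python
import configparser

# Assumption: "mail" is the default of ldap_user_email (see man sssd-ldap).
DEFAULT_EMAIL_ATTR = "mail"

# Constructed sample modelled on the two configurations quoted in the thread,
# plus one domain using the 'ldap_user_email = noSuchAttr' workaround.
SAMPLE_CONF = """
[domain/KATELLO.EXAMPLE]
ldap_user_extra_attrs = email:mail, lastname:sn, firstname:givenname

[domain/IPA.EXAMPLE]
ldap_user_extra_attrs = mail, sn, givenname

[domain/FIXED.EXAMPLE]
ldap_user_email = noSuchAttr
ldap_user_extra_attrs = email:mail, lastname:sn, firstname:givenname

[ifp]
allowed_uids = apache, root
"""

def parse_extra_attrs(value):
    """Split 'cache_name:ldap_attr, ldap_attr' into (cache_name, ldap_attr) pairs."""
    pairs = []
    for item in filter(None, (i.strip() for i in value.split(","))):
        cache_name, sep, ldap_attr = item.partition(":")
        pairs.append((cache_name.strip(), ldap_attr.strip()) if sep else (item, item))
    return pairs

def find_email_collisions(conf_text):
    """Return {section: [extra-attr entries that re-request the email attribute]}."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    findings = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue  # only [domain/...] sections carry ldap_user_* options
        email_attr = cfg.get(section, "ldap_user_email", fallback=DEFAULT_EMAIL_ATTR)
        hits = [f"{name}:{attr}" for name, attr in
                parse_extra_attrs(cfg.get(section, "ldap_user_extra_attrs", fallback=""))
                if attr.lower() == email_attr.strip().lower()]
        if hits:
            findings[section] = hits
    return findings

if __name__ == "__main__":
    for section, hits in find_email_collisions(SAMPLE_CONF).items():
        print(f"[{section}] fetches the email attribute twice via: {', '.join(hits)}")
```

The check treats any extra attribute whose LDAP name equals the effective ldap_user_email value as a collision; that matching rule is this example's assumption, not a statement of SSSD's internal logic.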
