Shane Frasier via FreeIPA-users wrote:
If I manually escape the parentheses surrounding
"affiliate" as seen below, then the ldapsearch command finds the user:
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN \(affiliate\),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
The problem is that FreeIPA is performing this query when it searches (the parentheses
are not escaped):
ldapsearch -b "cn=accounts,dc=staging,dc=cool,dc=cyber,dc=dhs,dc=gov" "(&(ipaCertMapData=X509:<I>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=Certification Authorities,OU=DHS CA4<S>C=US,O=U.S. Government,OU=Department of Homeland Security,OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),UID=0123456789.DHS HQ)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
I don't know how to get FreeIPA to inject those escapes, and I have no control over
the content of the certificates on the users' PIVs (smartcards). The smartcards are
given to us by the DHS mothership :(
I hope this makes our issue a little clearer.
SSSD is what is making that query. They sometimes read this list but you
may want to bring it up on their list as well to be sure they see it. Or
ideally open a bug.
rob
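Added illustration, not code from this thread or from FreeIPA/SSSD: the RFC 4515 escaping that the working ldapsearch applies by hand, using the RFC's hex form (\28 and \29 for the parentheses), together with a small well-formedness check that shows why the unescaped filter is rejected. The issuer and subject DNs are the ones from the commands above; the filter layout is reproduced from the thread.

```python
# RFC 4515 section 3: characters that must be hex-escaped inside an
# LDAP filter assertion value.
_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29",
                   "\\": r"\5c", "\x00": r"\00"}

# Issuer and subject DNs copied from the thread's ldapsearch command.
ISSUER = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
          "OU=Certification Authorities,OU=DHS CA4")
SUBJECT = ("C=US,O=U.S. Government,OU=Department of Homeland Security,"
           "OU=DHS HQ,OU=People,CN=MAX M MUSTERMANN (affiliate),"
           "UID=0123456789.DHS HQ")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_certmap_filter(issuer: str, subject: str, escape: bool = True) -> str:
    """Build the ipaCertMapData lookup filter from the thread.

    escape=False reproduces the broken, unescaped form for comparison.
    """
    mapdata = f"X509:<I>{issuer}<S>{subject}"
    if escape:
        mapdata = escape_filter_value(mapdata)
    return (f"(&(ipaCertMapData={mapdata})(objectClass=posixAccount)"
            f"(uid=*)(&(uidNumber=*)(!(uidNumber=0))))")


def filter_items_are_wellformed(flt: str) -> bool:
    """Require every simple item '(attr=value)' to contain '=' and to end
    at an unescaped ')'. Hex escapes ('\\XX') are skipped as three chars.
    The unescaped filter fails: its value is cut short at '(affiliate'."""
    i, n = 0, len(flt)
    while i < n:
        if flt[i] != "(":
            i += 1          # closing parens of compound terms
            continue
        i += 1
        if i < n and flt[i] in "&|!":
            continue        # compound operator; its children follow
        start = i
        while i < n and flt[i] not in "()":
            i += 3 if flt[i] == "\\" else 1
        if i >= n or flt[i] != ")" or "=" not in flt[start:i]:
            return False
        i += 1
    return True
```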