7:47 p.m.
I seem to get two entries every time I create new user. This is causing the webserver
authentication to fail with the message about "User is not unique":
[Tue Jan 11 20:42:16.645046 2022] [authnz_ldap:debug] [pid 21005] mod_authnz_ldap.c(505):
[client 10.14.0.18:59704] AH01691: auth_ldap authenticate: using URL
ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
[Tue Jan 11 20:42:16.810661 2022] [authnz_ldap:info] [pid 21005] [client 10.14.0.18:59704]
AH01695: auth_ldap authenticate: user testuser authentication failed; URI / [User is not
unique (search found two or more matches)][No such object]
[Tue Jan 11 20:42:16.810715 2022] [auth_basic:error] [pid 21005] [client 10.14.0.18:59704]
AH01618: user testuser not found: /
# ipa user-add testuser
First name: test
Last name: user
---------------------
Added user "testuser"
---------------------
User login: testuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/testuser
GECOS: test user
Login shell: /bin/sh
Principal name: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
Principal alias: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
Email address: testuser(a)ipa.bluepearlsoftware.com
UID: 1293000017
GID: 1293000017
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ipa1 scripts]# ldapsearch '(uid=testuser)'
SASL/GSSAPI authentication started
SASL username: admin(a)IPA.BLUEPEARLSOFTWARE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=bluepearlsoftware,dc=com> (default) with scope subtree
# filter: (uid=testuser)
# requesting: ALL
#
# testuser, users, compat, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: ipaOverrideTarget
objectClass: top
gecos: test user
cn: test user
uidNumber: 1293000017
gidNumber: 1293000017
loginShell: /bin/sh
homeDirectory: /home/testuser
ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMT
FlYy1iNWQ5LTUyNTQwMGI1NzZmYg==
uid: testuser
# testuser, users, accounts, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
displayName: test user
uid: testuser
krbCanonicalName: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user
sn: user
homeDirectory: /home/testuser
mail: testuser(a)ipa.bluepearlsoftware.com
krbPrincipalName: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
givenName: test
cn: test user
ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
uidNumber: 1293000017
gidNumber: 1293000017
mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware
,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Relevant part of Apache config file:
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authn_core_module modules/mod_authn_core.so
Loglevel authnz_ldap_module:debug
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt
<Location />
AuthType Basic
AuthName "Blue Pearl"
AuthBasicProvider ldap
AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
# AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com
AuthLDAPBindDN
uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
AuthLDAPBindPassword <password for httpbind>
Require ldap-group ipausers
# Require ldap-group
AuthLDAPGroupAttributeIsDN off
</Location>
9:11 p.m.
New subject: Setting up authentication for apache webserver (part 2) -- User is not unique
Simon Matthews via FreeIPA-users wrote:
I seem to get two entries every time I create new user. This is
causing the webserver authentication to fail with the message about "User is not
unique":
[Tue Jan 11 20:42:16.645046 2022] [authnz_ldap:debug] [pid 21005] mod_authnz_ldap.c(505):
[client 10.14.0.18:59704] AH01691: auth_ldap authenticate: using URL
ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
[Tue Jan 11 20:42:16.810661 2022] [authnz_ldap:info] [pid 21005] [client
10.14.0.18:59704] AH01695: auth_ldap authenticate: user testuser authentication failed;
URI / [User is not unique (search found two or more matches)][No such object]
[Tue Jan 11 20:42:16.810715 2022] [auth_basic:error] [pid 21005] [client
10.14.0.18:59704] AH01618: user testuser not found: /
# ipa user-add testuser
First name: test
Last name: user
---------------------
Added user "testuser"
---------------------
User login: testuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/testuser
GECOS: test user
Login shell: /bin/sh
Principal name: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
Principal alias: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
Email address: testuser(a)ipa.bluepearlsoftware.com
UID: 1293000017
GID: 1293000017
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ipa1 scripts]# ldapsearch '(uid=testuser)'
SASL/GSSAPI authentication started
SASL username: admin(a)IPA.BLUEPEARLSOFTWARE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=bluepearlsoftware,dc=com> (default) with scope subtree
# filter: (uid=testuser)
# requesting: ALL
#
# testuser, users, compat, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: ipaOverrideTarget
objectClass: top
gecos: test user
cn: test user
uidNumber: 1293000017
gidNumber: 1293000017
loginShell: /bin/sh
homeDirectory: /home/testuser
ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMT
FlYy1iNWQ5LTUyNTQwMGI1NzZmYg==
uid: testuser
# testuser, users, accounts, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
displayName: test user
uid: testuser
krbCanonicalName: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user
sn: user
homeDirectory: /home/testuser
mail: testuser(a)ipa.bluepearlsoftware.com
krbPrincipalName: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
givenName: test
cn: test user
ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
uidNumber: 1293000017
gidNumber: 1293000017
mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware
,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Relevant part of Apache config file:
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authn_core_module modules/mod_authn_core.so
Loglevel authnz_ldap_module:debug
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt
<Location />
AuthType Basic
AuthName "Blue Pearl"
AuthBasicProvider ldap
AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
Your URL needs to be more specific to find users, like
cn=users,cn=accounts,dc=...
Or alternatively you could add an objectclass filter, but searching the
entire tree for users is more work than necessary.
IPA maintains a separate, synthesized tree, for compatibility with
RFC2307. This is the cn=compat entry you are seeing.
I'll also note that all users are in the group ipausers. IIRC it also
has to be a dn but I could be wrong on that.
rob
# AuthLDAPURL
ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com
AuthLDAPBindDN
uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
AuthLDAPBindPassword <password for httpbind>
Require ldap-group ipausers
# Require ldap-group
AuthLDAPGroupAttributeIsDN off
</Location>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
12:56 p.m.
New subject: Setting up authentication for apache webserver (part 2) -- User is not unique
Simon Matthews via FreeIPA-users wrote:
Your URL needs to be more specific to find users, like
cn=users,cn=accounts,dc=...
Or alternatively you could add an objectclass filter, but searching the
entire tree for users is more work than necessary.
IPA maintains a separate, synthesized tree, for compatibility with
RFC2307. This is the cn=compat entry you are seeing.
I'll also note that all users are in the group ipausers. IIRC it also
has to be a dn but I could be wrong on that.
rob
Adding "cn=users,cn=accounts" to the AuthLDAPURL worked. I am able to
authenticate specific users. However, I have not been able to get "Require
ldap-group" to work. I'll start a new thread for that.
9:28 p.m.
New subject: Setting up authentication for apache webserver (part 2) -- User is not unique
this is normal (and desirable), the user is added in both users/accounts tree and the
compat tree.
I have had issues with nested groups when I fail to use the compat tree in my LDAP
integrations.
- grant
12:57 p.m.
New subject: Setting up authentication for apache webserver (part 2) -- User is not unique
this is normal (and desirable), the user is added in both
users/accounts tree and the
compat tree.
If it is normal, it would be nice if the documentation reflected this.
I have had issues with nested groups when I fail to use the compat
tree in my LDAP
integrations.
I have problems with "Require ldap-group". I'll start a new thread
for that.
828
days inactive
828
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Grant Janssen -
Rob Crittenden -
Simon Matthews