I seem to get two entries every time I create a new user. This is causing the webserver
authentication to fail with the message about "User is not unique":
[Tue Jan 11 20:42:16.645046 2022] [authnz_ldap:debug] [pid 21005] mod_authnz_ldap.c(505): [client 10.14.0.18:59704] AH01691: auth_ldap authenticate: using URL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
[Tue Jan 11 20:42:16.810661 2022] [authnz_ldap:info] [pid 21005] [client 10.14.0.18:59704] AH01695: auth_ldap authenticate: user testuser authentication failed; URI / [User is not unique (search found two or more matches)][No such object]
[Tue Jan 11 20:42:16.810715 2022] [auth_basic:error] [pid 21005] [client 10.14.0.18:59704] AH01618: user testuser not found: /
# ipa user-add testuser
First name: test
Last name: user
---------------------
Added user "testuser"
---------------------
User login: testuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/testuser
GECOS: test user
Login shell: /bin/sh
Principal name: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
Principal alias: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
Email address: testuser(a)ipa.bluepearlsoftware.com
UID: 1293000017
GID: 1293000017
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@ipa1 scripts]# ldapsearch '(uid=testuser)'
SASL/GSSAPI authentication started
SASL username: admin(a)IPA.BLUEPEARLSOFTWARE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ipa,dc=bluepearlsoftware,dc=com> (default) with scope subtree
# filter: (uid=testuser)
# requesting: ALL
#
# testuser, users, compat, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: ipaOverrideTarget
objectClass: top
gecos: test user
cn: test user
uidNumber: 1293000017
gidNumber: 1293000017
loginShell: /bin/sh
homeDirectory: /home/testuser
ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMT
FlYy1iNWQ5LTUyNTQwMGI1NzZmYg==
uid: testuser
# testuser, users, accounts, ipa.bluepearlsoftware.com
dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
displayName: test user
uid: testuser
krbCanonicalName: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user
sn: user
homeDirectory: /home/testuser
mail: testuser(a)ipa.bluepearlsoftware.com
krbPrincipalName: testuser(a)IPA.BLUEPEARLSOFTWARE.COM
givenName: test
cn: test user
ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
uidNumber: 1293000017
gidNumber: 1293000017
mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware
,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Relevant part of Apache config file:
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authn_core_module modules/mod_authn_core.so
Loglevel authnz_ldap_module:debug
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ca.crt
<Location />
AuthType Basic
AuthName "Blue Pearl"
AuthBasicProvider ldap
AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub
# AuthLDAPURL ldaps://ipa1.sj.bps:636/dc=ipa,dc=bluepearlsoftware,dc=com
AuthLDAPBindDN uid=httpbind,cn=sysaccounts,cn=etc,dc=ipa,dc=bluepearlsoftware,dc=com
AuthLDAPBindPassword <password for httpbind>
Require ldap-group ipausers
# Require ldap-group
AuthLDAPGroupAttributeIsDN off
</Location>
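The AH01695 message states the rule mod_authnz_ldap applies: the uid search must return exactly one entry, and the ldapsearch output above shows why it does not here, because the filter matches both uid=testuser,cn=users,cn=compat,... and uid=testuser,cn=users,cn=accounts,... under the domain base that AuthLDAPURL searches with scope sub. The script below is an added example, not part of the original post or of FreeIPA or Apache. It parses ldapsearch LDIF offline (the embedded LDIF is a constructed sample trimmed from the two entries shown in the post; no LDAP library or server is needed) and reports, for a candidate base DN and scope, whether a uid resolves to exactly one entry, which is the check to run before narrowing the base DN in AuthLDAPURL. The helper names and the two base-DN constants are this example's own choices.

```python
"""Check whether a uid search under a given base DN is unique (added example).

Parses ldapsearch-style LDIF so the check runs offline; feed it real
`ldapsearch` output on stdin to test a live directory.
"""
import base64
import re
import sys
from collections import defaultdict

# Constructed sample: trimmed copy of the two entries from the post.
SAMPLE_LDIF = """\
# extended LDIF
# base <dc=ipa,dc=bluepearlsoftware,dc=com> (default) with scope subtree
# filter: (uid=testuser)

dn: uid=testuser,cn=users,cn=compat,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: posixAccount
uid: testuser
uidNumber: 1293000017
ipaAnchorUUID:: OklQQTppcGEuYmx1ZXBlYXJsc29mdHdhcmUuY29tOjBlYmM2ZGJlLTczNDgtMT
 FlYy1iNWQ5LTUyNTQwMGI1NzZmYg==

dn: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
objectClass: inetorgperson
uid: testuser
ipaUniqueID: 0ebc6dbe-7348-11ec-b5d9-525400b576fb
mepManagedEntry: cn=testuser,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware
 ,dc=com

# search result
search: 4
result: 0 Success
"""

# Base DN from the post's AuthLDAPURL, and the narrower users container (assumed candidate).
DOMAIN_BASE = "dc=ipa,dc=bluepearlsoftware,dc=com"
ACCOUNTS_BASE = "cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com"

_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of (dn, attrs) tuples; attrs maps lower-cased names to value lists.

    Handles '#' comments, blank-line record separators, folded continuation
    lines (leading space) and base64 values written as 'attr:: ...'.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None and current["dn"] is not None:
                entries.append((current["dn"], dict(current["attrs"])))
            current = None  # records without a dn (e.g. 'result: 0 Success') are dropped
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        if current is None:
            current = {"dn": None, "attrs": defaultdict(list)}
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            current["dn"] = value
        else:
            current["attrs"][name].append(value)
    return entries


def dn_rdns(dn):
    """Split a DN into normalised RDN strings, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def dn_is_under(dn, base, scope="sub"):
    """True if dn lies in the subtree (scope 'sub') or one level below (scope 'one') base."""
    d, b = dn_rdns(dn), dn_rdns(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    return len(d) == len(b) + 1 if scope == "one" else True


def check_unique(entries, base, uid, scope="sub"):
    """Apply mod_authnz_ldap's rule: the uid search must yield exactly one entry.

    Returns (ok, matching_dns); ok is False for zero hits as well as for several.
    """
    hits = [dn for dn, attrs in entries
            if uid.lower() in [v.lower() for v in attrs.get("uid", [])]
            and dn_is_under(dn, base, scope)]
    return len(hits) == 1, hits


if __name__ == "__main__":
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    uid = sys.argv[1] if len(sys.argv) > 1 else "testuser"
    for base in (DOMAIN_BASE, ACCOUNTS_BASE):
        ok, hits = check_unique(parse_ldif(ldif), base, uid)
        print(f"{base}: {'unique' if ok else 'NOT unique'} ({len(hits)} match(es))")
        for dn in hits:
            print("   ", dn)
```

Run against the sample, the domain base reports two matches (compat and accounts) while cn=users,cn=accounts reports one, which is what the search in AuthLDAPURL needs to return. The parser also decodes the compat entry's ipaAnchorUUID, whose value carries the ipaUniqueID of the real entry, a quick way to confirm the two hits describe the same account rather than two distinct users.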