From e6f9e2c9282905fa41046379e0bc5c2ac82ae3a9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 27 Jul 2016 17:37:14 +0300
Subject: [PATCH 7/8] back-sch-nss: for users with aliases, return alias as uid
When SSSD resolves AD users on behalf of slapi-nis, it can accept
any user identifier, including user principal name (UPN) which
may be different than the canonical user name which SSSD returns.
As result, the entry created by slapi-nis will be using canonical user
name but the filter for search will refer to the original (aliased)
name. The search will not match the newly created entry.
Fix this issue by returning two values for 'uid' attribute: the
canonical one and the aliased one. This way search will match.
Verified that SSSD with id_provider=ldap happily consumes such entries.
By LDAP schema, 'uid' attribute can have multiple values.
Fixes https://fedorahosted.org/slapi-nis/ticket/12
---
src/back-sch-nss.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index 702590c..db63e59 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -230,6 +230,7 @@ backend_build_dn(const char *attribute, const char *value,
static Slapi_Entry *
backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd,
char *container_sdn,
+ char *user_name,
struct backend_search_cbdata *cbdata)
{
Slapi_Entry *entry;
@@ -272,6 +273,18 @@ backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd,
"objectClass", "posixAccount");
slapi_entry_add_string(entry,
"uid", name);
+ if (user_name != NULL) {
+ /* For non-NULL original user name check if it was
+ * an alias/UPN. If so, add it to the entry.
+ * Yes, LDAP schema allows multiple values of 'uid'
+ * attribute.
+ */
+ if (slapi_utf8casecmp((unsigned char*) user_name,
+ (unsigned char*) name) != 0) {
+ slapi_entry_add_string(entry, "uid", user_name);
+ }
+ }
+
slapi_entry_attr_set_uint(entry,
"uidNumber", pwd->pw_uid);
slapi_entry_attr_set_uint(entry,
@@ -510,6 +523,7 @@ repeat:
}
entry = backend_make_user_entry_from_nsswitch_passwd(&pwd, container_sdn,
+ is_uid ? NULL : user_name,
cbdata);
entries = malloc(sizeof(entries[0]) * 2);
if (entries != NULL) {
--
2.7.4