Add krbPrincipalName to sssd.conf user attributes

jrafanie · jrafanie · commit fdc02570f63f · 2026-02-13T15:04:24.000-05:00
The principal name provides a consistent username for creating user records since sssd supports logins with email or the username from the authentication system (freeipa). Using this consistent principal name prevents creating duplicate users created from both the free ipa username and from the configured email address. Related: ManageIQ/manageiq#23723 ManageIQ/manageiq-appliance#401
diff --git a/lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb b/lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb
@@ -31,11 +31,12 @@ module ExternalHttpdConfiguration
       TIMESTAMP_FORMAT      = "%Y%m%d_%H%M%S".freeze
 
       LDAP_ATTRS            = {
-        "mail"        => "REMOTE_USER_EMAIL",
-        "givenname"   => "REMOTE_USER_FIRSTNAME",
-        "sn"          => "REMOTE_USER_LASTNAME",
-        "displayname" => "REMOTE_USER_FULLNAME",
-        "domainname"  => "REMOTE_USER_DOMAIN"
+        "mail"             => "REMOTE_USER_EMAIL",
+        "givenname"        => "REMOTE_USER_FIRSTNAME",
+        "sn"               => "REMOTE_USER_LASTNAME",
+        "displayname"      => "REMOTE_USER_FULLNAME",
+        "domainname"       => "REMOTE_USER_DOMAIN",
+        "krbPrincipalName" => "REMOTE_USER_PRINCIPAL"
       }.freeze
 
       def template_directory
diff --git a/spec/external_httpd_authentication_spec.rb b/spec/external_httpd_authentication_spec.rb
@@ -204,4 +204,75 @@
       expect(described_class.config_status).to eq("External Auth SAML")
     end
   end
+
+  context "#configure_sssd_domain" do
+    let(:domain) { "example.com" }
+    let(:base_config) do
+      <<~CONFIG
+        [sssd]
+        services = nss, pam
+
+        [domain/example.com]
+        id_provider = ipa
+        ipa_server = ipa.example.com
+      CONFIG
+    end
+
+    it "adds ldap_user_extra_attrs when not present" do
+      config = base_config.dup
+      subject.send(:configure_sssd_domain, config, domain)
+      expect(config).to include("ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname, krbPrincipalName")
+    end
+
+    it "updates existing ldap_user_extra_attrs" do
+      config = base_config + "ldap_user_extra_attrs = mail\n"
+      subject.send(:configure_sssd_domain, config, domain)
+
+      # Verify the line contains all expected attributes
+      expect(config).to include("ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname, krbPrincipalName")
+
+      # Verify there's only one ldap_user_extra_attrs line
+      expect(config.scan(/ldap_user_extra_attrs/).length).to eq(1)
+
+      # Verify the original "mail" only value was replaced, not just appended
+      expect(config).not_to include("ldap_user_extra_attrs = mail\n")
+    end
+
+    it "preserves existing configuration while adding attributes" do
+      config = base_config.dup
+      subject.send(:configure_sssd_domain, config, domain)
+      expect(config).to include("id_provider = ipa")
+      expect(config).to include("ipa_server = ipa.example.com")
+    end
+  end
+
+  context "#configure_sssd_ifp" do
+    let(:base_config) do
+      <<~CONFIG
+        [sssd]
+        services = nss, pam
+      CONFIG
+    end
+
+    it "adds [ifp] section when not present" do
+      config = base_config.dup
+      subject.send(:configure_sssd_ifp, config)
+      expect(config).to include("[ifp]")
+      expect(config).to include("allowed_uids = apache, root, manageiq")
+      expect(config).to include("user_attributes = +mail, +givenname, +sn, +displayname, +domainname, +krbPrincipalName")
+    end
+
+    it "updates user_attributes in existing [ifp] section" do
+      config = base_config + "\n[ifp]\nallowed_uids = apache\nuser_attributes = +mail\n"
+      subject.send(:configure_sssd_ifp, config)
+      expect(config).to include("user_attributes = +mail, +givenname, +sn, +displayname, +domainname, +krbPrincipalName")
+      expect(config.scan(/user_attributes/).length).to eq(1)
+    end
+
+    it "adds user_attributes when [ifp] exists but user_attributes doesn't" do
+      config = base_config + "\n[ifp]\nallowed_uids = apache\n"
+      subject.send(:configure_sssd_ifp, config)
+      expect(config).to include("user_attributes = +mail, +givenname, +sn, +displayname, +domainname, +krbPrincipalName")
+    end
+  end
 end
