abbra / freeipa

Mirror of FreeIPA, an integrated security information management solution
http://www.freeipa.org
GNU General Public License v3.0

gc-wip: GC can not contain records for two users with same first and last names #55

Closed wladich closed 3 years ago

wladich commented 4 years ago

I can create two users in IPA with the same names:

ipa user-add user1 --first Test --last User
ipa user-add user2 --first Test --last User

It is totally fine for people to have the same names.

But the GC instance will contain a record only for the first one. In globalcatalog.log there is an error:

2020-10-14T09:27:53Z    33784   MainThread      ipaserver.globalcatalog.gcsyncer        ERROR   Entry CN=Test User,CN=Users,dc=testrelm,dc=test already exists
flo-renaud commented 4 years ago

The root cause is not the (first, last) combination but rather the identical cn. If the cn attribute isn't explicitly set during ipa user-add with the --cn option, the user plugin automatically creates the cn attribute by concatenating givenname (=first) and sn (=last) (here in ipaserver/plugins/user.py).

FreeIPA doesn't enforce unicity of the cn attribute but GC does. It doesn't look acceptable to add this constraint to the main LDAP instance, and the best mitigation IMO was at least to log an error. I agree it's not optimal but don't have any solution so far.

wladich commented 4 years ago

I understand that the problem is the conflict of CNs, which are used to construct the dn. I wanted to show what it will look like for users: they create a new user without any warnings, but that user is not visible from AD.

abbra commented 4 years ago

What about creating an ipa-healthcheck test for this kind of situation under the trust set of tests?

abbra commented 4 years ago

We can also add a validation to user-add that verifies this and adds a warning to the response in case GC is enabled.
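The cn derivation flo-renaud describes and the healthcheck / user-add warning abbra proposes, as an added example that is not FreeIPA's own code: it assumes the default cn is givenname + " " + sn and the GC DN shape `CN=<cn>,CN=Users,<suffix>` seen in the logged error, and runs over constructed sample entries rather than a live directory.

```python
"""Find FreeIPA users whose derived cn would collide as a Global Catalog DN.

Added example, not FreeIPA code. Assumptions: default cn = givenname + " " + sn
(per the issue), GC DN = CN=<cn>,CN=Users,<suffix> (per the logged error).
"""
from typing import Dict, List, Optional

DEFAULT_SUFFIX = "dc=testrelm,dc=test"

# Constructed sample entries carrying the attributes ipa user-add would set.
SAMPLE_USERS: List[dict] = [
    {"uid": "user1", "givenname": "Test", "sn": "User"},
    {"uid": "user2", "givenname": "Test", "sn": "User"},  # same derived cn as user1
    {"uid": "user3", "givenname": "Test", "sn": "User", "cn": "Test User (3)"},  # explicit --cn
    {"uid": "user4", "givenname": "Other", "sn": "User"},
]


def effective_cn(entry: dict) -> str:
    """An explicit --cn wins; otherwise cn is derived from first and last name."""
    return entry.get("cn") or f"{entry['givenname']} {entry['sn']}"


def gc_dn(cn: str, suffix: str = DEFAULT_SUFFIX) -> str:
    """The DN the GC syncer would try to write for this user (no DN escaping)."""
    return f"CN={cn},CN=Users,{suffix}"


def find_gc_collisions(entries: List[dict], suffix: str = DEFAULT_SUFFIX) -> Dict[str, List[str]]:
    """Healthcheck-style scan: GC DNs claimed by more than one uid, with those uids.
    DNs are compared case-insensitively, since cn uses case-ignoring LDAP matching."""
    seen: Dict[str, tuple] = {}  # normalised DN -> (DN as first written, [uids])
    for entry in entries:
        dn = gc_dn(effective_cn(entry), suffix)
        display, uids = seen.setdefault(dn.casefold(), (dn, []))
        uids.append(entry["uid"])
    return {display: uids for display, uids in seen.values() if len(uids) > 1}


def check_new_user(existing: List[dict], new: dict, suffix: str = DEFAULT_SUFFIX) -> Optional[str]:
    """user-add style validation: a warning if the new user would not reach the GC, else None."""
    wanted = gc_dn(effective_cn(new), suffix)
    for entry in existing:
        if gc_dn(effective_cn(entry), suffix).casefold() == wanted.casefold():
            return (f"user '{new['uid']}' will not be visible in the Global Catalog: "
                    f"{wanted} already exists (uid {entry['uid']})")
    return None


if __name__ == "__main__":
    for dn, uids in find_gc_collisions(SAMPLE_USERS).items():
        print(f"GC collision at {dn}: {', '.join(uids)}")
    print(check_new_user(SAMPLE_USERS, {"uid": "user5", "givenname": "test", "sn": "user"}))
```

With the sample data only user1 and user2 collide; user3 escapes because an explicit --cn changes the DN, which is the workaround available until a real fix exists.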

abbra commented 3 years ago

Moved this ticket to https://pagure.io/freeipa/issue/8732