X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Futil%2Fdirectory%2Fldap%2FIpaUtils.java;h=68b40868ab9dda0a2b7c223ce23f514d6e4cb10c;hb=9c8e52bcbb2a583f8e83c6390b960e9d9edefd53;hp=861eb4f1fc099564637f3ab2f0afcacacd7e74b0;hpb=e2ffdf6872592aa22d0de2b0ec69ee4eca698c45;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.util/src/org/argeo/util/directory/ldap/IpaUtils.java b/org.argeo.util/src/org/argeo/util/directory/ldap/IpaUtils.java
index 861eb4f1f..68b40868a 100644
--- a/org.argeo.util/src/org/argeo/util/directory/ldap/IpaUtils.java
+++ b/org.argeo.util/src/org/argeo/util/directory/ldap/IpaUtils.java
@@ -10,8 +10,8 @@ import java.util.Hashtable;
 import java.util.List;
 
 import javax.naming.InvalidNameException;
-import javax.naming.NamingException;
 import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
 
 import org.argeo.util.directory.DirectoryConf;
 import org.argeo.util.naming.LdapAttrs;
@@ -19,15 +19,26 @@ import org.argeo.util.naming.dns.DnsBrowser;
 
 /** Free IPA specific conventions. */
 public class IpaUtils {
- public final static String IPA_USER_BASE = "cn=users,cn=accounts";
- public final static String IPA_GROUP_BASE = "cn=groups,cn=accounts";
- public final static String IPA_ROLE_BASE = "cn=roles,cn=accounts";
+ public final static String IPA_USER_BASE = "cn=users";
+ public final static String IPA_GROUP_BASE = "cn=groups";
+ public final static String IPA_ROLE_BASE = "cn=roles";
 public final static String IPA_SERVICE_BASE = "cn=services,cn=accounts";
 
+ public final static Rdn IPA_ACCOUNTS_RDN;
+ static {
+ try {
+ IPA_ACCOUNTS_RDN = new Rdn(LdapAttrs.cn.name(), "accounts");
+ } catch (InvalidNameException e) {
+ // should not happen
+ throw new IllegalStateException(e);
+ }
+ }
+
 private final static String KRB_PRINCIPAL_NAME = LdapAttrs.krbPrincipalName.name().toLowerCase();
 
 public final static String IPA_USER_DIRECTORY_CONFIG = DirectoryConf.userBase + "=" + IPA_USER_BASE + "&"
- + DirectoryConf.groupBase + "=" + IPA_GROUP_BASE + "&" + DirectoryConf.readOnly + "=true";
+ + DirectoryConf.groupBase + "=" + IPA_GROUP_BASE + "&" + DirectoryConf.systemRoleBase + "=" + IPA_ROLE_BASE
+ + "&" + DirectoryConf.readOnly + "=true";
 
 @Deprecated
 static String domainToUserDirectoryConfigPath(String realm) {
@@ -61,7 +72,7 @@ public class IpaUtils {
 String baseDn = domainToBaseDn(kname[1]);
 String dn;
 if (!username.contains("/"))
- dn = LdapAttrs.uid + "=" + username + "," + IPA_USER_BASE + "," + baseDn;
+ dn = LdapAttrs.uid + "=" + username + "," + IPA_USER_BASE + "," + IPA_ACCOUNTS_RDN + "," + baseDn;
 else
 dn = KRB_PRINCIPAL_NAME + "=" + kerberosName + "," + IPA_SERVICE_BASE + "," + baseDn;
 try {
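Review bot: The public constants `IPA_USER_BASE`, `IPA_GROUP_BASE` and `IPA_ROLE_BASE` now hold a single RDN instead of the full `...,cn=accounts` path, while `IPA_SERVICE_BASE` on the unchanged line below still carries `cn=accounts`; any caller outside this class that concatenates one of the three into a DN now resolves a different entry, and nothing in the hunk documents the new contract. A Javadoc on the group would make the split explicit, e.g. `/** Relative to {@link #IPA_ACCOUNTS_RDN}; append it when building a full DN. */`, and the static initializer's `// should not happen` could state why: `// fixed attribute name and value, so InvalidNameException cannot occur here`. Whether consumers of `DirectoryConf.userBase` expect the base without the accounts container cannot be checked from this hunk.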
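Review bot: The new DN on the `+` line still splices `username` into the string verbatim, so a principal whose name contains DN metacharacters such as `,`, `+`, `=` or `\` yields a malformed or different DN; the commit imports `Rdn` but does not use its escaping here. `Rdn.escapeValue` covers this without a checked exception: `dn = LdapAttrs.uid + "=" + Rdn.escapeValue(username) + "," + IPA_USER_BASE + "," + IPA_ACCOUNTS_RDN + "," + baseDn;`. The same applies to `kerberosName` on the unchanged `else` line. The enclosing method begins and ends outside this hunk, so where `username` originates is not visible here.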
@@ -83,7 +94,7 @@ public class IpaUtils {
 String dnsZone = hostname.substring(hostname.indexOf('.') + 1);
 kerberosDomain = dnsBrowser.getRecord("_kerberos." + dnsZone, "TXT");
 return kerberosDomain;
- } catch (NamingException | IOException e) {
+ } catch (IOException e) {
 throw new IllegalStateException("Cannot determine Kerberos domain from DNS", e);
 }
 
@@ -114,7 +125,7 @@ public class IpaUtils {
 } else {
 ldapHostsStr = ldapHosts.get(0);
 }
- } catch (NamingException | IOException e) {
+ } catch (IOException e) {
 throw new IllegalStateException("Cannot convert IPA uri " + uri, e);
 }
 } else {
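Review bot: The narrowed `catch (IOException e)` implies `dnsBrowser.getRecord` no longer throws `NamingException`; if it now wraps naming failures in an unchecked exception, those escape the method without the `Cannot determine Kerberos domain from DNS` context this catch adds, which is worth confirming against DnsBrowser. The surrounding lines also deserve a comment that the realm is read from a DNS TXT record, e.g. `// realm comes from a DNS TXT lookup; treat as untrusted unless the resolver validates DNSSEC`, since callers may otherwise assume it is authoritative. The enclosing method begins outside this hunk.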