Deleted Group in FreeIPA Still Appears – Troubleshooting Guide

You are aware that you can move into the sysadm_r role as staff_u right?

For example, the following below would work.

myuser  ALL=(ALL)   TYPE=sysadm_t ROLE=sysadm_r PASSWD: ALL

This will allow you to do (almost) what you can do as root as unconfined.

Oh and one final tip. Using su is a bit tricky with RBAC (it does a lot of stuff which gets it into all sorts of places). Instead you can use the runuser command which does the same thing without a lot of su overheads.

I actually restrict su use in sudoers like so;

%wheel   ALL=(ALL)   TYPE=sysadm_t ROLE=sysadm_r NOPASSWD: ALL, ! /bin/su

Because by default the SELinux policy doesn't allow the sudo transition to manage the necessary signals. Really people should probably just use sudo -i anyway.

I normally hardlink runuser to ru as a two-letter replacement for people who prefer to run sudo su - out of a bad habit (like me!).

You have two problems in your configuration:

1. You are using too generic and incorrect settings:

   base: 'dc=example'
   group_base: 'OU=groups,DC=example'
   

   Instead, they should be

   base: 'cn=accounts,dc=example'
   group_base: 'cn=groups,cn=accounts,DC=example'
   

2. Your check for users is done against wrong subtree:

   user_filter: 'memberOf=cn=developers,cn=groups,cn=compat,dc=example'
   

   Instead, you should use main subtree:

   user_filter: 'memberOf=cn=developers,cn=groups,cn=accounts,dc=example'
   

Explanation

FreIPA stores users and groups in the containers under cn=accounts,dc=example, e.g. cn=users,cn=accounts,dc=example for users and cn=groups,cn=accounts,dc=example for groups.The LDAP schema used by this structure is based on RFC2307bis which allows using memberOf attribute pointing to the proper distinguished name (DN) of a member object in LDAP.

FreeIPA also dynamically exports a separate tree (compat subtree) under cn=compat,dc=example to present the same content for clients that expect an LDAP schema defined in RFC2307. Unlike RFC2307bis, this older schema does not allow to specify a member object in LDAP by its distinguished name. Instead, a membership is specified by using a value of an attribute uid of the member object.

When you do search against whole tree using base dc=example, you get responses from the both subtrees. When you do search with memberOf filter, it will come with an empty result because the original subtree in cn=accounts,dc=example does not have any reference to the compat subtree, and entries in the compat subtree don't have memberOf attribute due to use of a different LDAP schema.

The compat subtree is also returning its entries before the original ones, so GitLab is confused by their result when trying to search a user as it selects a first returned entry and it doesn't contain all needed attributes (like email).

Finally, make sure your requests are authenticated. This is not a problem wiht your configuration above because you are using a simple bind already but FreeIPA 4.x has put additional limitations on what attributes are visible to unauthenticated search requests, so to save others' time I'd mention it here as well.