Thanks. The configuration looks OK; I wonder why the uniqueMember is not generated for your compat groups - it works on my FreeIPA 4.1.3 server.
Did you restart the Directory Server after you changed the Schema Compatibility plugin?

On 03/05/2015 09:16 AM, [email protected] wrote:
> OK, here is the search result:
> # ldapsearch -x -D "cn=Directory Manager" -W -b "cn=config" cn=groups
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: cn=groups
> # requesting: ALL
> #
>
> # groups, Schema Compatibility, plugins, config
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> cn: groups
> objectClass: top
> objectClass: extensibleObject
> schema-compat-container-group: cn=compat, dc=localdomain,dc=local
> schema-compat-search-filter: objectclass=posixGroup
> schema-compat-container-rdn: cn=groups
> schema-compat-entry-rdn: cn=%{cn}
> schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
> schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")
> schema-compat-entry-attribute: gidNumber=%{gidNumber}
> schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:cloud.local:%{ipauniqueid}","")
> schema-compat-entry-attribute: memberUid=%{memberUid}
> schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")
> schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
> schema-compat-entry-attribute: objectclass=posixGroup
> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
> schema-compat-restrict-subtree: dc=localdomain,dc=local
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> On 3/5/2015 at 3:54 PM, "Martin Kosek" <[email protected]> wrote:
>>
>> On 03/05/2015 02:37 AM, [email protected] wrote:
>>> Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch:
>>>
>>> # admins, groups, compat, localdomain.local
>>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>>> gidNumber: 756200000
>>> memberUid: admin
>>> memberUid: vadmin
>>> objectClass: posixGroup
>>> objectClass: groupOfUniqueNames
>>> objectClass: top
>>> cn: admins
>>>
>>>
>>> On 3/5/2015 at 9:15 AM, [email protected] wrote:
>>>
>>> Hi Martin,
>>>
>>> Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the search completes successfully and I get a list of my users and groups; however, when I've watched the LDAP queries between vCenter and FreeIPA I can see it's applying a filter to the user search looking for 'objectClass=groupOfUniqueNames', which my groups don't seem to contain.
>>>
>>>
>>> I'm very much an LDAP newbie, but I thought at step two in the vSphere integration HOWTO I modified the groups schema to include that object class?
>>>
>>> On 3/4/2015 at 8:32 PM, "Martin Kosek" <[email protected]> wrote:
>>>
>>> Given that this HOWTO does not use the vanilla Schema Compatibility settings (the FreeIPA Compat Tree by default uses the posixGroup objectclass and the memberUid attribute for user membership), I would check if the groups really have the right objectclass and uniqueMember generated:
>>>
>>> # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"
>>>
>>> I expect there will be some problem preventing the LDAP search from succeeding. Then we would know where to look next.
>>>
>>> Martin
>>>
>>
>> I am also CCing Gialunca, who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3; my compat groups now contain the proper uniqueMember attribute and groupOfUniqueNames objectclass.
>>
>> I am not sure though why users are also updated (mostly a question to Gialunca):
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=uniqueMember
>> -
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=inetOrgPerson
>> -
>>
>> For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all its MUST attributes generated as well - otherwise consuming programs may break if they depend on such attributes existing. I see that "sn" is missing in my compat user entries.
>>
>> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry so that we can see if the uniqueMember attribute is really configured correctly?
>>
>> Thanks,
>> Martin
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
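The three checks Martin asks for in this thread (a compat group that carries groupOfUniqueNames should also carry uniqueMember; an entry given inetOrgPerson needs sn; "uniqueMember" is an attribute type, not an objectclass) as an added Python example that is not part of the thread, the HOWTO or FreeIPA itself. It parses ldapsearch LDIF output offline, flags those problems per entry, and mirrors the HOWTO's %regsub rule so the uniqueMember values a group should end up with can be predicted before querying from vCenter. The SAMPLE_LDIF is constructed to resemble the entries quoted above, and the KNOWN_OBJECTCLASSES set and the MUST lists (taken from RFC 4519 and RFC 2798) are assumptions of this example, not a dump of the server schema.

```python
import re

# Constructed sample, shaped like the ldapsearch output quoted in this thread
# (not captured from a real server): a compat group with groupOfUniqueNames but
# no uniqueMember values, and a compat user that claims inetOrgPerson without
# an sn and lists "uniqueMember" as an objectclass.  The description line is
# folded the way ldapsearch folds long values (continuation starts with a space).
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
cn: admins

# vadmin, users, compat, localdomain.local
dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: uniqueMember
cn: vadmin
uid: vadmin
uidNumber: 756200001
gidNumber: 756200000
homeDirectory: /home/vadmin
description: folded value,
  second half
"""

# MUST attributes of the objectclasses the HOWTO adds, per the standard schema
# (assumption of this example): groupOfUniqueNames (RFC 4519) requires cn and
# uniqueMember; inetOrgPerson (RFC 2798) inherits cn and sn from person.
MUST_ATTRS = {
    "groupofuniquenames": {"cn", "uniquemember"},
    "inetorgperson": {"cn", "sn"},
}

# Objectclasses expected in a FreeIPA compat tree (assumed list).  Anything
# else is flagged, which catches "objectclass=uniqueMember" from the HOWTO.
KNOWN_OBJECTCLASSES = {
    "top", "posixaccount", "posixgroup", "groupofuniquenames",
    "inetorgperson", "organizationalperson", "person", "ipaoverridetarget",
}


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr_lower: [values]} dicts.
    Comment lines are skipped; base64 (::) and URL (:<) values are not handled."""
    entries, current = [], {}
    for line in unfold(text) + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_entry(entry):
    """Return the problems a consumer such as vCenter could trip on."""
    problems = []
    classes = {v.lower() for v in entry.get("objectclass", [])}
    for oc in sorted(classes - KNOWN_OBJECTCLASSES):
        problems.append(f"unknown objectClass {oc!r}")
    for oc, must in MUST_ATTRS.items():
        if oc in classes:
            for attr in sorted(must - set(entry)):
                problems.append(f"objectClass {oc} requires missing attribute {attr!r}")
    return problems


def audit(text):
    """Map each entry's DN to its list of problems (empty list means clean)."""
    return {entry["dn"][0]: check_entry(entry) for entry in parse_ldif(text)}


def compat_unique_member(member_dn):
    """Mirror the HOWTO's rule
    uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
    to predict the uniqueMember value derived from a group's member DN."""
    return re.sub(r"^(.*)accounts(.*)", r"\1compat\2", member_dn)


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
    print(compat_unique_member("uid=admin,cn=users,cn=accounts,dc=localdomain,dc=local"))
```

To run it against a live server, feed it the output of the same ldapsearch shown above (for example `ldapsearch -x -D "VSPHERE_DN" -w ... -b "cn=compat,dc=localdomain,dc=local" > compat.ldif` and `audit(open("compat.ldif").read())`); a group reported clean here still needs the Directory Server restart mentioned above before the plugin regenerates its entries.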
