Attached patch should update compat tree configuration if it exists to
follow slapi-nis 0.55 which has support for external members of IPA

However, the real work is done in SSSD. These patches are not upstreamed
yet. We'll need to bump SSSD dependency in future once they come to

/ Alexander Bokovoy
From b08234f61ce7c6286ca9109df11a4c469862c428 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 22 Feb 2016 12:40:03 +0200
Subject: [PATCH] slapi-nis: update configuration to allow external members of
 IPA groups

Currently in an environment with trust to AD the compat tree does not
show AD users as members of IPA groups. The reason is that IPA groups
are read directly from the IPA DS tree and external groups are not

slapi-nis project has added support for it in 0.55, make sure we update
configuration for the group map if it exists and depend on 0.55 version.

 freeipa.spec.in                           | 2 +-
 install/updates/50-externalmembers.update | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 install/updates/50-externalmembers.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 54a11bf..0b14bdc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -153,7 +153,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.54.2-1
+Requires: slapi-nis >= 0.55-1
 Requires: pki-ca >= 10.2.6-13
 Requires: pki-kra >= 10.2.6-13
 Requires(preun): python systemd-units
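Review bot: The bump to `Requires: slapi-nis >= 0.55-1` comes without any SSSD requirement, although the cover letter says the real work is done in SSSD patches that are not upstream yet. Please record that pending dependency next to this line or in the commit message, and state what behaviour to expect from slapi-nis 0.55 running against an SSSD without those patches, so the follow-up SSSD bump is not lost.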
diff --git a/install/updates/50-externalmembers.update 
new file mode 100644
index 0000000..0831cd2
--- /dev/null
+++ b/install/updates/50-externalmembers.update
@@ -0,0 +1,4 @@
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+addifexist: schema-compat-entry-attribute: 
+addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
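Review bot: Both `addifexist:` lines only touch a `cn=groups,cn=Schema Compatibility,cn=plugins,cn=config` entry that is already present, so a server where the compat tree is created after this update has run would not receive these `schema-compat-entry-attribute` values from this file. Please confirm that whatever creates the group map carries the same values, or mention in the commit message how that case is covered. Also, the hunk header declares four added lines while only three are visible here, and the first `schema-compat-entry-attribute` value is empty as shown, so that value could not be reviewed.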
