Hi,
the doc for the schema compatibility plugin is available here:
- https://pagure.io/slapi-nis/blob/master/f/doc/sch-getting-started.txt
- https://pagure.io/slapi-nis/blob/master/f/doc/sch-configuration.txt
HTH,
flo
On Mon, Jun 28, 2021 at 4:28 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Joseph Fry via FreeIPA-users wrote:
> > Well, I managed to figure out the %deref_r directive is what I was
> looking for and got my update file working. I am posting it here for
> anyone who wants to do the same. Its actually pretty simple... just
> creates two containers in compat, one contains pseudo entries for every
> host, and the other contains psudo entries for every hostgroup with the
> member attribute (pointing to the corresponding pseudo host entries). I'm
> sure it can be improved, but it looks like it meets my needs in early
> testing.
> >
> > Just save to a file and run "ipa-ldap-updater <filename>" and your dumb
> AD-only tool can ingest the devices (or at least mine can, you may need to
> bring over some other attributes).
>
> Glad to see you got it working and thanks for contributing your solution.
>
> rob
>
> >
> >
> > # Delete the adcomputers and adcomputergroups containers. Not really
> necessary but
> > # its useful to start with a clean slate during testing, as updating
> things can lead
> > # some strangeness
> >
> > dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
> > deleteentry:
> >
> > dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
> > deleteentry:
> >
> > # Create the adcomputers container and map the objects and attributes
> from the ipaHosts
> > # Note: This will bring every host in, though it could be filtered with
> the search-filter
> > # below if desired.
> >
> > dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
> > default:objectClass: top
> > default:objectClass: extensibleObject
> > default:cn: adcomputers
> > default:schema-compat-container-group: cn=compat, $SUFFIX
> > default:schema-compat-container-rdn: cn=adcomputers
> > default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
> > default:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
> > default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
> > default:schema-compat-check-access: yes
> > default:schema-compat-entry-attribute: objectclass=computer
> > default:schema-compat-entry-attribute: cn=%{fqdn}
> > default:schema-compat-entry-attribute: sAMAccountType=805306369
> > default:schema-compat-entry-attribute: dNSHostName=%{fqdn}
> > default:schema-compat-entry-attribute: operatingSystem=%{nsOsVersion}
> > default:schema-compat-entry-attribute: name=%{serverHostName}
> > default:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
> > default:schema-compat-entry-attribute: location=%{nsHostLocation}
> >
> > # Create the adcomputergroups container and map the relevant attributes
> from the ipahostgroups
> >
> > dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
> > default:objectClass: top
> > default:objectClass: extensibleObject
> > default:cn: adcomputergroups
> > default:schema-compat-container-group: cn=compat, $SUFFIX
> > default:schema-compat-container-rdn: cn=adcomputergroups
> > default:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
> > default:schema-compat-search-filter:
> (&(member=*)(objectClass=ipahostgroup))
> > default:schema-compat-entry-rdn: cn=%{cn}
> > default:schema-compat-entry-check-access: yes
> > default:schema-compat-entry-attribute: objectclass=group
> > default:schema-compat-entry-attribute: objectclass=groupOfNames
> > default:schema-compat-entry-attribute: cn=%{cn}
> > default:schema-compat-entry-attribute:
> distinguishedName=cn=%{cn},cn=adcomputergroups,cn=compat,$SUFFIX
> > #default:schema-compat-entry-attribute: groupType=-2147483650
> > #default:schema-compat-entry-attribute: sAMAccountType=268435456
> > default:schema-compat-entry-attribute: name=%{cn}
> > default:schema-compat-entry-attribute:
> member=cn=%deref_r("member","fqdn"),cn=adcomputers,cn=compat,$SUFFIX
> > #default:schema-compat-entry-attribute: sAMAccountName=%{cn}
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
> >
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
