Hi, the doc for the schema compatibility plugin is available here: - https://pagure.io/slapi-nis/blob/master/f/doc/sch-getting-started.txt - https://pagure.io/slapi-nis/blob/master/f/doc/sch-configuration.txt
HTH, flo On Mon, Jun 28, 2021 at 4:28 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Joseph Fry via FreeIPA-users wrote: > > Well, I managed to figure out the %deref_r directive is what I was > looking for and got my update file working. I am posting it here for > anyone who wants to do the same. Its actually pretty simple... just > creates two containers in compat, one contains pseudo entries for every > host, and the other contains psudo entries for every hostgroup with the > member attribute (pointing to the corresponding pseudo host entries). I'm > sure it can be improved, but it looks like it meets my needs in early > testing. > > > > Just save to a file and run "ipa-ldap-updater <filename>" and your dumb > AD-only tool can ingest the devices (or at least mine can, you may need to > bring over some other attributes). > > Glad to see you got it working and thanks for contributing your solution. > > rob > > > > > > > # Delete the adcomputers and adcomputergroups containers. Not really > necessary but > > # its useful to start with a clean slate during testing, as updating > things can lead > > # some strangeness > > > > dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config > > deleteentry: > > > > dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config > > deleteentry: > > > > # Create the adcomputers container and map the objects and attributes > from the ipaHosts > > # Note: This will bring every host in, though it could be filtered with > the search-filter > > # below if desired. > > > > dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config > > default:objectClass: top > > default:objectClass: extensibleObject > > default:cn: adcomputers > > default:schema-compat-container-group: cn=compat, $SUFFIX > > default:schema-compat-container-rdn: cn=adcomputers > > default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX > > default:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost)) > > default:schema-compat-entry-rdn: cn=%first("%{fqdn}") > > default:schema-compat-check-access: yes > > default:schema-compat-entry-attribute: objectclass=computer > > default:schema-compat-entry-attribute: cn=%{fqdn} > > default:schema-compat-entry-attribute: sAMAccountType=805306369 > > default:schema-compat-entry-attribute: dNSHostName=%{fqdn} > > default:schema-compat-entry-attribute: operatingSystem=%{nsOsVersion} > > default:schema-compat-entry-attribute: name=%{serverHostName} > > default:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName} > > default:schema-compat-entry-attribute: location=%{nsHostLocation} > > > > # Create the adcomputergroups container and map the relevant attributes > from the ipahostgroups > > > > dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config > > default:objectClass: top > > default:objectClass: extensibleObject > > default:cn: adcomputergroups > > default:schema-compat-container-group: cn=compat, $SUFFIX > > default:schema-compat-container-rdn: cn=adcomputergroups > > default:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX > > default:schema-compat-search-filter: > (&(member=*)(objectClass=ipahostgroup)) > > default:schema-compat-entry-rdn: cn=%{cn} > > default:schema-compat-entry-check-access: yes > > default:schema-compat-entry-attribute: objectclass=group > > default:schema-compat-entry-attribute: objectclass=groupOfNames > > default:schema-compat-entry-attribute: cn=%{cn} > > default:schema-compat-entry-attribute: > distinguishedName=cn=%{cn},cn=adcomputergroups,cn=compat,$SUFFIX > > #default:schema-compat-entry-attribute: groupType=-2147483650 > > #default:schema-compat-entry-attribute: sAMAccountType=268435456 > > default:schema-compat-entry-attribute: name=%{cn} > > default:schema-compat-entry-attribute: > member=cn=%deref_r("member","fqdn"),cn=adcomputers,cn=compat,$SUFFIX > > #default:schema-compat-entry-attribute: sAMAccountName=%{cn} > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure