On Thu, Jun 07, 2012 at 05:34:58PM -0400, Ian Levesque wrote:
> # ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org
> No such object (32)
> Matched DN: dc=sbgrid,dc=org

This result suggests that the plugin isn't running.  Can you
double-check by searching (as either the directory administrator or the
IPA administrator) to verify that the plugin is enabled and configured
to serve up group information?  The search looks like:

  kinit admin
  ldapsearch -h sbgrid-directory -Y GSSAPI \
        -b "cn=Schema Compatibility,cn=plugins,cn=config" \
        nsslapd-pluginEnabled

The results should look like this:

  dn: cn=Schema Compatibility,cn=plugins,cn=config
  nsslapd-pluginEnabled: off

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

If you drill down and read the whole cn=groups configuration entry, it
should look like this:

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
  schema-compat-entry-attribute: objectclass=posixGroup
  schema-compat-entry-attribute: gidNumber=%{gidNumber}
  schema-compat-entry-attribute: memberUid=%{memberUid}
  schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
  cn: groups
  objectClass: top
  objectClass: extensibleObject
  schema-compat-search-filter: objectclass=posixGroup
  schema-compat-container-rdn: cn=groups
  schema-compat-entry-rdn: cn=%{cn}
  schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
  schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

HTH,

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
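
The check described in the message above can be scripted. The following is an added example, not part of the original post and not FreeIPA code: it reads the LDIF printed by that ldapsearch and reports whether the top-level plugin entry has nsslapd-pluginEnabled set to "on" and whether a cn=groups definition entry exists. The function names and the sample LDIF are constructed for illustration.

```shell
# Added example. Reads LDIF (output of the ldapsearch above) on stdin and
# prints "<nsslapd-pluginEnabled value> <yes|no: cn=groups entry present>".
compat_plugin_status() {
    awk '
    function flush() { if (cur != "") handle(cur); cur = "" }
    function handle(line,    low) {
        low = tolower(line)                 # LDAP names are case-insensitive
        if (low ~ /^dn:/) {
            dn = low
            sub(/^dn:[ ]*/, "", dn)
            gsub(/,[ ]+/, ",", dn)          # ignore spaces after RDN commas
            if (dn == "cn=groups," base) groups = "yes"
        } else if (low ~ /^nsslapd-pluginenabled:/ && dn == base) {
            sub(/^[^:]*:[ ]*/, "", low)
            enabled = low
        }
    }
    BEGIN { base = "cn=schema compatibility,cn=plugins,cn=config"
            enabled = "unknown"; groups = "no" }
    /^#/ { flush(); skip = 1; next }        # comment (absent with -LLL)
    /^ / { if (!skip) cur = cur substr($0, 2); next }   # folded LDIF line
         { flush(); skip = 0; cur = $0 }
    END  { flush(); print enabled, groups }
    '
}
# Succeeds only if the plugin is "on" and the groups definition is present.
compat_plugin_check() {
    set -- $(compat_plugin_status)
    [ "$1" = "on" ] && [ "$2" = "yes" ]
}
# Constructed sample output, not captured from a real server.
sample_on() { cat <<'EOF'
# extended LDIF
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=groups,cn=Schema Compatibility,cn=plugins,
 cn=config
EOF
}
sample_off() { cat <<'EOF'
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: off

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
EOF
}
sample_on | compat_plugin_status    # prints: on yes
```

Against a live server, pipe the ldapsearch command from the message into compat_plugin_check and test its exit status.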
