On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>
> > ldapsearch -h sbgrid-directory -Y GSSAPI \
> >   -b "cn=Schema Compatibility,cn=plugins,cn=config" \
> >   nsslapd-pluginEnabled
> >
> > The results should look like this:
> >
> > dn: cn=Schema Compatibility,cn=plugins,cn=config
> > nsslapd-pluginEnabled: off
> >
> > dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>
> Hmm, I only get this:
>
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
>
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

I don't have an explanation for how it got that way, but you're missing
some entries, and that probably explains why you don't see compat data
for groups.

I'm attaching the LDIF for these entries from my test server, with the
suffix changed from the one I'm using to yours.

The 'cn=users', 'cn=groups', and 'cn=ng' entries should be accepted
without issue by 'ldapadd -c', but it will balk at the 'cn=sudoers'
entry, since you already have one. Normally that'd be the right thing,
but if your 'cn=sudoers' entry looks different from the one in the LDIF
file, you may want to change it as well by using 'ldapmodify'.

HTH,

Nalin

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=nisNetgroup
schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\
 ",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHo
 st\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\
 \\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\
 \\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\
 ",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\
 \\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r
 (\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\
 ")","-"),%{nisDomainName:-})
schema-compat-check-access: yes
cn: ng
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (objectclass=ipaNisNetgroup)
schema-compat-container-rdn: cn=ng
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=ng, cn=alt, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
 ternalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)
 ))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\
 "uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%d
 eref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%de
 ref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{ex
 ternalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEn
 try)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"
 fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntr
 y))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
 eref(\"memberAllowCmd\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
 eref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member",
 "sudoCmd")
schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser}
schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid")
schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory",
 "all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")
 ")
schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(o
 bjectclass=posixGroup)","cn")
cn: sudoers
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE
 ))(!(ipaEnabledFlag=FALSE)))
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=sudorules, cn=sudo, dc=sbgrid,dc=org
schema-compat-container-group: ou=SUDOers, dc=sbgrid,dc=org

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: loginShell=%{loginShell}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
cn: users
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixAccount
schema-compat-container-rdn: cn=users
schema-compat-entry-rdn: uid=%{uid}
schema-compat-search-base: cn=users, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
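
Added example, not part of the original message and not FreeIPA code: a small Python comparison of an expected LDIF (such as the attachment above) against the LDIF that ldapsearch returns from the server. It reports which entries are missing (candidates for 'ldapadd -c') and which existing entries differ (candidates for 'ldapmodify'), unfolding wrapped LDIF lines first. The function names are hypothetical and the sample entries are constructed and abridged.

```python
# Added example, not FreeIPA code. Assumes plain (non-base64) LDIF values and
# DNs without escaped commas; the sample entries are constructed and abridged.
EXPECTED = r'''
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
schema-compat-container-rdn: cn=groups

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
cn: sudoers
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
 ternalUser}")
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
'''
ACTUAL = r'''
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
cn: sudoers
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
'''

def norm_dn(dn):
    """Lowercase a DN and drop spaces around its commas (naive normalization)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {(attr, value), ...}}, unfolding wrapped lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # a leading space continues the previous line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                # a blank line ends the entry
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if attr.strip().lower() == "dn":
                current = entries.setdefault(norm_dn(value.strip()), set())
            elif current is not None:
                current.add((attr.strip().lower(), value.strip()))
    return entries

def compare(expected_ldif, actual_ldif):
    """Return (DNs to add, {dn: (pairs to add, pairs only on the server)})."""
    want, have = parse_ldif(expected_ldif), parse_ldif(actual_ldif)
    missing = sorted(dn for dn in want if dn not in have)
    differing = {dn: (sorted(want[dn] - have[dn]), sorted(have[dn] - want[dn]))
                 for dn in want.keys() & have.keys() if want[dn] != have[dn]}
    return missing, differing

if __name__ == "__main__":
    print(compare(EXPECTED, ACTUAL))
```

Values are compared as exact strings after unfolding, so a difference in case or spacing inside a value is reported as a change.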