On Jun 7, 2012, at 6:46 PM, Nalin Dahyabhai wrote:
> On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
>> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>>
>>> ldapsearch -h sbgrid-directory -Y GSSAPI \
>>> -b "cn=Schema Compatibility,cn=plugins,cn=config" \
>>> nsslapd-pluginEnabled
>>>
>>> The results should look like this:
>>>
>>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>>> nsslapd-pluginEnabled: off
>>>
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> Hmm, I only get this:
>>
>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>> nsslapd-pluginEnabled: on
>>
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>
>> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2
>
> I don't have an explanation for how it got that way, but you're missing
> some entries, and that probably explains why you don't see compat data
> for groups.
>
> I'm attaching the LDIF for these entries from my test server, with the
> suffix changed from the one I'm using to yours. The 'cn=users',
> 'cn=groups', and 'cn=ng' entries should be accepted without issue by
> 'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you
> already have one.
>
> Normally that'd be the right thing, but if your 'cn=sudoers' entry looks
> different from the one in the LDIF file, you may want to change it as
> well by using 'ldapmodify'.

Hi Nalin,

Well, that fixed it. I'd love to know what caused this but am grateful indeed for your help.

Cheers,
Ian

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
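
Added example, not part of the original thread or of FreeIPA: a small shell check that reads the ldapsearch LDIF output discussed above and lists which Schema Compatibility containers are missing. The function names, variable names and the embedded sample are assumptions made for this illustration; the expected container list is taken from the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The expected container names and the
# base DN are the ones shown in the ldapsearch output quoted above.
EXPECTED_COMPAT="groups ng sudoers users"
COMPAT_BASE="cn=Schema Compatibility,cn=plugins,cn=config"

# Read ldapsearch LDIF on stdin; print each expected container that is absent.
missing_compat_entries() {
    awk -v expected="$EXPECTED_COMPAT" -v base="$COMPAT_BASE" '
        function record() {
            # Store a completed, unfolded "dn:" line, compared case-insensitively.
            if (tolower(substr(line, 1, 3)) == "dn:") {
                dn = substr(line, 4)
                sub(/^[ \t]+/, "", dn)
                seen[tolower(dn)] = 1
            }
            line = ""
        }
        { sub(/\r$/, "") }
        # LDIF folds long lines: a continuation line starts with one space.
        /^ / { line = line substr($0, 2); next }
        { record(); line = $0 }
        END {
            record()
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++) {
                key = tolower("cn=" want[i] "," base)
                if (!(key in seen)) print want[i]
            }
        }
    '
}

# Constructed sample: the output Ian reported in the thread.
sample_ldif() {
    cat <<'EOF'
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
EOF
}

# Live use (command from the thread), piped into the check:
#   ldapsearch -h sbgrid-directory -Y GSSAPI -b "$COMPAT_BASE" \
#       nsslapd-pluginEnabled | missing_compat_entries
sample_ldif | missing_compat_entries
```

An empty result means all four containers are present; any name printed is an entry that would have to be restored, for example from the LDIF mentioned in the thread.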