Greetings,
Migration from OpedLDAP to IPA creates a pair of subtrees for both users and
groups:
compat and accounts, use groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
IPA web GUI does not show "memberUid" attribute, although it is migrated
correctly,
by adding a user to the group in the web GUI, it reveals that member is added
to both
compat and accounts, but differently:
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree, but I can
use
ldap tools to show compat entries.
My questions:
1, why do we have two trees created? I vaguely remember that it is mentioned
that
compat is for support of IPA as an NIS proxy?
2, Can the migration script be modified to convert "memberUid" to "member" for
accounts tree? Or can I modify it manually and load the tree with ldapmod
without
breaking IPA?
3, What does Samba use, compat or accounts? I do have a Samba server setup as
an IPA client and it works very well, but I don't seem to be able to find a
place
to specify either compat or accounts for user and group look up, I assume
IPA
client libraries take care of it. In fact there is no entries that are
related to LDAP
in my smb.conf, there is only a few lines related to IPA/Kerberos:
=====
security = user
passdb backend = smbpasswd
# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
=====
Thanks in advance!
Qing
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
