Qing Chang wrote:
Greetings,
Migration from OpedLDAP to IPA creates a pair of subtrees for both users
and groups:
compat and accounts, use groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
IPA web GUI does not show "memberUid" attribute, although it is
migrated correctly,
by adding a user to the group in the web GUI, it reveals that member is
added to both
compat and accounts, but differently:
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree,
but I can use
ldap tools to show compat entries.
My questions:
1, why do we have two trees created? I vaguely remember that it is
mentioned that
compat is for support of IPA as an NIS proxy?
cn=compat is a view of the data in rfc2307-compatible format (so
memberUid instead of member). It isn't a separate copy.
It is so clients that don't support 2307bis can still authenticate and
identify users using nss_ldap.
2, Can the migration script be modified to convert "memberUid" to
"member" for
accounts tree? Or can I modify it manually and load the tree with
ldapmod without
breaking IPA?
It already can, see the --schema option.
3, What does Samba use, compat or accounts? I do have a Samba server
setup as
an IPA client and it works very well, but I don't seem to be able
to find a place
to specify either compat or accounts for user and group look up, I
assume IPA
client libraries take care of it. In fact there is no entries that
are related to LDAP
in my smb.conf, there is only a few lines related to IPA/Kerberos:
=====
security = user
passdb backend = smbpasswd
# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
=====
I'm not familiar with configure Samba with an ldap backend, maybe
someone else will chime in.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
