Qing Chang wrote:
Migration from OpenLDAP to IPA creates a pair of subtrees for both users
compat and accounts, use groups as an example:
IPA web GUI does not show "memberUid" attribute, although it is
by adding a user to the group in the web GUI, it reveals that member is
added to both
compat and accounts, but differently:
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang
It also reveals that GUI does not display anything for "compat" tree,
but I can use
ldap tools to show compat entries.
1, why do we have two trees created? I vaguely remember that it is
compat is for support of IPA as an NIS proxy?
cn=compat is a view of the data in rfc2307-compatible format (so
memberUid instead of member). It isn't a separate copy.
It is so clients that don't support 2307bis can still authenticate and
identify users using nss_ldap.
2, Can the migration script be modified to convert "memberUid" to
accounts tree? Or can I modify it manually and load the tree with
It already can, see the --schema option.
3, What does Samba use, compat or accounts? I do have a Samba server
an IPA client and it works very well, but I don't seem to be able
to find a place
to specify either compat or accounts for user and group look up, I
client libraries take care of it. In fact there are no entries that
are related to LDAP
in my smb.conf, there are only a few lines related to IPA/Kerberos:
security = user
passdb backend = smbpasswd
# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
I'm not familiar with configuring Samba with an ldap backend, maybe
someone else will chime in.
Freeipa-users mailing list
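
Added example (not part of the thread, and not FreeIPA's or the migration script's code): the mapping between the rfc2307 form (memberUid) and the member-DN form discussed above, including the DN escaping a uid needs when it is placed in a DN. The user container DN is the one quoted in the thread; the group, the second uid and the function names are constructed, and only direct user members are mapped.

```python
# Added example: maps group membership between the two forms in the thread.
# USER_BASE is the container DN quoted in the thread; groups and uids are constructed.
USER_BASE = "cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca"
HEX = "0123456789abcdefABCDEF"

def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514 special characters)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def first_rdn_value(dn):
    """Unescaped value of the leading RDN; an escaped comma does not end it."""
    value, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        pair = dn[i + 1:i + 3]
        if dn[i] == "\\" and len(pair) == 2 and all(c in HEX for c in pair):
            value.append(chr(int(pair, 16)))   # hex-pair escape such as \00
            i += 3
        elif dn[i] == "\\":
            value.append(dn[i + 1:i + 2])      # single escaped character
            i += 2
        else:
            value.append(dn[i])
            i += 1
    return "".join(value)

def to_2307bis(group):
    """rfc2307 group (memberUid values) -> group with member DNs."""
    out = {k: list(v) for k, v in group.items() if k != "memberUid"}
    out["member"] = [f"uid={escape_rdn_value(u)},{USER_BASE}"
                     for u in group.get("memberUid", [])]
    return out

def to_compat_view(group):
    """Group with member DNs -> rfc2307-style view; non-user DNs are skipped."""
    out = {k: list(v) for k, v in group.items() if k != "member"}
    out["memberUid"] = [first_rdn_value(dn) for dn in group.get("member", [])
                        if dn.lower().endswith("," + USER_BASE)]
    return out

if __name__ == "__main__":
    legacy = {"cn": ["staff"], "gidNumber": ["5001"], "memberUid": ["qchang", "smith,j"]}
    print(to_2307bis(legacy)["member"])
    print(to_compat_view(to_2307bis(legacy))["memberUid"])
```

Building the DN by plain string concatenation, without the escaping step, would turn a uid such as "smith,j" into a DN that points at a different entry.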