On 07/20/2012 04:56 PM, Qing Chang wrote:
> Migration from OpenLDAP to IPA creates a pair of subtrees for both
> users and groups:
> compat and accounts, use groups as an example:
> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
> IPA web GUI does not show "memberUid" attribute, although it is
> migrated correctly,
> by adding a user to the group in the web GUI, it reveals that member
> is added to both
> compat and accounts, but differently:
> accounts: member:
> compat: memberUid: qchang
> It also reveals that GUI does not display anything for "compat" tree,
> but I can use
> ldap tools to show compat entries.
> My questions:
> 1, why do we have two trees created? I vaguely remember that it is
> mentioned that
> compat is for support of IPA as an NIS proxy?
Compat tree is a different view of the data stored in the main tree.
Main tree follows schema defined by RFC 2307bis for users and groups.
Compat displays same data in RFC 2307 format for clients that do not
understand 2307bis schema (for example for Solaris clients).
NIS uses compat tree for its data.
Internal SUDO schema is also different from the standard for the
benefits of the referential integrity so the external, standard schema
is exposed via compat tree.
> 2, Can the migration script be modified to convert "memberUid" to
> "member" for
> accounts tree? Or can I modify it manually and load the tree with
> ldapmod without
> breaking IPA?
It is not clear what you are trying to do. Main tree is already in the
Changing the data directly would not work. Please use ipa commands.
You can point clients to either main tree or compat tree depending upon
what schema they expect.
You can also switch the compat tree completely. There is a command to do
so added in 2.2.
> 3, What does Samba use, compat or accounts? I do have a Samba server
> setup as
> an IPA client and it works very well, but I don't seem to be able
> to find a place
> to specify either compat or accounts for user and group look up, I
> assume IPA
> client libraries take care of it. In fact there are no entries that
> are related to LDAP
> in my smb.conf, there are only a few lines related to IPA/Kerberos:
Samba uses main tree but I do not think you configured anything other
It seems that samba is using a local back end.
You need more info from samba gurus.
You can catch them on irc on freenode.net or they might chime in here.
> security = user
> passdb backend = smbpasswd
> # Kerberos options
> realm = SRI.UTORONTO.CA
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> Thanks in advance!
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
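
The schema difference described in the reply above (RFC 2307bis `member` DNs in the main tree, RFC 2307 `memberUid` names in the compat tree), as an added example that is not part of the original thread and is not FreeIPA's own code. The user DN layout, the `gidNumber` values, the `subteam` group and the flattening of nested groups are assumptions made for illustration.

```python
import re

SUFFIX = "dc=sri,dc=utoronto,dc=ca"  # suffix as it appears in the thread
GROUP_DN = f"cn=acdp,cn=groups,cn=accounts,{SUFFIX}"
SUB_DN = f"cn=subteam,cn=groups,cn=accounts,{SUFFIX}"  # hypothetical nested group

# Constructed main-tree sample (RFC 2307bis style: members are full DNs).
# The user DN layout and gidNumber values are assumptions, not from the thread.
MAIN_TREE = {
    GROUP_DN: {"cn": ["acdp"], "gidNumber": ["5000"],
               "member": [f"uid=qchang,cn=users,cn=accounts,{SUFFIX}", SUB_DN]},
    SUB_DN: {"cn": ["subteam"], "gidNumber": ["5001"],
             "member": [f"uid=jdoe,cn=users,cn=accounts,{SUFFIX}", GROUP_DN]},
}


def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN; a '\\,' does not split."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().replace("\\,", ",")


def member_uids(group_dn, tree, seen=None):
    """Resolve member DNs to login names, visiting each nested group once."""
    seen = set() if seen is None else seen
    if group_dn in seen:  # membership loop: stop here
        return set()
    seen.add(group_dn)
    uids = set()
    for dn in tree.get(group_dn, {}).get("member", []):
        attr, value = first_rdn(dn)
        if attr == "uid":
            uids.add(value)
        elif dn in tree:  # nested group: RFC 2307 has no nesting, so flatten
            uids |= member_uids(dn, tree, seen)
    return uids


def compat_view(group_dn, tree):
    """Build the RFC 2307 form of one group: same data, memberUid names."""
    entry = tree[group_dn]
    compat_dn = group_dn.replace(",cn=accounts,", ",cn=compat,", 1)
    return compat_dn, {"objectClass": ["posixGroup"], "cn": entry["cn"],
                       "gidNumber": entry["gidNumber"],
                       "memberUid": sorted(member_uids(group_dn, tree))}


if __name__ == "__main__":
    dn, attrs = compat_view(GROUP_DN, MAIN_TREE)
    print("dn:", dn)
    for name, values in attrs.items():
        for value in values:
            print(f"{name}: {value}")
```

The main-tree data is the only input; the compat-style entry is computed from it, which is why the reply describes the compat tree as a view rather than a second copy to edit.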