On 23/07/2012 3:33 PM, Rob Crittenden wrote:
Qing Chang wrote:


On 20/07/2012 5:14 PM, Rob Crittenden wrote:
Qing Chang wrote:
Greetings,

Migration from OpenLDAP to IPA creates a pair of subtrees for both users and groups:
compat and accounts, use groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca

IPA web GUI does not show "memberUid" attribute, although it is migrated correctly,
by adding a user to the group in the web GUI, it reveals that member is added to both
compat and accounts, but differently:
accounts: member:
uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang

It also reveals that GUI does not display anything for "compat" tree, but I can use
ldap tools to show compat entries.
My questions:
1, why do we have two trees created? I vaguely remember that it is mentioned that
     compat is for support of IPA as an NIS proxy?

cn=compat is a view of the data in rfc2307-compatible format (so
memberUid instead of member). It isn't a separate copy.

It is so clients that don't support 2307bis can still authenticate and
identify users using nss_ldap.

2, Can the migration script be modified to convert "memberUid" to "member" for
     accounts tree? Or can I modify it manually and load the tree with ldapmod without
     breaking IPA?

It already can, see the --schema option.

it says:
  --schema=['RFC2307bis', 'RFC2307']
                         The schema used on the LDAP server. Supported values
                         are RFC2307 and RFC2307bis. The default is RFC2307bis

I assume I am using the default. Does this mean that I should use
RFC2307 instead?
It does not make much sense to me because my OpenLDAP server is using
RFC2307 if I understand your comments above right.

If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to specify membership) then use --schema=RFC2307.

You are specifying the remote schema, not the local schema.

Indeed it is the remote schema, for future reference, this is my command line:
# ipa -d migrate-ds ldap://ldap:389 --bind-dn=cn=Manager,dc=... --group-container=ou=group --group-overwrite-gid --schema=RFC2307 --with-compat --group-objectclass=posixGroup

rob
Your help is much appreciated!

Qing

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
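
The difference between the two membership forms discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA's migration code: it maps RFC2307 `memberUid` names to RFC2307bis `member` DNs and back, using the suffix and user container quoted above. The helper names are hypothetical, and reporting names that have no user entry is an assumption of this sketch.

```python
import re

# Added illustration, not FreeIPA code; helper names are hypothetical.
BASE = "dc=sri,dc=utoronto,dc=ca"        # suffix seen in the thread
USERS = "cn=users,cn=accounts," + BASE   # user container seen in the thread

def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514 character escapes)."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if ch in ',+"\\<>;' or edge else ch)
    return "".join(out)

def first_rdn(dn):
    """Return the leftmost RDN, splitting only on an unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2            # skip the escaped character
        elif dn[i] == ",":
            return dn[:i]
        else:
            i += 1
    return dn

def to_rfc2307bis(member_uids, known_uids):
    """memberUid names -> member DNs; names with no user entry are reported."""
    members, unresolved = [], []
    for uid in member_uids:
        if uid in known_uids:
            members.append("uid=%s,%s" % (escape_rdn_value(uid), USERS))
        else:
            unresolved.append(uid)
    return members, unresolved

def to_memberuid(member_dns):
    """member DNs -> memberUid names, the form shown under cn=compat."""
    uids = []
    for dn in member_dns:
        attr, _, value = first_rdn(dn).partition("=")
        if attr.strip().lower() == "uid":   # non-user members skipped in this sketch
            uids.append(re.sub(r"\\(.)", r"\1", value))
    return uids

if __name__ == "__main__":
    # Constructed sample: "ghost" has no user entry in the target tree.
    dns, missing = to_rfc2307bis(["qchang", "ghost"], {"qchang"})
    print(dns, missing, to_memberuid(dns))
```

A name left in the unresolved list is a membership that exists only as a string in the source directory, which is worth reviewing before relying on the migrated group for access decisions.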