On 12/07/2014 07:29 PM, Gianluca Cecchi wrote:
> On Sun, Dec 7, 2014 at 3:44 PM, Gianluca Cecchi <gianluca.cec...@gmail.com>
> wrote:
>
>> Hello,
>> I'm quite near to having users and groups working using ipa 3.3 as in CentOS
>> 7, as this gives the ability to do binds against the compat tree.
>> This is with the use of schema compatibility.
>>
>> The last step I need is getting components of groups so that vSphere can
>> enforce group membership permission over the user set.
>>
>> The query from vSphere after my modifications, when it searches for users
>> belonging to groups, is sort of
>>
>> ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local"
>> "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local))"
>>
>> so I provided an ldif modification for cn=groups,cn=compat this way
>>
>> schema-compat-entry-attribute: uniqueMember=%{member}
>>
>> but this produces something like this when I query, for example, a created
>> group named esxpower to be used for power users
>>
>> # esxpower, groups, compat, localdomain.local
>> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
>> objectClass: posixGroup
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> gidNumber: 1639600006
>> memberUid: gcecchi
>> memberUid: vadmin
>> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>> uniqueMember: uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
>> cn: esxpower
>>
>> so the problem is I have to change the entry
>> schema-compat-entry-attribute: uniqueMember=%{member}
>>
>> with a sort of function that gives cn=compat instead of cn=accounts in the
>> line
>> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>>
>> I also read /usr/share/doc/slapi-nis-0.52/format-specifiers.txt
>> but I didn't come to a sort of "substitute" function so that I can change
>> %{member} with the same but with the word "compat" instead of "accounts".
>>
>> I plan to detail all my steps once I can accomplish this.
>>
>> Thanks in advance,
>>
>> Gianluca
>>
>
> Tried with
> schema-compat-entry-attribute:
> uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>
> but it seems it works with some groups (the system groups) but not with the
> other ones I have created...
>
> ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local"
>
> gives
>
> # admins, groups, compat, localdomain.local
> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> gidNumber: 1639600000
> memberUid: admin
> uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
> cn: admins
>
> but in the esxpower group I see only the memberUid entry and not the
> uniqueMember entry
>
> # esxpower, groups, compat, localdomain.local
> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> gidNumber: 1639600006
> memberUid: gcecchi
> memberUid: vadmin
> cn: esxpower
>
> Gianluca
CCing Ludwig and Thierry, in case they have some idea.

BTW, if we manage to resolve the issue, it would be nice if you could contribute a howto with the configuration changes to http://www.freeipa.org/page/HowTos :-)

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
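As an added example (not code from the thread or from slapi-nis), the following Python models the `%regsub` rewrite Gianluca configured, applied to the esxpower member DNs quoted above, and then evaluates the vSphere-style filter against the rewritten values. The `%regsub` semantics (the template's `%1`, `%2` expanding to regex capture groups) are assumed from the configuration line rather than taken from slapi-nis source, the `STRICT_*` pattern is a suggested alternative rather than something the thread used, and the filter check is a simplified model of LDAP matching.

```python
import re

# Constructed sample: the esxpower group's 'member' values as they exist under
# cn=accounts, i.e. what %{member} expands to in the schema-compat map.
ACCOUNTS_MEMBERS = [
    "uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local",
    "uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local",
]

# The pattern and template arguments given to %regsub in the thread.
REGSUB_PATTERN = r"^(.*)accounts(.*)"
REGSUB_TEMPLATE = "%1compat%2"

# Tighter alternative (assumption, not from the thread): anchor on the RDN so
# only the cn=accounts container is rewritten, never a uid containing that word.
STRICT_PATTERN = r"^(.*),cn=accounts,(.*)"
STRICT_TEMPLATE = "%1,cn=compat,%2"


def regsub(value, pattern, template):
    """Emulate slapi-nis %regsub (assumed semantics): match the value against
    the pattern and expand %1, %2, ... in the template from the capture groups.
    A value that does not match yields no attribute value (None)."""
    m = re.match(pattern, value)
    if m is None:
        return None
    return re.sub(r"%(\d+)", lambda g: m.group(int(g.group(1))), template)


def compat_unique_members(member_values, pattern=REGSUB_PATTERN, template=REGSUB_TEMPLATE):
    """Build the uniqueMember values a compat group entry would carry."""
    return [v for v in (regsub(m, pattern, template) for m in member_values) if v is not None]


def vsphere_filter_matches(object_classes, unique_members, user_dn):
    """Model of the vSphere search filter from the thread:
    (&(objectClass=groupOfUniqueNames)(uniqueMember=<user compat DN>)).
    Real DN matching normalises more than case; this model lowercases only."""
    if "groupOfUniqueNames" not in object_classes:
        return False
    return user_dn.lower() in (u.lower() for u in unique_members)


if __name__ == "__main__":
    members = compat_unique_members(ACCOUNTS_MEMBERS)
    for dn in members:
        print(dn)
    print(vsphere_filter_matches(["posixGroup", "groupOfUniqueNames", "top"], members,
                                 "uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local"))
```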