On 12/09/2014 10:05 AM, Martin Kosek wrote:
> On 12/07/2014 07:29 PM, Gianluca Cecchi wrote:
>> On Sun, Dec 7, 2014 at 3:44 PM, Gianluca Cecchi <[email protected]> wrote:
>>
>>> Hello,
>>> I'm quite near to having users and groups working using ipa 3.3 as in CentOS 7,
>>> as this gives the ability to do binds against the compat tree.
>>> This is with the use of schema compatibility.
>>>
>>> The last step I need is getting the components of groups so that vSphere can
>>> enforce group membership permission over the user set.
>>>
>>> The query from vSphere after my modifications, when it searches for users
>>> belonging to groups, is sort of
>>>
>>> ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local))"
>>>
>>> so I provided an ldif modification for cn=groups,cn=compat this way:
>>>
>>> schema-compat-entry-attribute: uniqueMember=%{member}
>>>
>>> but this produces something like this when I query, for example, a created
>>> group named esxpower to be used for power users:
>>>
>>> # esxpower, groups, compat, localdomain.local
>>> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
>>> objectClass: posixGroup
>>> objectClass: groupOfUniqueNames
>>> objectClass: top
>>> gidNumber: 1639600006
>>> memberUid: gcecchi
>>> memberUid: vadmin
>>> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>>> uniqueMember: uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
>>> cn: esxpower
>>>
>>> so the problem is I have to change the entry
>>> schema-compat-entry-attribute: uniqueMember=%{member}
>>>
>>> with a sort of function that gives cn=compat instead of cn=accounts in the line
>>> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>>>
>>> I read also /usr/share/doc/slapi-nis-0.52/format-specifiers.txt
>>> but I didn't come to a sort of "substitute" function so that I can change
>>> %{member} with the same but with the "compat" word instead of "accounts".
>>>
>>> I plan to detail all my steps once I can accomplish this.
>>>
>>> Thanks in advance,
>>>
>>> Gianluca
>>>
>>
>> Tried with
>> schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
>>
>> but it seems it works with some groups (the system groups) but not with the
>> other ones I have created...
>>
>> ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local"
>>
>> gives
>>
>> # admins, groups, compat, localdomain.local
>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>> objectClass: posixGroup
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> gidNumber: 1639600000
>> memberUid: admin
>> uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
>> cn: admins
>>
>> but in the esxpower group I see only the memberUid entries and not the
>> uniqueMember entries:
>>
>> # esxpower, groups, compat, localdomain.local
>> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
>> objectClass: posixGroup
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> gidNumber: 1639600006
>> memberUid: gcecchi
>> memberUid: vadmin
>> cn: esxpower
>>
>> Gianluca
>
> CCing Ludwig and Thierry, in case they have some idea.
>
> BTW, if we manage to resolve the issue, it would be nice if you could
> contribute a howto with the configuration changes to
>
> http://www.freeipa.org/page/HowTos
>
> :-)
>
> Martin
Please ignore my mail above; I see Gianluca informed about resolving the issue
in another thread, "[Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7
finally works! [How I did it...]".

Martin
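The thread never shows how Gianluca confirmed which groups the regsub rewrite had reached, so here is the check a practitioner would want to run against the ldapsearch dump of cn=groups,cn=compat. This is an added example written for this page, not code from the thread, from FreeIPA or from slapi-nis: it parses the LDIF that ldapsearch prints (including folded continuation lines and "#" comments), reports every groupOfUniqueNames entry whose memberUid and uniqueMember values disagree or whose uniqueMember DNs still point at cn=accounts, and emulates the vSphere filter (&(objectClass=groupOfUniqueNames)(uniqueMember=<user dn>)) so you can see which groups vSphere would resolve for a given user. The sample LDIF is constructed from the two entries quoted in the thread; the third group "esxro", its gid-less entry and the COMPAT_USERS base are assumptions made for the demonstration, and the DN normalisation is a deliberate simplification, not an RFC 4514 canonicaliser.

```python
"""Added example, not from the thread: an offline check of the uniqueMember
values slapi-nis emits into cn=groups,cn=compat. It parses an ldapsearch LDIF
dump, flags groups whose memberUid and uniqueMember values disagree or whose
uniqueMember DNs still point at cn=accounts, and emulates the vSphere filter."""
import re

# Python equivalent of the slapi-nis expression tried in the thread:
#   %regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
ACCOUNTS_RE = re.compile(r"^(.*)accounts(.*)$")


def rewrite_member_dn(dn):
    """Turn ...,cn=accounts,... into ...,cn=compat,... with the thread's regex."""
    return ACCOUNTS_RE.sub(r"\1compat\2", dn)


def norm_dn(dn):
    """Cheap DN normalisation (lower-case, no blanks around commas), not RFC 4514."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values): unfold continuation lines,
    skip '#' comments, split entries on blank lines -> [(dn, {attr: [values]})]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # ldapsearch folds long lines at 76 chars
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if attr == "dn":
                current = (value.strip(), {})
            elif current:
                current[1].setdefault(attr, []).append(value.strip())
    return entries


def uid_of(dn):
    """uid value of the leading RDN, or None when the RDN is not uid=..."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" else None


def check_groups(entries, compat_users_base):
    """{cn: [problems]} per groupOfUniqueNames entry; [] means it looks consistent."""
    base = "," + norm_dn(compat_users_base)
    report = {}
    for dn, attrs in entries:
        if "groupOfUniqueNames" not in attrs.get("objectClass", []):
            continue
        member_uids = set(attrs.get("memberUid", []))
        unique = attrs.get("uniqueMember", [])
        seen = {uid_of(m) for m in unique} - {None}
        problems = ["uniqueMember not under the compat tree: " + m
                    for m in unique if not norm_dn(m).endswith(base)]
        if unique:
            problems += ["memberUid %s has no uniqueMember" % u for u in sorted(member_uids - seen)]
            problems += ["uniqueMember %s has no memberUid" % u for u in sorted(seen - member_uids)]
        elif member_uids:   # exactly what the thread saw for esxpower
            problems.append("no uniqueMember values although memberUid is present")
        report[attrs.get("cn", [dn])[0]] = problems
    return report


def groups_for_user(entries, user_dn):
    """Emulate (&(objectClass=groupOfUniqueNames)(uniqueMember=<user_dn>))."""
    target = norm_dn(user_dn)
    return sorted(attrs["cn"][0] for _, attrs in entries
                  if "groupOfUniqueNames" in attrs.get("objectClass", [])
                  and any(norm_dn(m) == target for m in attrs.get("uniqueMember", [])))


# Constructed sample modelled on the thread's ldapsearch output; "esxro" is
# invented here to show an unrewritten %{member} value (cn=accounts), folded
# across two lines the way ldapsearch prints long attribute values.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
memberUid: admin
uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
cn: admins

dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
memberUid: gcecchi
memberUid: vadmin
cn: esxpower

dn: cn=esxro,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: groupOfUniqueNames
memberUid: vadmin
uniqueMember: uid=vadmin,cn=users,cn=accounts,
 dc=localdomain,dc=local
cn: esxro
"""
COMPAT_USERS = "cn=users,cn=compat,dc=localdomain,dc=local"   # assumed base
```

To use it against a real server, replace SAMPLE_LDIF with the output of `ldapsearch -x -b "cn=groups,cn=compat,..."` and call `check_groups(parse_ldif(text), COMPAT_USERS)`; a group that comes back with "no uniqueMember values" is one vSphere will never match, and a DN reported as "not under the compat tree" is one the regsub did not rewrite. `groups_for_user` answers the same question from vSphere's side: on the sample it finds "admins" for the admin user but nothing for gcecchi, which is the symptom the thread describes.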
