Ok here is the search result;

# ldapsearch -x -D "cn=Directory Manager" -W -b "cn=config" cn=groups
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=groups
# requesting: ALL
#

# groups, Schema Compatibility, plugins, config
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-container-group: cn=compat, dc=localdomain,dc=local
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=localdomain,dc=local
schema-compat-entry-attribute: %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objec
 tclass=ipaOverrideTarget","")
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchor
 uuid=:IPA:cloud.local:%{ipauniqueid}","")
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectcla
 ss=ipaOverrideTarget","")
schema-compat-entry-attribute: ipaanchoruuid=%{ipaanchoruuid}
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts
 (.*)","%1compat%2")
schema-compat-restrict-subtree: cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-restrict-subtree: dc=localdomain,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

On 3/5/2015 at 3:54 PM, "Martin Kosek" <mko...@redhat.com> wrote:

>
> On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
>> Oops, I got that wrong, my groups don't show the 'uniqueMember'
>> attribute. Here is an example returned from ldapsearch;
>>
>> # admins, groups, compat, localdomain.local
>> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
>> gidNumber: 756200000
>> memberUid: admin
>> memberUid: vadmin
>> objectClass: posixGroup
>> objectClass: groupOfUniqueNames
>> objectClass: top
>> cn: admins
>>
>>
>> On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:
>>
>> Hi Martin,
>>
>> Using my vadmin account,
>> "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local", the
>> search completes successfully and I get a list of my users and
>> groups; however, when I've watched the ldap queries between vcenter
>> and freeipa I can see it's applying a filter to the user search
>> looking for 'objectClass=groupOfUniqueNames', which my groups don't
>> seem to contain.
>>
>> I'm very much an ldap newbie, but I thought at step two in the
>> vsphere integration howto I modified the groups schema to include
>> that object class?
>>
>> On 3/4/2015 at 8:32 PM, "Martin Kosek" <mko...@redhat.com> wrote:
>>
>> Given that this HOWTO does not use the vanilla Schema Compatibility
>> settings (FreeIPA Compat Tree by default uses posixGroup objectclass
>> and memberUid attribute for user membership), I would check if the
>> groups really have the right objectclass and uniqueMember generated:
>>
>> # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"
>>
>> I expect there will be some problem preventing the LDAP search to
>> succeed. Then we would know where to look next.
>>
>> Martin
>>
>
> I am also CCing Gialunca who contributed the HOWTO. I checked it again
> and tried to apply it on my FreeIPA 4.1.3; my compat groups now contain
> the proper uniqueMember attribute and groupOfUniqueNames objectclass.
>
> I am not sure though why users are also updated (mostly a question to
> Gialunca):
>
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> For instance, "uniqueMember" is not a valid objectclass. Also, if you
> are adding the inetOrgPerson objectclass, you should have all its MUST
> attributes also generated - otherwise consuming programs may break if
> they depend on such attributes to exist. I see that "sn" is missing in
> my compat user entries.
>
> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
> entry so that we can see if the uniqueMember attribute is really
> configured correctly?
>
> Thanks,
> Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
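As an added example (not from the thread or from FreeIPA's own code), a small Python check for the two points Martin raises: it first joins the folded LDIF lines that ldapsearch emits (the "objec tclass" wraps in the output above), then reports an objectclass=X entry attribute where X is not an objectClass and an inetOrgPerson class generated without its MUST attribute sn. The sample cn=users entry, the objectClass list and the MUST table are constructed assumptions, not taken from a live server.

```python
import re

# Constructed sample: a cn=users Schema Compatibility entry as the HOWTO in the
# thread modifies it (the leading-space line is LDIF folding, as ldapsearch emits).
USERS_LDIF = """\
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-rdn: uid=%{uid}
schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectcla
 ss=ipaOverrideTarget","")
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: objectclass=uniqueMember
schema-compat-entry-attribute: objectclass=inetOrgPerson
schema-compat-entry-attribute: cn=%{cn}
"""

# Assumed subset of the directory schema: which names are objectClasses and
# which attributes they require (uniqueMember is an attribute type, not a class).
KNOWN_OBJECTCLASSES = {"posixAccount", "posixGroup", "groupOfUniqueNames",
                       "inetOrgPerson", "ipaOverrideTarget"}
MUST_ATTRS = {"inetOrgPerson": {"cn", "sn"}}


def parse_ldif(text):
    """Return {attr: [values]} for one LDIF entry after joining folded lines."""
    entry = {}
    for line in text.replace("\n ", "").splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_compat_entry(text):
    """Return problem strings for one schema-compat container entry."""
    entry = parse_ldif(text)
    specs = (entry.get("schema-compat-entry-rdn", [])
             + entry.get("schema-compat-entry-attribute", []))
    # Every 'name=' in a spec (conditional %ifeq ones included) is an attribute
    # the plugin may emit; 'objectclass=X' names the classes the entry claims.
    generated = {a.lower() for s in specs for a in re.findall(r"\b([A-Za-z]+)=", s)}
    classes = {c for s in specs for c in re.findall(r"(?i)objectclass=([A-Za-z]+)", s)}
    problems = []
    for oc in sorted(classes):
        if oc not in KNOWN_OBJECTCLASSES:
            problems.append(f"objectclass={oc}: not an objectClass")
        missing = sorted(a for a in MUST_ATTRS.get(oc, ()) if a not in generated)
        if missing:
            problems.append(f"{oc}: MUST attribute(s) not generated: {', '.join(missing)}")
    return problems
```

Run check_compat_entry() on the LDIF of each Schema Compatibility container entry; an empty list means the generated objectclasses are consistent with the table above.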