On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek <[email protected]> wrote:
>
> I am also CCing Gianluca who contributed the HOWTO. I checked it again and
> tried to apply it on my FreeIPA 4.1.3, my compat group now contains the
> proper uniqueMember attribute and groupOfUniqueNames objectclass.
>
> I am not sure though why are also users updated (mostly question to
> Gianluca):
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
>
> For instance, "uniqueMember" is not valid objectclass. Also, if you are
> adding iNetOrgPerson objectclass, you should have all its MUST attributes
> also generated - otherwise consuming programs may break if they depend on
> such attributes to exist. I see that "sn" is missing in my compat user
> entries.
>
> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
> entry so that we can see if the uniqueMember attribute is really configured
> correctly?
>
> Thanks,
> Martin
>

users' updates were forced by vSphere originated queries.
For example without adding iNetOrgPerson objectclass, when I wanted to bind a permission to a user and searched for users in vSphere, I got this error

05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2 filter="(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))" attrs="description entryuuid givenName initials mail pwdaccountlockedtime shadowExpire sn title uid userPassword"

So I verified that after adding inetOrgPerson I was then able to add users to permissions.
Probably I have to check which are the MUST attributes for it so that we add them too.

As far as I understood, the use of compat was indeed to add uniqueMember that is expected to be there by vSphere, at least in 5.1

Gianluca
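
The consistency check raised in the thread (objectClass values that are really attribute types, and inetOrgPerson entries without their MUST attributes), as an added example that is not part of the original messages or of FreeIPA. The function names, the sample entries and the short list of attribute types are assumptions made for illustration; the MUST sets follow the standard person / organizationalPerson / inetOrgPerson definitions.

```python
# Added example (not from the thread): audit compat-tree user entries.
# MUST attributes, inheritance included, per RFC 4519 and RFC 2798.
MUST = {
    "person": {"sn", "cn"},
    "organizationalperson": {"sn", "cn"},
    "inetorgperson": {"sn", "cn"},
}
# Attribute types sometimes listed as object classes by mistake (illustrative list).
ATTRIBUTE_TYPES = {"uniquemember", "member", "memberuid"}

# Constructed sample entries; the uid values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: inetOrgPerson
objectClass: uniqueMember
cn: Alice Example
uid: alice

dn: uid=bob,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: inetOrgPerson
cn: Bob Example
sn: Example
uid: bob
"""

def parse_ldif(text):
    """Parse plain LDIF text into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        unfolded = block.replace("\n ", "")  # undo LDIF line folding
        entry = {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (dn, problem) pairs for schema inconsistencies in the entries."""
    findings = []
    for e in entries:
        dn = e["dn"][0]
        for oc in e.get("objectclass", []):
            if oc.lower() in ATTRIBUTE_TYPES:
                findings.append((dn, f"objectClass value '{oc}' is an attribute type"))
            for attr in sorted(set(MUST.get(oc.lower(), ())) - set(e)):
                findings.append((dn, f"{oc} requires '{attr}'"))
    return findings
```

Feeding it the output of an ldapsearch against the compat tree shows which generated entries a strict LDAP consumer could reject.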
