On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek <mko...@redhat.com> wrote:

> I am also CCing Gialunca who contributed the HOWTO. I checked it again and
> tried to apply it on my FreeIPA 4.1.3, my compat group now contains the proper
> uniqueMember attribute and groupOfUniqueNames objectclass.
> I am not sure though why users are also updated (mostly a question to
> Gialunca):
> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=uniqueMember
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=inetOrgPerson
> -
> For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding
> iNetOrgPerson objectclass, you should have all its MUST attributes also
> generated - otherwise consuming programs may break if they depend on such
> attributes to exist. I see that "sn" is missing in my compat user entries.
> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry
> so that we can see if the uniqueMember attribute is really configured
> correctly?
> Thanks,
> Martin

Users' updates were forced by vSphere-originated queries.
For example, without adding the iNetOrgPerson objectclass, when I wanted to bind
a permission to a user and searched for users in vSphere, I got this error:

05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH
base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2
attrs="description entryuuid givenName initials mail pwdaccountlockedtime
shadowExpire sn title uid userPassword"

So I verified that adding inetOrgPerson I was then able to add users to
Probably I have to check which are the MUST attributes for it so that we
add them too

As far as I understood, the use of compat was indeed to add uniqueMember
that is expected to be there by vSphere, at least in 5.1
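
The MUST-attribute question raised in the thread can be checked offline against an LDIF export of the compat tree. The following is an added example, not code from the thread or from FreeIPA: the `SCHEMA` table is a hand-copied subset of the standard definitions, and the sample entry (including the `dc=example,dc=test` suffix) is constructed.

```python
# Added example with constructed data. SCHEMA is a hand-copied subset of
# RFC 4519 / RFC 2798 / RFC 2307, not read from a live server.
SCHEMA = {  # objectclass (lowercase) -> (superior, own MUST attributes)
    "top": (None, {"objectclass"}),
    "person": ("top", {"sn", "cn"}),
    "organizationalperson": ("person", set()),
    "inetorgperson": ("organizationalperson", set()),
    "posixaccount": ("top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}),
    "groupofuniquenames": ("top", {"uniquemember", "cn"}),
}

def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts."""
    entries = []
    # Join folded continuation lines, then split entries on blank lines.
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": "))
        if entry:
            entries.append(entry)
    return entries

def required_attrs(objectclass):
    """MUST attributes including inherited ones; None if not in SCHEMA."""
    name, must = objectclass.lower(), set()
    if name not in SCHEMA:
        return None
    while name:
        name, own = SCHEMA[name]  # walk up to the superior class
        must |= own
    return must

def check_entry(entry):
    """List schema problems for one parsed entry, in objectClass order."""
    problems = []
    for oc in entry.get("objectclass", []):
        must = required_attrs(oc)
        if must is None:
            problems.append(f"{oc}: not a known objectclass")
        else:
            problems += [f"{oc}: missing MUST attribute {a}" for a in sorted(must - set(entry))]
    return problems

SAMPLE = (  # constructed compat user entry
    "dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=test\n"
    "objectClass: posixAccount\nobjectClass: inetOrgPerson\nobjectClass: uniqueMember\n"
    "cn: John Doe\nuid: jdoe\nuidNumber: 1000\ngidNumber: 1000\nhomeDirectory: /home/jdoe\n"
)
```

Running `check_entry` over each entry returned by `parse_ldif(SAMPLE)` reports the missing `sn` and flags `uniqueMember` as an objectclass value that is not in the table.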
