On 03/05/2015 09:29 AM, Gianluca Cecchi wrote:
> On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek <mko...@redhat.com> wrote:
>
>>
>> I am also CCing Gianluca who contributed the HOWTO. I checked it again and
>> tried to apply it on my FreeIPA 4.1.3, my compat group now contains the
>> proper uniqueMember attribute and groupOfUniqueNames objectclass.
>>
>> I am not sure though why are also users updated (mostly question to
>> Gianluca):
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=uniqueMember
>> -
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=inetOrgPerson
>> -
>>
>> For instance, "uniqueMember" is not a valid objectclass. Also, if you are
>> adding iNetOrgPerson objectclass, you should have all its MUST attributes
>> also generated - otherwise consuming programs may break if they depend on
>> such attributes to exist. I see that "sn" is missing in my compat user
>> entries.
>>
>> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
>> entry so that we can see if the uniqueMember attribute is really configured
>> correctly?
>>
>> Thanks,
>> Martin
>>
>
> users' updates were forced by vSphere originated queries.
> For example without adding iNetOrgPerson objectclass, when I wanted to bind
> a permission to a user and searched for users in vSphere, I got this error
>
> 05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH
> base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2
> filter="(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))"
> attrs="description entryuuid givenName initials mail pwdaccountlockedtime
> shadowExpire sn title uid userPassword"

I see. The filter is quite strange though, I am not sure why is vSphere
searching for the same value twice. I assume this is a (benign) bug in vSphere:

(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))

> So I verified that adding inetOrgPerson I was then able to add users to
> permissions.
> Probably I have to check which are the MUST attributes for it so that we
> add them too
>
> As far as I understood, the use of compat was indeed to add uniqueMember
> that is expected to be there by vSphere, at least in 5.1

I checked the MUST already, I updated
http://www.freeipa.org/page/HowTo/vsphere5_integration
and added the missing SN attribute and removed the invalid objectClass. I hope
that's fine with you.

HTH,
Martin
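
Added example, not part of the original thread or of the FreeIPA HOWTO: a small lint for schema-compat-entry-attribute values that catches the two problems discussed above, an objectclass value that is not an objectclass and a declared objectclass whose MUST attributes are not generated. The function names, the two-entry MUST table (taken from RFC 4519 and RFC 2798) and the sample configuration lines are assumptions made for this illustration.

```python
# Added example: lint schema-compat-entry-attribute values.
# MUST sets: person (RFC 4519) gives inetOrgPerson (RFC 2798) its sn and cn;
# groupOfUniqueNames per RFC 4519. The table is deliberately small.
MUST = {
    "inetorgperson": {"sn", "cn"},
    "groupofuniquenames": {"cn", "uniquemember"},
}

def compat_attributes(ldif):
    """Return (name, value) pairs from schema-compat-entry-attribute lines."""
    pairs = []
    for line in ldif.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key.strip().lower() == "schema-compat-entry-attribute":
            name, eq, value = rest.strip().partition("=")
            if eq:
                pairs.append((name.strip().lower(), value.strip()))
    return pairs

def lint(ldif, table=MUST):
    """List objectclass values not in the table or lacking a MUST attribute."""
    pairs = compat_attributes(ldif)
    generated = {name for name, _ in pairs if name != "objectclass"}
    problems = []
    for name, value in pairs:
        if name != "objectclass":
            continue
        required = table.get(value.lower())
        if required is None:
            problems.append(f"{value}: not an objectclass in the table")
            continue
        for attr in sorted(required - generated):
            problems.append(f"{value}: MUST attribute {attr} is not generated")
    return problems

# Constructed input: the two objectclass lines are from the thread; the cn and
# uid lines are assumed to be already present in the users compat entry.
BEFORE = """\
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=uniqueMember
schema-compat-entry-attribute: objectclass=inetOrgPerson
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: uid=%{uid}
"""
# Constructed corrected form: invalid objectclass dropped, sn generated.
AFTER = BEFORE.replace("objectclass=uniqueMember", "sn=%{sn}")

if __name__ == "__main__":
    print(lint(BEFORE))
    print(lint(AFTER))
```

An objectclass missing from the table is reported only as unknown to this lint; extend MUST with the other classes your compat tree declares before relying on the result.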