On 03/05/2015 09:29 AM, Gianluca Cecchi wrote:
> On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek <mko...@redhat.com> wrote:
> 
>>
>> I am also CCing Gialunca who contributed the HOWTO. I checked it again and
>> tried to apply it on my FreeIPA 4.1.3, my compat group now contain the
>> proper
>> uniqueMember attribute and groupOfUniqueNames objectclass.
>>
>> I am not sure though why are also users updated (mostly question to
>> Gialunca):
>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=uniqueMember
>> -
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: objectclass=inetOrgPerson
>> -
>>
>> For instance, "uniqueMember" is not valid objectclass. Also, if you are
>> adding
>> iNetOrgPerson objectclass, you should have all it's MUST attributes also
>> generated - otherwise consuming programs may break if they depend on such
>> attributes to exist. I see that "sn" is missing in my compat user entries.
>>
>> Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
>> entry
>> so that we can see if the uniqueMember attribute is really configured
>> correctly?
>>
>> Thanks,
>> Martin
>>
> 
> 
> users' updates were force by vSphere originated queries.
> For example without adding iNetOrgPerson objectclass, when I wanted to bind
> a permission to a user and searched for users in vSPhere, I got this error
> 
> 05/Dec/2014:22:59:21 +0100] conn=1831 op=34 SRCH
> base="cn=users,cn=compat,dc=localdomain,dc=local" scope=2
> filter="(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))"
> attrs="description entryuuid givenName initials mail pwdaccountlockedtime
> shadowExpire sn title uid userPassword"

I see. The filter is quite strange though, I am not sure why is vSphere
searching for the same value twice. I assume this is a (benign) bug in vSphere:

(&(objectClass=inetOrgPerson)(objectClass=inetOrgPerson))

> So I verified that adding inetOrgPerson I was then able to add users to
> permissions.
> Probably I have to check which are the MUST attributes for it so that we
> add the too
> 
> As far as I understood, the use of compat was indeed to add uniqueMember
> that is expected to be there by vSphere, at least in 5.1

I checked the MUST already, I updated

http://www.freeipa.org/page/HowTo/vsphere5_integration

and added the missing SN attribute and removed the invalid objectClass. I hope
that's fine with you.

HTH,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to