On Fri, 06 Mar 2015, Martin Kosek wrote:
On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
Just to confirm I should restart the server after i've run the ldapmodify?


Right. It would be safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch.

Also I've used ldap modify to remove the 'uniqueMember' object class from the 
compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. 
I get the same 'identity source may be malfunctioning error' from vpshere.

The key here is to see the Directory Server access log, to see what kind of LDAP searches is vSphere doing and then seeing the actual entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or vSphere configuration.
Note also that in 4.1 we have ACIs that only give access to certain
attributes within compat tree and not all of them. Adding a new
attribute requires to add an ACI to allow serving it.

If this is an issue, you'd see the difference when accessing as
cn=Directory Manager or as any other authenticated bind.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to