On Fri, 06 Mar 2015, Martin Kosek wrote:
On 03/06/2015 02:24 AM, re...@hushmail.com wrote:
Just to confirm I should restart the server after I've run the ldapmodify?

Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch.

Also I've used ldapmodify to remove the 'uniqueMember' object class from the 
compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. 
I get the same 'identity source may be malfunctioning error' from vSphere.

The key here is to see the Directory Server access log, to see what kind of LDAP searches vSphere is doing, and then to see the actual entries in FreeIPA with ldapsearch (or any GUI, I use Apache Directory Studio). With this knowledge, you should just need to update either the Schema Compatibility plugin configuration or vSphere configuration.

Note also that in 4.1 we have ACIs that only give access to certain
attributes within compat tree and not all of them. Adding a new
attribute requires adding an ACI to allow serving it.

If this is an issue, you'd see the difference when accessing as
cn=Directory Manager or as any other authenticated bind.
--
/ Alexander Bokovoy
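
Added example, not part of the original thread: one way to act on both suggestions above is to pull the compat-tree searches out of the Directory Server access log and list the attributes the client asks for that the ACIs may not serve. The log lines, the bind DN and the `readable` set are constructed assumptions, not values from this thread or the real FreeIPA 4.1 ACI list.

```python
import re

# Constructed sample in 389 Directory Server access-log format (not from the thread).
SAMPLE_LOG = """\
[06/Mar/2015:10:01:02 +0100] conn=12 op=0 BIND dn="uid=vsphere,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[06/Mar/2015:10:01:02 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Mar/2015:10:01:03 +0100] conn=12 op=1 SRCH base="cn=users,cn=compat,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=jdoe))" attrs="uid cn sn"
[06/Mar/2015:10:01:03 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[06/Mar/2015:10:01:04 +0100] conn=12 op=2 SRCH base="cn=groups,cn=compat,dc=example,dc=com" scope=2 filter="(uniqueMember=uid=jdoe,cn=users,cn=compat,dc=example,dc=com)" attrs="cn"
[06/Mar/2015:10:01:04 +0100] conn=12 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[06/Mar/2015:10:01:05 +0100] conn=13 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
"""

LINE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT) ?(.*)')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')       # key="quoted value" or key=bare
FILTER_ATTR = re.compile(r'\(([A-Za-z][\w;.-]*)[~<>:]?=')  # attribute names used in a filter

def compat_searches(log_text, subtree="cn=compat"):
    """Return searches under the compat tree with their bind DN and hit count."""
    binds, found = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        f = {k: q or u for k, q, u in FIELD.findall(rest)}
        if kind == "BIND":
            binds[conn] = f.get("dn", "")
        elif kind == "SRCH" and subtree in f.get("base", "").lower():
            found[conn, op] = {"bind": binds.get(conn, "(unknown)"), "base": f["base"],
                               "filter": f.get("filter", ""),
                               "attrs": f.get("attrs", "ALL").split(), "nentries": None}
        elif kind == "RESULT" and (conn, op) in found:
            found[conn, op]["nentries"] = int(f.get("nentries", 0))
    return list(found.values())

def attrs_to_review(searches, readable):
    """Attributes requested or filtered on that are missing from `readable`."""
    readable = {a.lower() for a in readable}
    wanted = set()
    for s in searches:
        wanted.update(a.lower() for a in s["attrs"] if a != "ALL")
        wanted.update(a.lower() for a in FILTER_ATTR.findall(s["filter"]))
    return sorted(wanted - readable)

if __name__ == "__main__":
    hits = compat_searches(SAMPLE_LOG)
    for s in hits:
        print(s["bind"], s["base"], s["filter"], s["attrs"], "nentries =", s["nentries"])
    # Hypothetical set of attributes the compat-tree ACIs allow; fill in from your own server.
    print(attrs_to_review(hits, {"uid", "cn", "objectClass", "uniqueMember"}))
```

A search that returns entries as cn=Directory Manager but `nentries=0` or missing attributes for the client's bind DN points at the ACI rather than at the compat configuration.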
