On Thu, 21 May 2015, Rudolf Gabler wrote:
Hi to whom it may concern,

we used for many years a 2 location policy to separate email users from
unix users in order to not using the same passwords. So we had 2 trees
in our LDAP with the same user but different passwords.

In freeipa (where we want to migrate now) I can use the accounts and
compat (for email) trees for this purpose and so I added a

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: userPassword=*
to the compat settings  to have a separate place for the password (!not
userPassword=%{userPassword}, because then the accounts password are
mirrored). This works, but I’m not allowed to change the password i.e.
with: ldappasswd -x -D "cn=Directory Manager" -W -S
I get a result of:

No such object (32)
Additional info: Failed to update password

where as for the accounts tree the ldappasswd is working fine.
What additional setting may be required?
slapi-nis does not support modifying entries in the compat tree. The
tree is virtual, it is re-populated from the original data every time
389-ds server is restarted.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to