On Thu, 21 May 2015, Rudolf Gabler wrote:
> Hi to whom it may concern,
>
> we used for many years a 2 location policy to separate email users from
> unix users in order not to use the same passwords. So we had 2 trees in
> our LDAP with the same user but different passwords. In FreeIPA (where we
> want to migrate now) I can use the accounts and compat (for email) trees
> for this purpose and so I added a
>
>   dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>   changetype: modify
>   add: schema-compat-entry-attribute
>   schema-compat-entry-attribute: userPassword=*
>
> to the compat settings to have a separate place for the password (!not
> userPassword=%{userPassword}, because then the account passwords are
> mirrored).
>
> This works, but I’m not allowed to change the password i.e. with:
>
>   ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
>
> I get a result of:
>
>   No such object (32)
>   Additional info: Failed to update password
>
> whereas for the accounts tree the ldappasswd is working fine.
>
> What additional setting may be required?

slapi-nis does not support modifying entries in the compat tree. The tree
is virtual, it is re-populated from the original data every time 389-ds
server is restarted.

--
/ Alexander Bokovoy
