On Tue, 02 Jun 2015, Martin Kosek wrote:
> CCing Nalin and Alexander. This sounds like the slapi-nis configuration for generating uniqueMember attribute does not work with multi-valued "member" attribute:
>
> schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")

No, this should work just fine. The original wiki page had just
%regsub() which is indeed a single element replacement. %mregsub()
processes multiple possible expression matching.

I just tried myself:
# ldapmodify -x -D "cn=Directory Manager" -f vsphere.ldif -W
Enter LDAP Password:
modifying entry "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"

modifying entry "cn=users,cn=Schema Compatibility,cn=plugins,cn=config"

# ipa permission-mod "System: Read User Compat Tree" --includedattrs sn
---------------------------------------------------
Modified permission "System: Read User Compat Tree"
---------------------------------------------------
 Permission name: System: Read User Compat Tree
 Granted rights: read, compare, search
 Effective attributes: cn, createtimestamp, entryusn, gecos, gidnumber,
homedirectory, loginshell, modifytimestamp, objectclass, sn, uid,
uidnumber
 Included attributes: sn
 Default attributes: cn, objectclass, loginshell, uidnumber, gidnumber,
gecos, homedirectory, uid
 Bind rule type: anonymous
 Subtree: dc=t,dc=vda,dc=li
 Target DN: cn=users,cn=compat,dc=t,dc=vda,dc=li
# ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember
----------------------------------------------------
Modified permission "System: Read Group Compat Tree"
----------------------------------------------------
 Permission name: System: Read Group Compat Tree
 Granted rights: read, compare, search
 Effective attributes: cn, createtimestamp, entryusn, gidnumber,
memberuid, modifytimestamp, objectclass, uniquemember
 Included attributes: uniquemember
 Default attributes: objectclass, memberuid, gidnumber, cn
 Bind rule type: anonymous
 Subtree: dc=t,dc=vda,dc=li
 Target DN: cn=groups,cn=compat,dc=t,dc=vda,dc=li
# ipa group-add foo-bar-zed
-------------------------
Added group "foo-bar-zed"
-------------------------
 Group name: foo-bar-zed
 GID: 895600028
# ipa user-add bar
First name: bar
Last name: bar
----------------
Added user "bar"
----------------
 User login: bar
 First name: bar
 Last name: bar
 Full name: bar bar
 Display name: bar bar
 Initials: bb
 Home directory: /home/bar
 GECOS: bar bar
 Login shell: /bin/sh
 Kerberos principal: b...@t.vda.li
 Email address: b...@t.vda.li
 UID: 895600029
 GID: 895600029
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
# ipa user-add foo
First name: foo
Last name: foo
----------------
Added user "foo"
----------------
 User login: foo
 First name: foo
 Last name: foo
 Full name: foo foo
 Display name: foo foo
 Initials: ff
 Home directory: /home/foo
 GECOS: foo foo
 Login shell: /bin/sh
 Kerberos principal: f...@t.vda.li
 Email address: f...@t.vda.li
 UID: 895600030
 GID: 895600030
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
# ipa user-add zed
First name: zed
Last name: zed
----------------
Added user "zed"
----------------
 User login: zed
 First name: zed
 Last name: zed
 Full name: zed zed
 Display name: zed zed
 Initials: zz
 Home directory: /home/zed
 GECOS: zed zed
 Login shell: /bin/sh
 Kerberos principal: z...@t.vda.li
 Email address: z...@t.vda.li
 UID: 895600031
 GID: 895600031
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
# ipa group-add-member foo-bar-zed --users={foo,bar,zed}
 Group name: foo-bar-zed
 GID: 895600028
 Member users: foo, bar, zed
-------------------------
Number of members added 3
-------------------------
# ldapsearch -x -b cn=groups,cn=compat,dc=t,dc=vda,dc=li '(cn=foo-bar-zed)'
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=t,dc=vda,dc=li> with scope subtree
# filter: (cn=foo-bar-zed)
# requesting: ALL
#

# foo-bar-zed, groups, compat, t.vda.li
dn: cn=foo-bar-zed,cn=groups,cn=compat,dc=t,dc=vda,dc=li
memberUid: foo
memberUid: bar
memberUid: zed
gidNumber: 895600028
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=foo,cn=users,cn=compat,dc=t,dc=vda,dc=li
uniqueMember: uid=bar,cn=users,cn=compat,dc=t,dc=vda,dc=li
uniqueMember: uid=zed,cn=users,cn=compat,dc=t,dc=vda,dc=li
cn: foo-bar-zed

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--
/ Alexander Bokovoy
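
Added example, not part of the message above and not slapi-nis code: a Python emulation of the per-value rewrite the `%mregsub()` line performs, used to check that a compat group entry carries exactly the expected `uniqueMember` values. The main-tree member DNs under `cn=accounts` are constructed, and dropping non-matching values is an assumption about the plugin's behaviour.

```python
import re

# Pattern and template from the schema-compat-entry-attribute line in the thread.
# slapi-nis writes back-references as %1/%2; Python's re uses \1/\2.
PATTERN = re.compile(r"^(.*)accounts(.*)")
TEMPLATE = r"\1compat\2"

def mregsub(values):
    """Per-value rewrite; values that do not match are dropped (assumption)."""
    return [PATTERN.sub(TEMPLATE, v, count=1) for v in values if PATTERN.search(v)]

def parse_ldif_entry(text):
    """Map attribute name -> values for one unfolded, non-base64 LDIF entry."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def check_compat_group(ldif_text, member_dns):
    """Return a list of discrepancies; an empty list means the entry is as expected."""
    entry = parse_ldif_entry(ldif_text)
    expected = {dn.lower() for dn in mregsub(member_dns)}
    actual = {dn.lower() for dn in entry.get("uniquemember", [])}
    problems = [f"missing uniqueMember: {dn}" for dn in sorted(expected - actual)]
    problems += [f"unexpected uniqueMember: {dn}" for dn in sorted(actual - expected)]
    uids = {u.lower() for u in entry.get("memberuid", [])}
    for dn in sorted(actual):
        # The leading RDN of each uniqueMember should also appear as a memberUid.
        if dn.split(",", 1)[0].partition("=")[2] not in uids:
            problems.append(f"no memberUid for {dn}")
    return problems

# Constructed main-tree member DNs; the thread shows only the compat side.
MEMBERS = [f"uid={u},cn=users,cn=accounts,dc=t,dc=vda,dc=li" for u in ("foo", "bar", "zed")]

# Attribute lines copied from the ldapsearch result in the message above.
COMPAT_LDIF = """\
dn: cn=foo-bar-zed,cn=groups,cn=compat,dc=t,dc=vda,dc=li
memberUid: foo
memberUid: bar
memberUid: zed
uniqueMember: uid=foo,cn=users,cn=compat,dc=t,dc=vda,dc=li
uniqueMember: uid=bar,cn=users,cn=compat,dc=t,dc=vda,dc=li
uniqueMember: uid=zed,cn=users,cn=compat,dc=t,dc=vda,dc=li
"""

if __name__ == "__main__":
    print(check_compat_group(COMPAT_LDIF, MEMBERS) or "compat entry matches")
```

Because `(.*)` is greedy, only the last `accounts` in a DN is rewritten, so a user whose login is literally `accounts` keeps its RDN.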
