On 05/25/2016 09:51 PM, Bob Hinton wrote:
> Hello,
> 
> We are trying to get Zenoss login authentication to use freeipa over
> LDAP. Group mappings don't currently work and we think this is because
> Zenoss requires the groupOfUniqueNames object class.
> 
> I managed to add the object class to a test VM using
> vsphere_groupmod.ldif taken from
> http://www.freeipa.org/page/HowTo/vsphere5_integration -
> 
> content of vsphere_groupmod.ldif -
> 
> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: objectclass=groupOfUniqueNames
> -
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute:
> uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> -
> 
> apply with -
> 
> ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W
> 
> However, the following command seemed to freeze -
> 
> ipa permission-mod "System: Read Group Compat Tree" --includedattrs
> uniquemember
> 
> and I had to kill it then subsequent ldapsearch commands froze.

That's... strange. Looks like a DS bug.

> Rebooting the VM seemed to fix things and the groupOfUniqueNames object
> class appeared in the schema.
> 
> I'd like to apply this to our live system which uses a master and two
> replicas running IPA v4.2.0 on RHEL 7.2.
> 
> Do I need to make the same change to all three servers?

Changes in cn=config need to be done on all servers, as the tree is not
replicated. Normal permission changes are replicated (unless the permission is
about the cn=config tree).

> Can I leave the
> replicas connected or do I need to break the replication and
> re-establish it?

I do not see a reason why you would need to break the replication between
replicas.

> Do I need the "ipa permission-mod"? If so, then how do I
> avoid it freezing?

I think the freeze is a bug; I would try reproducing it with the latest and
greatest 389-ds-base (I do not know what version you are using), as the bug may
already be fixed (there were some bugs fixed).

And yes, the command is needed, so that the new attribute is allowed to be 
served.

HTH,
Martin
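As an added illustration (not code from this thread, from FreeIPA or from 389-ds), here is a small Python model of what the uniqueMember rule in vsphere_groupmod.ldif does to a group's member DNs when the Schema Compatibility plugin builds the groupOfUniqueNames view. The sample group, the compat DN derived with the same regex, and the decision to report member DNs that do not contain "accounts" as unmapped are constructed assumptions, not documented plugin behaviour.

```python
import re

# The rule from vsphere_groupmod.ldif:
#   uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
# modelled with Python's re module. Note the greedy (.*): if a DN contained
# "accounts" twice, only the last occurrence would be rewritten.
MREGSUB_PATTERN = re.compile(r"^(.*)accounts(.*)")
MREGSUB_TEMPLATE = r"\1compat\2"


def rewrite_member(member_dn):
    """Apply the mregsub rule to one member DN.

    Returns the DN relocated into the cn=compat tree, or None when the DN
    does not contain 'accounts' at all (assumption: such a DN is treated
    as unmapped so an admin can spot it, rather than guessed at).
    """
    match = MREGSUB_PATTERN.match(member_dn)
    if match is None:
        return None
    return match.expand(MREGSUB_TEMPLATE)


def compat_group_entry(group_entry):
    """Build the groupOfUniqueNames view for one IPA group (constructed model).

    Returns (compat_entry, unmapped_members); a non-empty unmapped list means
    some members would not point into the compat tree after the rewrite.
    """
    unique_members, unmapped = [], []
    for dn in group_entry.get("member", []):
        rewritten = rewrite_member(dn)
        if rewritten is None:
            unmapped.append(dn)
        else:
            unique_members.append(rewritten)
    compat_entry = {
        "dn": rewrite_member(group_entry["dn"]),
        "objectClass": ["groupOfUniqueNames"],
        "cn": group_entry["cn"],
        "uniqueMember": unique_members,
    }
    return compat_entry, unmapped


# Constructed sample group; the last member lives outside cn=accounts.
SAMPLE_GROUP = {
    "dn": "cn=zenoss-admins,cn=groups,cn=accounts,dc=example,dc=com",
    "cn": "zenoss-admins",
    "member": [
        "uid=bob,cn=users,cn=accounts,dc=example,dc=com",
        "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
        "cn=ops,cn=groups,cn=accounts,dc=example,dc=com",
        "uid=svc,ou=people,dc=legacy,dc=example,dc=com",
    ],
}
```

Running compat_group_entry(SAMPLE_GROUP) shows three members relocated under cn=compat and the legacy DN reported as unmapped, which is the kind of entry Zenoss would otherwise fail to resolve.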

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project