Hi Martin, On 27/05/2016 14:01, Martin Kosek wrote: > On 05/25/2016 09:51 PM, Bob Hinton wrote: >> Hello, >> >> We are trying to get Zenoss login authentication to use freeipa over >> LDAP. Group mappings don't currently work and we think this is because >> Zenoss requires the groupOfUniqueNames object class. >> >> I managed to add the object class to a test VM using >> vsphere_groupmod.ldif taken from >> http://www.freeipa.org/page/HowTo/vsphere5_integration - >> >> content of vsphere_groupmod.ldif - >> >> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config >> changetype: modify >> add: schema-compat-entry-attribute >> schema-compat-entry-attribute: objectclass=groupOfUniqueNames >> - >> add: schema-compat-entry-attribute >> schema-compat-entry-attribute: >> uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2") >> - >> >> apply with - >> >> ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W >> >> However, the following command seemed to freeze - >> >> ipa permission-mod "System: Read Group Compat Tree" --includedattrs >> uniquemember >> >> and I had to kill it then subsequent ldapsearch commands froze. > That's... strange. Looks like a DS bug. I tried this on one of the three live servers after using ipa-backup on each of them and it completed without hanging so this suggests a problem with my test VM rather than a bug.
> >> Rebooting the VM seemed to fix things and the groupOfUniqueNames object >> class appeared in the schema. >> >> I'd like to apply this to our live system which uses a master and two >> replicas running IPA v4.2.0 on RHEL 7.2. >> >> Do I need to make the same change to all three servers ? > Changes in cn=config needs to be done on all servers as the tree is not > replicated. Normal permission changes are replicated (unless the permission is > about cn=config tree). Yes. I've now spotted that the change is confined to the single live server. I'll apply it to the other two when we've got the connectivity with Zenoss working. >> Can I leave the >> replicas connected or do I need to break the replication and >> re-establish it? > I do not see reason why you would need to break the replication between > replicas. > >> Do I need the "ipa permission-mod" if so then how do I >> avoid it freezing ? > I think the freeze is a bug, I would try reproducing with the latest and > greatest 389-ds-base (I do not know what version you are using), the bug may > be > already fixed (there were some bugs fixed). My test VM is quite old, since it didn't happen on the live server and that is more up to date, it suggests either a bug that has been fixed or a problem with the test VM. > > And yes, the command is needed, so that the new attribute is allowed to be > served. > > HTH, > Martin > . > Thanks Bob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
