On ma, 20 maalis 2017, Iulian Roman wrote:
On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

On ma, 20 maalis 2017, Iulian Roman wrote:

Hello,

I noticed that the nested group feature does not work with the unix ldap clients
(AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If
I use the cn=compat and change the mapping, the nested groups are listed
properly.

Compat tree implements RFC2307 schema which doesn't have nested groups.

Correct, but although the groups under the compat tree do not have the
nestedgroup object class attribute, whenever I change the group membership
via WEB UI, the compat tree group membership is automatically updated (new
memberUid is added). What I've done was a sort of workaround and map the
AIX groups attribute to the memberUid, which seems to work properly.
memberUid is uidNumber of corresponding user, not a group identifier.
Perhaps, you are trying to explain something else?

Main tree in FreeIPA uses RFC2307bis schema which supports nested
groups.

Any plans to support RFC2307AIX schema ?
No.


On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
schemas. AIX's automounter does support RFC2307bis automount maps but
the rest of the system does not support RFC2307bis. In particular, AIX
does not understand member attribute dereference.


My question is if it is allowed to mix the compat and accounts cn for the
userbasedn and groupbasedn on the same unix ldap client ?

No, not really. You are messing up something that your client
does not understand.

As I explained above, I could use the basic attributes in the compat tree
for groups in order to update the AIX "groups" attribute (based on the
memberUid list). Is there anything which can break the functionality if the
compat tree is used instead of the main/accounts tree, or is it a fortunate
coincidence that this setup works?
Why don't you use the compat tree for both users and groups in AIX? This is
how it was designed to be used.

--
/ Alexander Bokovoy
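The distinction discussed in this thread is that the main tree lists group members as DNs in the `member` attribute (RFC2307bis, where a member DN may itself be a group), while the compat tree presents each group as a flat RFC2307 `posixGroup` with `memberUid` values. The following Python script is an added illustration, not FreeIPA's own compat plugin code: it models, on constructed sample entries (the `dc=example,dc=test` suffix and the user and group names are invented), what a client such as AIX sees when it reads only the direct `uid=` members of a main-tree group, versus the flattened `memberUid` list the compat view exposes. It also shows why the flattening needs a cycle guard, since nothing stops two groups from being members of each other.

```python
"""Flatten RFC2307bis nested groups (member DNs) into an RFC2307-style memberUid list.

Added example, not FreeIPA code. The entries below are constructed sample data;
the suffix dc=example,dc=test and all names are invented.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

SUFFIX = "dc=example,dc=test"
USERS = f"cn=users,cn=accounts,{SUFFIX}"
GROUPS = f"cn=groups,cn=accounts,{SUFFIX}"
ADMINS = f"cn=admins,{GROUPS}"
OPS = f"cn=ops,{GROUPS}"
DEVS = f"cn=devs,{GROUPS}"

# Constructed main-tree (RFC2307bis) group entries. "ops" and "admins" are
# members of each other on purpose, to exercise the cycle guard.
MAIN_TREE: Dict[str, Entry] = {
    ADMINS: {
        "objectClass": ["posixgroup", "groupofnames", "nestedgroup"],
        "gidNumber": ["1001"],
        "member": [f"uid=alice,{USERS}", OPS],
    },
    OPS: {
        "objectClass": ["posixgroup", "groupofnames", "nestedgroup"],
        "gidNumber": ["1002"],
        "member": [f"uid=bob,{USERS}", DEVS, ADMINS],
    },
    DEVS: {
        "objectClass": ["posixgroup", "groupofnames", "nestedgroup"],
        "gidNumber": ["1003"],
        # The last DN does not exist in the tree; a dangling reference must be skipped.
        "member": [f"uid=carol,{USERS}", f"cn=external,{GROUPS}"],
    },
}


def rdn(dn: str) -> Tuple[str, str]:
    """Return (attribute, value) of the first RDN of a DN, attribute lower-cased."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def direct_user_members(tree: Dict[str, Entry], group_dn: str) -> List[str]:
    """uids a client that cannot dereference member DNs (e.g. AIX) can derive
    from the main tree: only directly listed uid= entries, nested groups ignored."""
    uids = [value for attr, value in map(rdn, tree[group_dn].get("member", [])) if attr == "uid"]
    return sorted(uids)


def flatten_members(tree: Dict[str, Entry], group_dn: str, seen: Set[str] = None) -> Set[str]:
    """Recursively resolve nested group membership into a set of user uids."""
    if seen is None:
        seen = set()
    if group_dn in seen:        # cycle guard: a group already expanded contributes nothing new
        return set()
    seen.add(group_dn)
    uids: Set[str] = set()
    for member_dn in tree[group_dn].get("member", []):
        attr, value = rdn(member_dn)
        if attr == "uid":
            uids.add(value)
        elif attr == "cn" and member_dn in tree:
            uids |= flatten_members(tree, member_dn, seen)
        # dangling DNs and unknown RDN types are silently skipped
    return uids


def compat_group_entry(tree: Dict[str, Entry], group_dn: str) -> Entry:
    """What an RFC2307 view (like FreeIPA's compat tree) presents for the group:
    a plain posixGroup whose memberUid list is the flattened membership."""
    return {
        "objectClass": ["posixGroup"],
        "cn": [rdn(group_dn)[1]],
        "gidNumber": list(tree[group_dn]["gidNumber"]),
        "memberUid": sorted(flatten_members(tree, group_dn)),
    }


if __name__ == "__main__":
    for dn in (ADMINS, OPS, DEVS):
        print(rdn(dn)[1], "direct:", direct_user_members(MAIN_TREE, dn),
              "flattened:", compat_group_entry(MAIN_TREE, dn)["memberUid"])
```

Reading the main tree without `member` dereference yields only `alice` for `admins`, while the compat-style view lists `alice`, `bob` and `carol`; that difference is what the client-side mapping in the thread papers over, and why pointing both userbasedn and groupbasedn at the compat tree is the setup the RFC2307-only client was designed for.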

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
