Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy

On ma, 20 maalis 2017, Iulian Roman wrote:
>On Mon, Mar 20, 2017 at 4:24 PM, Alexander Bokovoy wrote:
>
>>On ma, 20 maalis 2017, Iulian Roman wrote:
>>
>>>On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote:
>>>
>>>>On ma, 20 maalis 2017, Iulian Roman wrote:
>>>>
>>>>>Hello,
>>>>>
>>>>>I noticed that the nested group feature does not work with the Unix LDAP
>>>>>clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...)
>>>>>is used. If I use the cn=compat and change the mapping, the nested groups
>>>>>are listed properly.
>>>>
>>>>Compat tree implements RFC2307 schema which doesn't have nested groups.
>>>
>>>Correct, but although the groups under the compat tree do not have the
>>>nestedgroup object class attribute, whenever I change the group membership
>>>via the Web UI, the compat tree group membership is automatically updated
>>>(a new memberUid is added). What I've done was a sort of workaround and
>>>map the AIX groups attribute to the memberUid, which seems to work
>>>properly.
>>
>>memberUid is uidNumber of corresponding user, not a group identifier.
>>Perhaps, you are trying to explain something else?
>
>Ok, maybe I have to explain it more clearly as it was confusing:
>in order to get the user list attribute for an LDAP group in AIX, you use
>some .map files, which map the LDAP attributes to the AIX attributes. For
>the 2307 schema, to get the user list of a group you have to map the
>AIX _users_ attribute to the _memberuid_ LDAP attribute. For the compat
>tree, in the file ipagroup.map I've mapped the AIX _users_ attribute to
>the _memberuid_ IPA/LDAP attribute and therefore I have the list of the
>users for that particular group. Having the list of users who are members
>of a group translates to having the group list of the users (if we invert
>the logic). Does that make more sense now?

According to my research from several years ago the following two maps were
enough to get AIX to work with the primary IPA tree:

#IPAuser.map file
keyobjectclass  SEC_CHAR  posixaccount      s

# The following attributes are required by AIX to be functional
username        SEC_CHAR  uid               s
id              SEC_INT   uidnumber         s
pgrp            SEC_CHAR  gidnumber         s
home            SEC_CHAR  homedirectory     s
shell           SEC_CHAR  loginshell        s
gecos           SEC_CHAR  gecos             s
spassword       SEC_CHAR  userpassword      s
lastupdate      SEC_INT   shadowlastchange  s

#IPAgroup.map file
groupname       SEC_CHAR  cn                s
id              SEC_INT   gidNumber         s
users           SEC_LIST  member            m

This will make AIX interpret native IPA users properly.

If you expect AD users from trusted AD domains to be usable as well,
you'd need to switch to the compat tree and use RFC2307 mapping files.

>>Why don't you use the compat tree for both users and groups in AIX? This is
>>how it was designed to be used.
>
>Actually the compat tree was the default one configured by the LDAP client,
>but checking the LDAP structure it seemed more logical to use the default
>IPA LDAP tree which is used as well for Linux. Moreover I did not understand
>what exactly the purpose of the compat tree is and I was quite confused.
>Apart from that I missed some krb* related attributes for the user, but
>probably I have to re-evaluate that and use the compat tree for both users
>and groups, if that's what it was designed for.

It depends on what you need to do. You shouldn't need to have access to
kerberos attributes from client side at all.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
On Mon, Mar 20, 2017 at 4:24 PM, Alexander Bokovoy wrote:

> On ma, 20 maalis 2017, Iulian Roman wrote:
>
>> On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote:
>>
>>> On ma, 20 maalis 2017, Iulian Roman wrote:
>>>
>>>> Hello,
>>>>
>>>> I noticed that the nested group feature does not work with the Unix LDAP
>>>> clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...)
>>>> is used. If I use the cn=compat and change the mapping, the nested
>>>> groups are listed properly.
>>>
>>> Compat tree implements RFC2307 schema which doesn't have nested groups.
>>
>> Correct, but although the groups under the compat tree do not have the
>> nestedgroup object class attribute, whenever I change the group membership
>> via the Web UI, the compat tree group membership is automatically updated
>> (a new memberUid is added). What I've done was a sort of workaround and
>> map the AIX groups attribute to the memberUid, which seems to work
>> properly.
>>
> memberUid is uidNumber of corresponding user, not a group identifier.
> Perhaps, you are trying to explain something else?
>
Ok, maybe I have to explain it more clearly as it was confusing:
in order to get the user list attribute for an LDAP group in AIX, you use
some .map files, which map the LDAP attributes to the AIX attributes. For
the 2307 schema, to get the user list of a group you have to map the
AIX _users_ attribute to the _memberuid_ LDAP attribute. For the compat
tree, in the file ipagroup.map I've mapped the AIX _users_ attribute to
the _memberuid_ IPA/LDAP attribute and therefore I have the list of the
users for that particular group. Having the list of users who are members
of a group translates to having the group list of the users (if we invert
the logic). Does that make more sense now?

>>> Main tree in FreeIPA uses RFC2307bis schema which supports nested
>>> groups.
>>
>> Any plans to support RFC2307AIX schema?
>
> No.
>
>>> On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
>>> schemas. AIX's automounter does support RFC2307bis automount maps but
>>> the rest of the system does not support RFC2307bis. In particular, AIX
>>> does not understand member attribute dereference.
>>>
>>>> My question is if it is allowed to mix the compat and accounts cn for
>>>> the userbasedn and groupbasedn on the same Unix LDAP client?
>>>
>>> No, not really. You are messing up something that your client
>>> does not understand.
>>
>> As I explained above, I could use the basic attributes in the compat tree
>> for groups in order to update the AIX "groups" attribute (based on the
>> memberuid list). Is there anything which can break the functionality if
>> the compat tree is used instead of the main/accounts tree, or is it a
>> fortunate coincidence that this setup works?
>>
> Why don't you use the compat tree for both users and groups in AIX? This is
> how it was designed to be used.
>
Actually the compat tree was the default one configured by the LDAP client,
but checking the LDAP structure it seemed more logical to use the default
IPA LDAP tree which is used as well for Linux. Moreover I did not understand
what exactly the purpose of the compat tree is and I was quite confused.
Apart from that I missed some krb* related attributes for the user, but
probably I have to re-evaluate that and use the compat tree for both users
and groups, if that's what it was designed for.


>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy

On ma, 20 maalis 2017, Lukas Slebodnik wrote:
>On (20/03/17 17:00), Alexander Bokovoy wrote:
>>On ma, 20 maalis 2017, Iulian Roman wrote:
>>>Hello,
>>>
>>>I noticed that the nested group feature does not work with the Unix LDAP
>>>clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is
>>>used. If I use the cn=compat and change the mapping, the nested groups are
>>>listed properly.
>>
>>Compat tree implements RFC2307 schema which doesn't have nested groups.
>>
>>Main tree in FreeIPA uses RFC2307bis schema which supports nested
>>groups.
>
>But "Compat tree" is generated from "Main tree".
>Therefore users must have the same groups in both cases.

They are, for POSIX groups. RFC2307bis allows you to have arbitrary
nested groups, RFC2307 only handles POSIX groups.

--
/ Alexander Bokovoy

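The distinction drawn in this reply (DN-valued, nestable `member` groups in the RFC2307bis main tree versus flat `memberUid` lists for POSIX groups only in the RFC2307 compat tree) and the AIX `users` mapping discussed earlier in the thread, as an added Python example that is not from the thread or from FreeIPA: it flattens a constructed main-tree sample into a compat-style view, which is what lets a client that cannot dereference `member` still see nested members. The DNs, group names and gidNumbers are constructed sample data; the cycle guard and the non-POSIX group go slightly beyond the thread to show the edge cases.

```python
# Constructed sample of a FreeIPA-style main tree (RFC2307bis): DN -> attrs.
MAIN_TREE = {
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=test": {
        "objectClass": ["groupofnames", "posixgroup"],
        "gidNumber": ["1000"],
        "member": ["uid=alice,cn=users,cn=accounts,dc=example,dc=test"],
    },
    "cn=ops,cn=groups,cn=accounts,dc=example,dc=test": {
        "objectClass": ["groupofnames", "posixgroup"],
        "gidNumber": ["1001"],
        "member": [
            "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
            "cn=admins,cn=groups,cn=accounts,dc=example,dc=test",  # nested
        ],
    },
    # Non-POSIX group (no gidNumber): RFC2307 has no representation for it.
    "cn=everyone,cn=groups,cn=accounts,dc=example,dc=test": {
        "objectClass": ["groupofnames"],
        "member": ["cn=ops,cn=groups,cn=accounts,dc=example,dc=test"],
    },
}


def rdn_value(dn):
    """Value of the leftmost RDN: 'alice' for 'uid=alice,cn=users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def flatten_members(dn, tree, seen=None):
    """Resolve a group's `member` DNs to the set of user uids, following
    nested groups; `seen` guards against membership cycles."""
    seen = set() if seen is None else seen
    uids = set()
    for member in tree.get(dn, {}).get("member", []):
        if member in seen:
            continue
        seen.add(member)
        if member.startswith("uid="):
            uids.add(rdn_value(member))
        elif member in tree:  # another group: recurse into it
            uids |= flatten_members(member, tree, seen)
    return uids


def compat_view(tree):
    """Emulate the RFC2307 compat view: only POSIX groups (those with a
    gidNumber), each reduced to a flat, sorted memberUid list."""
    return {rdn_value(dn): sorted(flatten_members(dn, tree))
            for dn, attrs in tree.items() if "gidNumber" in attrs}
```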


Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote:

> On ma, 20 maalis 2017, Iulian Roman wrote:
>
>> Hello,
>>
>> I noticed that the nested group feature does not work with the Unix LDAP
>> clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...)
>> is used. If I use the cn=compat and change the mapping, the nested groups
>> are listed properly.
>>
> Compat tree implements RFC2307 schema which doesn't have nested groups.
>
Correct, but although the groups under the compat tree do not have the
nestedgroup object class attribute, whenever I change the group membership
via the Web UI, the compat tree group membership is automatically updated
(a new memberUid is added). What I've done was a sort of workaround and map
the AIX groups attribute to the memberUid, which seems to work properly.

> Main tree in FreeIPA uses RFC2307bis schema which supports nested
> groups.
>
Any plans to support RFC2307AIX schema?

> On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
> schemas. AIX's automounter does support RFC2307bis automount maps but
> the rest of the system does not support RFC2307bis. In particular, AIX
> does not understand member attribute dereference.
>
>> My question is if it is allowed to mix the compat and accounts cn for the
>> userbasedn and groupbasedn on the same Unix LDAP client?
>>
> No, not really. You are messing up something that your client
> does not understand.
>
As I explained above, I could use the basic attributes in the compat tree
for groups in order to update the AIX "groups" attribute (based on the
memberuid list). Is there anything which can break the functionality if the
compat tree is used instead of the main/accounts tree, or is it a fortunate
coincidence that this setup works?

>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy

On ma, 20 maalis 2017, Iulian Roman wrote:
>On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy wrote:
>
>>On ma, 20 maalis 2017, Iulian Roman wrote:
>>
>>>Hello,
>>>
>>>I noticed that the nested group feature does not work with the Unix LDAP
>>>clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...)
>>>is used. If I use the cn=compat and change the mapping, the nested groups
>>>are listed properly.
>>
>>Compat tree implements RFC2307 schema which doesn't have nested groups.
>
>Correct, but although the groups under the compat tree do not have the
>nestedgroup object class attribute, whenever I change the group membership
>via the Web UI, the compat tree group membership is automatically updated
>(a new memberUid is added). What I've done was a sort of workaround and
>map the AIX groups attribute to the memberUid, which seems to work
>properly.

memberUid is uidNumber of corresponding user, not a group identifier.
Perhaps, you are trying to explain something else?

>>Main tree in FreeIPA uses RFC2307bis schema which supports nested
>>groups.
>
>Any plans to support RFC2307AIX schema?

No.

>>On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
>>schemas. AIX's automounter does support RFC2307bis automount maps but
>>the rest of the system does not support RFC2307bis. In particular, AIX
>>does not understand member attribute dereference.
>>
>>>My question is if it is allowed to mix the compat and accounts cn for the
>>>userbasedn and groupbasedn on the same Unix LDAP client?
>>
>>No, not really. You are messing up something that your client
>>does not understand.
>
>As I explained above, I could use the basic attributes in the compat tree
>for groups in order to update the AIX "groups" attribute (based on the
>memberuid list). Is there anything which can break the functionality if
>the compat tree is used instead of the main/accounts tree, or is it a
>fortunate coincidence that this setup works?

Why don't you use the compat tree for both users and groups in AIX? This is
how it was designed to be used.

--
/ Alexander Bokovoy



Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Lukas Slebodnik
On (20/03/17 17:00), Alexander Bokovoy wrote:
>On ma, 20 maalis 2017, Iulian Roman wrote:
>> Hello,
>> 
>> I noticed that the nested group feature does not work with the Unix LDAP
>> clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is
>> used. If I use the cn=compat and change the mapping, the nested groups are
>> listed properly.
>Compat tree implements RFC2307 schema which doesn't have nested groups.
>
>Main tree in FreeIPA uses RFC2307bis schema which supports nested
>groups.
>
But "Compat tree" is generated from "Main tree".
Therefore users must have the same groups in both cases.

LS



Re: [Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Alexander Bokovoy

On ma, 20 maalis 2017, Iulian Roman wrote:
>Hello,
>
>I noticed that the nested group feature does not work with the Unix LDAP
>clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is
>used. If I use the cn=compat and change the mapping, the nested groups are
>listed properly.

Compat tree implements RFC2307 schema which doesn't have nested groups.

Main tree in FreeIPA uses RFC2307bis schema which supports nested
groups.

On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
schemas. AIX's automounter does support RFC2307bis automount maps but
the rest of the system does not support RFC2307bis. In particular, AIX
does not understand member attribute dereference.

>My question is if it is allowed to mix the compat and accounts cn for the
>userbasedn and groupbasedn on the same Unix LDAP client?

No, not really. You are messing up something that your client
does not understand.


--
/ Alexander Bokovoy



[Freeipa-users] compat and nested groups for Unix system

2017-03-20 Thread Iulian Roman
Hello,

I noticed that the nested group feature does not work with the Unix LDAP
clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is
used. If I use the cn=compat and change the mapping, the nested groups are
listed properly.

My question is if it is allowed to mix the compat and accounts cn for the
userbasedn and groupbasedn on the same Unix LDAP client?