Re: [Freeipa-users] Groups
On 06/10/15 13:14, Rob Crittenden wrote:
> Sean Hogan wrote:
>> Hello,
>>
>> I have been rolling out an IPA deployment for IBM Watson for the past 3
>> months. Initially I did not want to take on application ids (linux OS
>> Ids owning apps). I now have to, so I have created the accounts in IPA,
>> however new files created by user wdadeploy are being created with
>> wdadeploy:wdadeploy where the app team wants new files owned
>> wdadeploy:wdaadmins. Is there a way to accomplish this? I wanted the
>> application IDs to stay local but they want to see if this works.
>
> By default IPA creates users with a user-private group. This is a POSIX
> group that cannot have members with the same name as the user (and the
> UID and GID will match).
>
> SSSD gets the primary group from the GID attribute in the user so you
> have a couple of options that I can see:
>
> 1. Modify the user to set the GID to the GID of wdaadmins
> 2. 1. and also detach the private group from the user since it isn't
>    being used any more (and you can delete it if you know you'll never
>    use it). Note that once detached it can never be re-attached (or not
>    via any IPA-provided tools anyway).
>
> Now strictly speaking I don't think that wdadeploy needs to be a member
> of wdaadmins for this to work but that would probably be quite confusing
> in the long run.
>
> Use the id command to confirm that the gid resolves to wdaadmins.

Another option is to keep stuff as it is in IPA and use file system
default ACLs so that wdaadmins get read/write or whatever access on the
files wdadeploy creates.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Groups
Sean Hogan wrote:
> Hello,
>
> I have been rolling out an IPA deployment for IBM Watson for the past 3
> months. Initially I did not want to take on application ids (linux OS
> Ids owning apps). I now have to, so I have created the accounts in IPA,
> however new files created by user wdadeploy are being created with
> wdadeploy:wdadeploy where the app team wants new files owned
> wdadeploy:wdaadmins. Is there a way to accomplish this? I wanted the
> application IDs to stay local but they want to see if this works.

By default IPA creates users with a user-private group. This is a POSIX
group that cannot have members with the same name as the user (and the
UID and GID will match).

SSSD gets the primary group from the GID attribute in the user so you
have a couple of options that I can see:

1. Modify the user to set the GID to the GID of wdaadmins
2. 1. and also detach the private group from the user since it isn't
   being used any more (and you can delete it if you know you'll never
   use it). Note that once detached it can never be re-attached (or not
   via any IPA-provided tools anyway).

Now strictly speaking I don't think that wdadeploy needs to be a member
of wdaadmins for this to work but that would probably be quite confusing
in the long run.

Use the id command to confirm that the gid resolves to wdaadmins.

rob
Re: [Freeipa-users] groups migration
On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Pass in --schema=RFC2307 to the migrate-ds command to migrate these
> groups.

Thank you Rob. I tried this option and it didn't help, my groups in ipa
are still empty :(.

regards,
Maciej Sawicki

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] groups migration
Maciej Sawicki wrote:
> On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Pass in --schema=RFC2307 to the migrate-ds command to migrate these
>> groups.
>
> Thank you Rob. I tried this option and it didn't help, my groups in ipa
> are still empty :(.
>
> regards,
> Maciej Sawicki

It won't re-migrate a group once it is added. Did you remove the group in
IPA before trying again?

I did a quickie test using a current build from master (what will become
3.0) and it worked ok. We haven't done any migration changes since 2.2 so
it should be the same code. What version and platform are you using?

The command-line I used was:

# ipa migrate-ds ldap://pogo.example.com:3389 --schema=RFC2307 --with-compat

My data was:

dn: uid=user1,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user1
uidnumber: 1
gidnumber: 10001
loginshell: /bin/sh
homedirectory: /home/user1
cn: Test User

dn: uid=user2,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user2
uidnumber: 10003
gidnumber: 10004
loginshell: /bin/sh
homedirectory: /home/user2
cn: Test User 2

dn: uid=user3,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user3
uidnumber: 10005
gidnumber: 10006
loginshell: /bin/sh
homedirectory: /home/user3
cn: Test User 3

dn: cn=schema,ou=Groups,dc=greyoak,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixgroup
cn: schema
ou: groups
gidnumber: 10004
description: People who can manage engineer entries
memberUid: user1
memberUid: user2
memberUid: user3

# ipa group-show schema
  Group name: schema
  Description: People who can manage engineer entries
  GID: 10004
  Member users: user1, user2, user3

rob
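The two threads on this page hinge on the same two LDAP lookups: a user's primary group is whatever posixGroup carries the gidNumber stored on the user (Rob's option 1 for wdadeploy/wdaadmins, checked with id), and an RFC 2307 group lists its members as memberUid login names, which a migration into IPA has to turn into member DNs (why --schema=RFC2307 is needed for Maciej's groups). The script below is an added example written for this page; it is not FreeIPA's migrate-ds code or anything posted by the participants. The LDIF it parses is constructed test data modelled on Rob's sample and on the wdadeploy case, and the users container cn=users,cn=accounts,dc=example,dc=com is an assumed base DN.

```python
"""Resolve POSIX primary/supplementary groups from RFC 2307 LDIF and show
the memberUid -> member DN conversion an IPA migration must perform.
Added example for this thread; not FreeIPA code. All data is constructed."""

from collections import defaultdict

# Constructed sample directory (not a real export): wdadeploy's gidNumber
# points at its own user-private group, the situation Sean describes.
SAMPLE_LDIF = """\
dn: uid=wdadeploy,ou=People,dc=example,dc=com
objectclass: posixaccount
uid: wdadeploy
uidnumber: 10001
gidnumber: 10001

dn: uid=alice,ou=People,dc=example,dc=com
objectclass: posixaccount
uid: alice
uidnumber: 10002
gidnumber: 10010

dn: cn=wdadeploy,ou=Groups,dc=example,dc=com
objectClass: posixgroup
cn: wdadeploy
gidnumber: 10001

dn: cn=wdaadmins,ou=Groups,dc=example,dc=com
objectClass: posixgroup
cn: wdaadmins
gidnumber: 10010
memberUid: alice
memberUid: wdadeploy
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'.
    Attribute names are lower-cased (LDAP compares them case-insensitively);
    every attribute maps to a list of values."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip().lower()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries


def _has_class(entry, name):
    return name.lower() in (o.lower() for o in entry.get("objectclass", []))


def _find(entries, objclass, attr, value):
    return next(e for e in entries if _has_class(e, objclass) and e.get(attr) == [value])


def resolve_id(entries, login):
    """What id(1) reports: primary group = posixGroup whose gidNumber equals
    the user's gidNumber (the lookup SSSD does); supplementary groups = those
    whose memberUid names the user. 'groups' lists both, like id's groups=."""
    user = _find(entries, "posixAccount", "uid", login)
    groups = [e for e in entries if _has_class(e, "posixGroup")]
    gid = int(user["gidnumber"][0])
    primary = next((g["cn"][0] for g in groups if int(g["gidnumber"][0]) == gid), None)
    names = {g["cn"][0] for g in groups if login in g.get("memberuid", [])}
    if primary is not None:
        names.add(primary)
    return {"uid": int(user["uidnumber"][0]), "gid": gid,
            "primary": primary, "groups": sorted(names)}


def set_primary_group(entries, login, group_name):
    """Rob's option 1: point the user's gidNumber at the target group's GID.
    Returns the GID now recorded on the user."""
    group = _find(entries, "posixGroup", "cn", group_name)
    user = _find(entries, "posixAccount", "uid", login)
    user["gidnumber"] = list(group["gidnumber"])
    return int(user["gidnumber"][0])


def group_schema(group):
    """RFC 2307 groups name members by login (memberUid); RFC 2307bis and
    IPA's own groups name them by DN (member / uniqueMember)."""
    if "memberuid" in group:
        return "RFC2307"
    if "member" in group or "uniquemember" in group:
        return "RFC2307bis"
    return "unknown"


def memberuid_to_member_dns(group, users_container):
    """The conversion an RFC 2307 migration has to do: each memberUid becomes
    a member DN under the IPA users container (users_container is assumed)."""
    return [f"uid={login},{users_container}" for login in group.get("memberuid", [])]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("before:", resolve_id(directory, "wdadeploy"))
    set_primary_group(directory, "wdadeploy", "wdaadmins")
    print("after: ", resolve_id(directory, "wdadeploy"))
    admins = _find(directory, "posixGroup", "cn", "wdaadmins")
    print(group_schema(admins), memberuid_to_member_dns(admins, "cn=users,cn=accounts,dc=example,dc=com"))
```

Before the change, wdadeploy's primary group is its private group and wdaadmins is only supplementary; after set_primary_group the private group is no longer referenced by anything, which is why Rob says it can be detached. On a real IPA server the same two steps are `ipa user-mod wdadeploy --gidnumber=<GID of wdaadmins>` followed, optionally, by `ipa group-detach wdadeploy`, and `id wdadeploy` on an enrolled client is the check. Simo's alternative leaves gidNumber alone and puts a default ACL on the directory instead, e.g. `setfacl -d -m g:wdaadmins:rwx /path/to/dir`, so files wdadeploy creates there are writable by wdaadmins regardless of their group owner.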
Re: [Freeipa-users] groups migration
On Mon, Jun 18, 2012 at 7:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
> If you could provide an ldif for one of the groups to be migrated we can
> tell you.

dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
description: Management team of SomeCompany
memberUid: some.user0
memberUid: some.user1
memberUid: some.user2

regards,
Maciej Sawicki
Re: [Freeipa-users] groups migration
On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
> Hi,
> I (almost) managed to migrate groups from my previous server. That is,
> group names migrated perfectly, unfortunately when I login to the web
> panel all groups are empty. I used the following command:
>
> ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'
>
> I will appreciate any help.

I think the problem is that my current installation uses the memberUid
attribute in the group object and free-ipa uses memberUid in the user
object. I found the compatibility plugin so I think after migration it
will allow me to use IPA in a legacy environment. The problem is how to
perform the migration? Can I use the migrate script for this or should I
write my own?

regards,
Maciek Sawicki
Re: [Freeipa-users] groups migration
Maciej Sawicki wrote:
> On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
>> Hi,
>> I (almost) managed to migrate groups from my previous server. That is,
>> group names migrated perfectly, unfortunately when I login to the web
>> panel all groups are empty. I used the following command:
>>
>> ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'
>>
>> I will appreciate any help.
>
> I think the problem is that my current installation uses the memberUid
> attribute in the group object and free-ipa uses memberUid in the user
> object. I found the compatibility plugin so I think after migration it
> will allow me to use IPA in a legacy environment. The problem is how to
> perform the migration? Can I use the migrate script for this or should I
> write my own?

Pass in --schema=RFC2307 to the migrate-ds command to migrate these
groups.

rob
Re: [Freeipa-users] groups migration
On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce s...@redhat.com wrote:
> On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
>> bump
>>
>> On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
>>> Hi,
>>> I (almost) managed to migrate groups from my previous server. That is,
>>> group names migrated perfectly, unfortunately when I login to the web
>>> panel all groups are empty. I used the following command:
>>>
>>> ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'
>>>
>>> I will appreciate any help.
>
> Hi Maciej,
> what kind of schema is in use in the server you want to migrate from?
> rfc2309/rfc2309bis? other?

I think its rfc2307:

maciej.sawicki@lem:/etc/ldap$ grep -r 2307 schema/nis.schema
# Definitions from RFC2307 (Experimental)
# Note: The definitions in RFC2307 are given in syntaxes closely related
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
maciej.sawicki@lem:/etc/ldap$

Is there any better way to check this?

Some more info about the ipa server:
os: Fedora 17
ipa version: 2.2

regards,
Maciej Sawicki
Re: [Freeipa-users] groups migration
Maciej Sawicki wrote:
> On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce s...@redhat.com wrote:
>> On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
>>> bump
>>>
>>> On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
>>>> Hi,
>>>> I (almost) managed to migrate groups from my previous server. That is,
>>>> group names migrated perfectly, unfortunately when I login to the web
>>>> panel all groups are empty. I used the following command:
>>>>
>>>> ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'
>>>>
>>>> I will appreciate any help.
>>
>> Hi Maciej,
>> what kind of schema is in use in the server you want to migrate from?
>> rfc2309/rfc2309bis? other?
>
> I think its rfc2307:
>
> maciej.sawicki@lem:/etc/ldap$ grep -r 2307 schema/nis.schema
> # Definitions from RFC2307 (Experimental)
> # Note: The definitions in RFC2307 are given in syntaxes closely related
> # i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
> maciej.sawicki@lem:/etc/ldap$
>
> Is there any better way to check this?
>
> Some more info about the ipa server:
> os: Fedora 17
> ipa version: 2.2

If you could provide an ldif for one of the groups to be migrated we can
tell you.

rob
Re: [Freeipa-users] groups migration
On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
> bump
>
> On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
>> Hi,
>> I (almost) managed to migrate groups from my previous server. That is,
>> group names migrated perfectly, unfortunately when I login to the web
>> panel all groups are empty. I used the following command:
>>
>> ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'
>>
>> I will appreciate any help.

Hi Maciej,
what kind of schema is in use in the server you want to migrate from?
rfc2309/rfc2309bis? other?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] groups migration problem
On Tue, Mar 20, 2012 at 7:22 PM, Rob Crittenden rcrit...@redhat.com wrote:
> The basedn is automatically appended. Try --group-container=ou=groups

Hi Rob,
Thanks for the quick answer. I tried it today. Didn't help.

[root@free-ipa ~]# ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups'
Password:
ipa: ERROR: Container for group not found

regards,
Maciej Sawicki
Re: [Freeipa-users] groups migration problem
Hi,
I solved my problem :D. I had to add the --group-objectclas argument:

ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups' --group-objectclas='posixGroup'

Anyway, I think the "ipa: ERROR: Container for group not found" error is
confusing.

best regards,
Maciej Sawicki

On Fri, Mar 23, 2012 at 11:16 AM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
> On Tue, Mar 20, 2012 at 7:22 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> The basedn is automatically appended. Try --group-container=ou=groups
>
> Hi Rob,
> Thanks for the quick answer. I tried it today. Didn't help.
>
> [root@free-ipa ~]# ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups'
> Password:
> ipa: ERROR: Container for group not found
>
> regards,
> Maciej Sawicki
Re: [Freeipa-users] groups migration problem
On 03/20/2012 07:22 PM, Rob Crittenden wrote:
> Maciej Sawicki wrote:
>> Hi,
>> I haven't managed to migrate LDAP groups (in the free ipa panel I see
>> that users are migrated)
>>
>> #ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups,dc=polidea,dc=pl'
>> #ipa: ERROR: Container for group not found
>>
>> My old ldap setup:
>> https://skitch.com/viroos/8miq5/ldap-ou-groups-dc-polidea-dc-pl-lem-apache-directory-studio.
>
> The basedn is automatically appended. Try --group-container=ou=groups
>
> regards
>
> rob

It would be nice to include something like "The basedn was automatically
appended." in this kind of error message. Another option is to print the
whole DN as part of the error message.

Petr^2 Spacek
Re: [Freeipa-users] groups migration problem
Maciej Sawicki wrote:
> Hi,
> I haven't managed to migrate LDAP groups (in the free ipa panel I see
> that users are migrated)
>
> #ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups,dc=polidea,dc=pl'
> #ipa: ERROR: Container for group not found
>
> My old ldap setup:
> https://skitch.com/viroos/8miq5/ldap-ou-groups-dc-polidea-dc-pl-lem-apache-directory-studio.

The basedn is automatically appended. Try --group-container=ou=groups

regards

rob