Re: [Freeipa-users] Groups

2015-10-06 Thread Simo Sorce

On 06/10/15 13:14, Rob Crittenden wrote:

Sean Hogan wrote:

Hello,

I have been rolling out an IPA deployment for IBM Watson for the past 3
months. Initially I did not want to take on application ids (linux OS
Ids owning apps). I now have to so I have created the accounts in IPA
however new files created by user wdadeploy are being created with
wdadeploy:wdadeploy where the app team wants new files owned
wdadeploy:wdaadmins. Is there a way to accomplish this? I wanted the
application IDs to stay local but they want to see if this works.


By default IPA creates users with a user-private group. This is a POSIX
group that cannot have members with the same name as the user (and the
UID and GID will match).

SSSD gets the primary group from the GID attribute in the user so you
have a couple of options that I can see:

1. Modify the user to set the GID to the GID of wdaadmins
2. Do 1. and also detach the private group from the user since it isn't
being used any more (and you can delete it if you know you'll never use
it). Note that once detached it can never be re-attached (or not via any
IPA-provided tools anyway).

Now strictly speaking I don't think that wdadeploy needs to be a member
of wdaadmins for this to work but that would probably be quite confusing
in the long-run.

Use the id command to confirm that the gid resolves to wdaadmins.


Another option is to keep stuff as it is in IPA and use file system 
default ACLs so that wdaadmins get read/write or whatever access on the 
files wdadeploy creates.


Simo.


--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Groups

2015-10-06 Thread Rob Crittenden
Sean Hogan wrote:
> Hello,
> 
> I have been rolling out an IPA deployment for IBM Watson for the past 3
> months. Initially I did not want to take on application ids (linux OS
> Ids owning apps). I now have to so I have created the accounts in IPA
> however new files created by user wdadeploy are being created with
> wdadeploy:wdadeploy where the app team wants new files owned
> wdadeploy:wdaadmins. Is there a way to accomplish this? I wanted the
> application IDs to stay local but they want to see if this works.

By default IPA creates users with a user-private group. This is a POSIX
group that cannot have members with the same name as the user (and the
UID and GID will match).

SSSD gets the primary group from the GID attribute in the user so you
have a couple of options that I can see:

1. Modify the user to set the GID to the GID of wdaadmins
2. Do 1. and also detach the private group from the user since it isn't
being used any more (and you can delete it if you know you'll never use
it). Note that once detached it can never be re-attached (or not via any
IPA-provided tools anyway).

Now strictly speaking I don't think that wdadeploy needs to be a member
of wdaadmins for this to work but that would probably be quite confusing
in the long-run.

Use the id command to confirm that the gid resolves to wdaadmins.

rob

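Added example, not part of the thread and not FreeIPA code: a small Python model of what members of wdaadmins actually get on a file wdadeploy creates, under Rob's option 1 (wdaadmins becomes the primary group, i.e. ipa user-mod wdadeploy --gidnumber=<GID of wdaadmins>, optionally followed by ipa group-detach wdadeploy) and under Simo's default-ACL option (setfacl -d -m g:wdaadmins:rwx on the directory, leaving the private group in place). The inheritance rules are those of acl(5), "Object creation and default ACLs". The directory /srv/wda, the create modes and the umask values are assumptions. What it shows: only the primary-group change produces files owned wdadeploy:wdaadmins; the default ACL keeps the private group as the owning group and gives wdaadmins a named entry instead, and in both cases the creating process's mode or umask still decides whether that ends up rw- or r--.

```python
"""Who gets what on a file wdadeploy creates, under the two approaches from
the thread: (A) make wdaadmins the account's primary group; (B) keep the
user-private group and put a default ACL on the directory.  Inheritance
follows acl(5), "Object creation and default ACLs".  Added example, not
FreeIPA code; the directory, create modes and umask values are assumed."""

PERM = {'r': 4, 'w': 2, 'x': 1}

def parse_perms(s):
    """'rw-' -> 6"""
    return sum(PERM[c] for c in s if c in PERM)

def fmt_perms(n):
    """6 -> 'rw-'"""
    return ''.join(c if n & PERM[c] else '-' for c in 'rwx')

def parse_acl(text):
    """getfacl(1)-style lines -> [(tag, qualifier_or_None, perms_int)].
    Tolerates a 'default:' prefix, '# file:' headers and '#effective:' notes."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(':')
        if parts[0] == 'default':
            parts = parts[1:]
        tag, qualifier, perms = parts
        entries.append((tag, qualifier or None, parse_perms(perms)))
    return entries

def new_file_plain(create_mode, umask, primary_group):
    """(A) no default ACL on the parent: the group owner is the creator's
    primary group and the mode is create_mode with umask applied."""
    mode = create_mode & ~umask & 0o777
    return {'group_owner': primary_group, 'group_perms': (mode >> 3) & 7}

def new_file_with_default_acl(default_acl, create_mode, primary_group):
    """(B) default ACL on the parent: umask is not applied.  The file inherits
    the default ACL; user::, mask:: (or group:: if there is no mask) and
    other:: are ANDed with the matching bits of create_mode; group:: and
    named user/group entries are then limited by the mask."""
    owner_bits, group_bits, other_bits = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    has_mask = any(tag == 'mask' for tag, _, _ in default_acl)
    acl = []
    for tag, qual, perms in default_acl:
        if tag == 'user' and qual is None:
            perms &= owner_bits
        elif tag == 'mask' or (tag == 'group' and qual is None and not has_mask):
            perms &= group_bits
        elif tag == 'other':
            perms &= other_bits
        acl.append((tag, qual, perms))
    mask = next((p for t, _, p in acl if t == 'mask'), 7)
    effective = {}
    for tag, qual, perms in acl:
        limited = tag == 'group' or qual is not None
        effective[f'{tag}:{qual or ""}'] = perms & mask if limited else perms
    return {'group_owner': primary_group, 'effective': effective}

def wdaadmins_rights(approach, create_mode, umask=0o022, default_acl_text=''):
    """(group owner, 'rwx'-style string) for what wdaadmins members get on a
    new file.  'A': wdaadmins is the primary group.  'B': the primary group is
    still the private group wdadeploy and rights come from the default ACL."""
    if approach == 'A':
        f = new_file_plain(create_mode, umask, 'wdaadmins')
        return f['group_owner'], fmt_perms(f['group_perms'])
    f = new_file_with_default_acl(parse_acl(default_acl_text), create_mode, 'wdadeploy')
    return f['group_owner'], fmt_perms(f['effective'].get('group:wdaadmins', 0))

# Constructed: what `getfacl -d /srv/wda` would print after
# `setfacl -d -m g:wdaadmins:rwx /srv/wda` (directory path assumed).
DEFAULT_ACL = """\
# file: srv/wda
# owner: wdadeploy
# group: wdadeploy
user::rwx
group::r-x
group:wdaadmins:rwx
mask::rwx
other::r-x
"""

if __name__ == '__main__':
    for mode in (0o666, 0o644):
        for umask in (0o022, 0o002):
            print(f'A  mode={mode:o} umask={umask:03o}:', wdaadmins_rights('A', mode, umask))
        print(f'B  mode={mode:o} (umask ignored):', wdaadmins_rights('B', mode, default_acl_text=DEFAULT_ACL))
```

After changing the user's gidNumber in IPA, clear the SSSD cache on the host (sss_cache -u wdadeploy) before running the id check Rob suggests, otherwise a stale cached entry can still report the old private group as primary.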


Re: [Freeipa-users] groups migration

2012-06-21 Thread Maciej Sawicki
On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.


Thank you Rob. I tried this option and it didn't help; my groups in
IPA are still empty :(.

regards,
Maciej Sawicki

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] groups migration

2012-06-21 Thread Rob Crittenden

Maciej Sawicki wrote:

On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden rcrit...@redhat.com wrote:

Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.



Thank you Rob. I tried this option and it didn't help; my groups in
IPA are still empty :(.

regards,
Maciej Sawicki


It won't re-migrate a group once it is added. Did you remove the group 
in IPA before trying again?


I did a quickie test using a current build from master (what will become 
3.0) and it worked ok. We haven't done any migration changes since 2.2 
so it should be the same code. What version and platform are you using?


The command-line I used was:

# ipa migrate-ds ldap://pogo.example.com:3389 --schema=RFC2307 --with-compat

My data was:

dn: uid=user1,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user1
uidnumber: 1
gidnumber: 10001
loginshell: /bin/sh
homedirectory: /home/user1
cn: Test User

dn: uid=user2,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user2
uidnumber: 10003
gidnumber: 10004
loginshell: /bin/sh
homedirectory: /home/user2
cn: Test User 2

dn: uid=user3,ou=People,dc=greyoak,dc=com
objectclass: top
objectclass: posixaccount
objectclass: inetorgperson
sn: User
givenname: test
uid: user3
uidnumber: 10005
gidnumber: 10006
loginshell: /bin/sh
homedirectory: /home/user3
cn: Test User 3

dn: cn=schema,ou=Groups,dc=greyoak,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixgroup
cn: schema
ou: groups
gidnumber: 10004
description: People who can manage engineer entries
memberUid: user1
memberUid: user2
memberUid: user3

# ipa group-show schema
  Group name: schema
  Description: People who can manage engineer entries
  GID: 10004
  Member users: user1, user2, user3

rob

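Added example, not from the thread and not FreeIPA's own code: Python that performs, on Rob's sample data, the translation migrate-ds does with --schema=RFC2307, turning each memberUid login name into the member DN an IPA group stores, and reports memberUids that have no matching user entry. Run with the default RFC2307bis schema, which reads member/uniqueMember DNs and ignores memberUid, the same group comes out empty, consistent with the empty groups reported earlier in this thread. Assumptions: base DN dc=example,dc=com and IPA's cn=users,cn=accounts user container. The LDIF is constructed from entries posted in this thread, with Maciej's management-team group given one memberUid that has no user.

```python
"""RFC 2307 posixGroup (memberUid login names) -> FreeIPA group members (DNs):
the translation `ipa migrate-ds --schema=RFC2307` performs, plus why the
default RFC2307bis schema leaves such groups empty.  Added example, not
FreeIPA code.  Assumptions: base DN dc=example,dc=com; users live in IPA's
cn=users,cn=accounts container.  The LDIF is constructed from the thread."""
from collections import defaultdict

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr_lowercase: [values]})].  Joins folded
    lines and skips '#' comments; base64 ('::') values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + ['']:             # trailing '' flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not line.startswith('#'):
            name, _, value = line.partition(':')
            name, value = name.strip().lower(), value.strip()
            if name == 'dn':
                dn = value
            else:
                attrs[name].append(value)
    return entries

def has_class(attrs, oc):
    return oc.lower() in [v.lower() for v in attrs.get('objectclass', [])]

def ipa_user_dn(uid, base_dn):
    return f'uid={uid},cn=users,cn=accounts,{base_dn}'

def convert_group(attrs, schema, base_dn, known_uids):
    """-> (member_dns, unresolved_names).  RFC2307 reads memberUid (login
    names); RFC2307bis reads member/uniqueMember (DNs, uid taken from the RDN)
    and ignores memberUid, which is how an RFC 2307 group ends up empty."""
    if schema == 'RFC2307':
        names = attrs.get('memberuid', [])
    elif schema == 'RFC2307bis':
        names = [dn.split(',', 1)[0].partition('=')[2].strip()
                 for dn in attrs.get('member', []) + attrs.get('uniquemember', [])]
    else:
        raise ValueError(f'unknown schema {schema!r}')
    members = [ipa_user_dn(n, base_dn) for n in names if n in known_uids]
    unresolved = [n for n in names if n not in known_uids]
    return members, unresolved

def migrate_groups(ldif_text, schema, base_dn):
    """cn -> {'gidnumber', 'member', 'unresolved'} for each posixGroup, with
    members resolved against the posixAccount entries in the same LDIF."""
    entries = parse_ldif(ldif_text)
    known = {a['uid'][0] for _, a in entries if has_class(a, 'posixAccount')}
    out = {}
    for _, a in entries:
        if has_class(a, 'posixGroup'):
            members, unresolved = convert_group(a, schema, base_dn, known)
            out[a['cn'][0]] = {'gidnumber': int(a['gidnumber'][0]),
                               'member': members, 'unresolved': unresolved}
    return out

# Constructed sample: Rob's users and group (abbreviated), plus Maciej's
# group with one memberUid that has no user entry.
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=greyoak,dc=com
objectclass: posixaccount
uid: user1

dn: uid=user2,ou=People,dc=greyoak,dc=com
objectclass: posixaccount
uid: user2

dn: cn=schema,ou=Groups,dc=greyoak,dc=com
objectClass: posixgroup
cn: schema
gidnumber: 10004
memberUid: user1
memberUid: user2

dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
memberUid: user1
memberUid: some.user0
"""

if __name__ == '__main__':
    for schema in ('RFC2307', 'RFC2307bis'):
        print(schema, migrate_groups(SAMPLE_LDIF, schema, 'dc=example,dc=com'))
```

The unresolved list is the check worth running before a real migration: migrate-ds builds the member DN from the login name, so a memberUid whose user was never migrated (or was renamed) silently yields a dangling reference rather than a working membership.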


Re: [Freeipa-users] groups migration

2012-06-19 Thread Maciej Sawicki
On Mon, Jun 18, 2012 at 7:24 PM, Rob Crittenden rcrit...@redhat.com wrote:

 If you could provide an ldif for one of the groups to be migrated we can
 tell you.


dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
description: Management team of SomeCompany
memberUid: some.user0
memberUid: some.user1
memberUid: some.user2

regards,
Maciej Sawicki



Re: [Freeipa-users] groups migration

2012-06-19 Thread Maciej Sawicki
On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
maciej.sawi...@polidea.pl wrote:
 Hi,
 I (almost) managed to migrate groups from my previous server. That is,
 group names migrated perfectly; unfortunately, when I log in to the web
 panel all groups are empty.

 I used following command:
 ipa migrate-ds ldap://192.168.1.125:389
 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
 --group-objectclas='posixGroup'

 I will appreciate any help.


I think the problem is that my current installation uses the memberUid
attribute in the group object and FreeIPA uses memberUid in the user
object.

I found the compatibility plugin, so I think after migration it will
allow me to use IPA in a legacy environment. The problem is how to
perform the migration. Can I use the migrate script for this or should I
write my own?

regards,
Maciek Sawicki



Re: [Freeipa-users] groups migration

2012-06-19 Thread Rob Crittenden

Maciej Sawicki wrote:

On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
maciej.sawi...@polidea.pl  wrote:

Hi,
I (almost) managed to migrate groups from my previous server. That is,
group names migrated perfectly; unfortunately, when I log in to the web
panel all groups are empty.

I used following command:
ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
--group-objectclas='posixGroup'

I will appreciate any help.



I think the problem is that my current installation uses the memberUid
attribute in the group object and FreeIPA uses memberUid in the user
object.

I found the compatibility plugin, so I think after migration it will
allow me to use IPA in a legacy environment. The problem is how to
perform the migration. Can I use the migrate script for this or should I
write my own?


Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.

rob



Re: [Freeipa-users] groups migration

2012-06-18 Thread Maciej Sawicki
On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce s...@redhat.com wrote:
 On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
 bump

 On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
 maciej.sawi...@polidea.pl wrote:
  Hi,
  I (almost) managed to migrate groups from my previous server. That is,
  group names migrated perfectly; unfortunately, when I log in to the web
  panel all groups are empty.
 
  I used following command:
  ipa migrate-ds ldap://192.168.1.125:389
  --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
  --group-objectclas='posixGroup'
 
  I will appreciate any help.
 

 Hi Maciej,
 what kind of schema is in use in the server you want to migrate from?
 rfc2307/rfc2307bis? other?


I think it's rfc2307:

maciej.sawicki@lem:/etc/ldap$ grep -r 2307 schema/nis.schema
# Definitions from RFC2307 (Experimental)
# Note: The definitions in RFC2307 are given in syntaxes closely related
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
maciej.sawicki@lem:/etc/ldap$

Is there any better way to check this?

Some more info about ipa server:
os: Fedora 17
ipa version: 2.2

regards,
Maciej Sawicki



Re: [Freeipa-users] groups migration

2012-06-18 Thread Rob Crittenden

Maciej Sawicki wrote:

On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce s...@redhat.com wrote:

On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:

bump

On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
maciej.sawi...@polidea.pl  wrote:

Hi,
I (almost) managed to migrate groups from my previous server. That is,
group names migrated perfectly; unfortunately, when I log in to the web
panel all groups are empty.

I used following command:
ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
--group-objectclas='posixGroup'

I will appreciate any help.



Hi Maciej,
what kind of schema is in use in the server you want to migrate from?
rfc2307/rfc2307bis? other?



I think it's rfc2307:

maciej.sawicki@lem:/etc/ldap$ grep -r 2307 schema/nis.schema
# Definitions from RFC2307 (Experimental)
# Note: The definitions in RFC2307 are given in syntaxes closely related
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
maciej.sawicki@lem:/etc/ldap$

Is there any better way to check this?

Some more info about ipa server:
os: Fedora 17
ipa version: 2.2



If you could provide an ldif for one of the groups to be migrated we can 
tell you.


rob



Re: [Freeipa-users] groups migration

2012-06-14 Thread Simo Sorce
On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
 bump
 
 On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
 maciej.sawi...@polidea.pl wrote:
  Hi,
  I (almost) managed to migrate groups from my previous server. That is,
  group names migrated perfectly; unfortunately, when I log in to the web
  panel all groups are empty.
 
  I used following command:
  ipa migrate-ds ldap://192.168.1.125:389
  --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
  --group-objectclas='posixGroup'
 
  I will appreciate any help.
 

Hi Maciej,
what kind of schema is in use in the server you want to migrate from?
rfc2307/rfc2307bis? other?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] groups migration problem

2012-03-23 Thread Maciej Sawicki
On Tue, Mar 20, 2012 at 7:22 PM, Rob Crittenden rcrit...@redhat.com wrote:
 The basedn is automatically appended. Try --group-container=ou=groups


Hi Rob,
Thanks for the quick answer. I tried it today. It didn't help.

[root@free-ipa ~]# ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups'
Password:
ipa: ERROR: Container for group not found


regards,
Maciej Sawicki



Re: [Freeipa-users] groups migration problem

2012-03-23 Thread Maciej Sawicki
Hi,
I solved my problem :D. I had to add the --group-objectclas argument:

ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups'
--group-objectclas='posixGroup'

Anyway, I think the "ipa: ERROR: Container for group not found" error is confusing.

best regards,
Maciej Sawicki



On Fri, Mar 23, 2012 at 11:16 AM, Maciej Sawicki
maciej.sawi...@polidea.pl wrote:
 On Tue, Mar 20, 2012 at 7:22 PM, Rob Crittenden rcrit...@redhat.com wrote:
 The basedn is automatically appended. Try --group-container=ou=groups


 Hi Rob,
 Thanks for the quick answer. I tried it today. It didn't help.

 [root@free-ipa ~]# ipa migrate-ds ldap://192.168.1.125:389
 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups'
 Password:
 ipa: ERROR: Container for group not found
 

 regards,
 Maciej Sawicki



Re: [Freeipa-users] groups migration problem

2012-03-21 Thread Petr Spacek

On 03/20/2012 07:22 PM, Rob Crittenden wrote:

Maciej Sawicki wrote:

Hi,
I haven't managed to migrate LDAP groups (in the FreeIPA panel I see that
users are migrated)
#ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=polidea,dc=pl
--group-container='ou=groups,dc=polidea,dc=pl'
#ipa: ERROR: Container for group not found

My old ldap setup:
https://skitch.com/viroos/8miq5/ldap-ou-groups-dc-polidea-dc-pl-lem-apache-directory-studio.



The basedn is automatically appended. Try --group-container=ou=groups

regards

rob


It would be nice to include something like "The basedn was automatically
appended." in this kind of error message.


Another option is to print whole DN as part of error message.

Petr^2 Spacek



Re: [Freeipa-users] groups migration problem

2012-03-20 Thread Rob Crittenden

Maciej Sawicki wrote:

Hi,
I haven't managed to migrate LDAP groups (in the FreeIPA panel I see that
users are migrated)
#ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=polidea,dc=pl
--group-container='ou=groups,dc=polidea,dc=pl'
#ipa: ERROR: Container for group not found

My old ldap setup:
https://skitch.com/viroos/8miq5/ldap-ou-groups-dc-polidea-dc-pl-lem-apache-directory-studio.


The basedn is automatically appended. Try --group-container=ou=groups

regards

rob

