[Freeipa-devel] [PATCH 200] slapi-nis: update configuration to allow external members

Alexander Bokovoy abokovoy at redhat.com
Mon Feb 22 17:14:55 UTC 2016 

On Mon, 22 Feb 2016, Tomas Babej wrote:
>
>
>On 02/22/2016 11:48 AM, Alexander Bokovoy wrote:
>> Hi,
>>
>> attached patch should update compat tree configuration if it exist to
>> follow slapi-nis 0.55 which has support for external members of IPA
>> groups.
>>
>> However, the real work is done in SSSD. These patches are not upstreamed
>> yet. We'll need to bump SSSD dependency in future once they come to
>> distros.
>>
>>
>>
>
>This looks good.
>
>However, the new update file needs to be added to Makefile.am.
>Additionally, patch adds a whitespace error.
Updated patch is attached.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 6d50894c6ac2cf7f32b152bd09c16cde2fc327fb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 22 Feb 2016 12:40:03 +0200
Subject: [PATCH] slapi-nis: update configuration to allow external members of
 IPA groups

Currently in an environment with trust to AD the compat tree does not
show AD users as members of IPA groups. The reason is that IPA groups
are read directly from the IPA DS tree and external groups are not
handled.

slapi-nis project has added support for it in 0.55, make sure we update
configuration for the group map if it exists and depend on 0.55 version.

https://fedorahosted.org/freeipa/ticket/4403
---
 freeipa.spec.in                           | 2 +-
 install/updates/50-externalmembers.update | 3 +++
 install/updates/Makefile.am               | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 install/updates/50-externalmembers.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 54a11bf..0b14bdc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -153,7 +153,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.54.2-1
+Requires: slapi-nis >= 0.55-1
 Requires: pki-ca >= 10.2.6-13
 Requires: pki-kra >= 10.2.6-13
 Requires(preun): python systemd-units
diff --git a/install/updates/50-externalmembers.update b/install/updates/50-externalmembers.update
new file mode 100644
index 0000000..6b9c5dd
--- /dev/null
+++ b/install/updates/50-externalmembers.update
@@ -0,0 +1,3 @@
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
+addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index b04ab48..3edc214 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -45,6 +45,7 @@ app_DATA =				\
 	50-krbenctypes.update		\
 	50-nis.update			\
 	50-ipaconfig.update		\
+	50-externalmembers.update	\
 	55-pbacmemberof.update		\
 	59-trusts-sysacount.update	\
 	60-trusts.update		\
-- 
2.5.0

More information about the Freeipa-devel mailing list