[Freeipa-users] Serving RFC2307 to OS X clients
Nalin Dahyabhai
nalin at redhat.com
Thu Jun 7 22:46:48 UTC 2012
On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>
> > ldapsearch -h sbgrid-directory -Y GSSAPI \
> > -b "cn=Schema Compatibility,cn=plugins,cn=config" \
> > nsslapd-pluginEnabled
> >
> > The results should look like this:
> >
> > dn: cn=Schema Compatibility,cn=plugins,cn=config
> > nsslapd-pluginEnabled: off
> >
> > dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> >
> > dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>
> Hmm, I only get this:
>
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
>
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

I don't have an explanation for how it got that way, but you're missing
some entries, and that probably explains why you don't see compat data
for groups.

I'm attaching the LDIF for these entries from my test server, with the
suffix changed from the one I'm using to yours. The 'cn=users',
'cn=groups', and 'cn=ng' entries should be accepted without issue by
'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you
already have one.

Normally that'd be the right thing, but if your 'cn=sudoers' entry looks
different from the one in the LDIF file, you may want to change it as
well by using 'ldapmodify'.

HTH,

Nalin
-------------- next part --------------
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=nisNetgroup
schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\
 ",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHo
 st\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\
 \\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\
 \\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\
 ",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\
 \\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r
 (\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\
 ")","-"),%{nisDomainName:-})
schema-compat-check-access: yes
cn: ng
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (objectclass=ipaNisNetgroup)
schema-compat-container-rdn: cn=ng
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=ng, cn=alt, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
 ternalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)
 ))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\
 "uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%d
 eref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%de
 ref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{ex
 ternalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEn
 try)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"
 fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntr
 y))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
 eref(\"memberAllowCmd\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
 eref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member",
 "sudoCmd")
schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser}
schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid")
schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory",
 "all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")
 ")
schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(o
 bjectclass=posixGroup)","cn")
cn: sudoers
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE
 ))(!(ipaEnabledFlag=FALSE)))
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=sudorules, cn=sudo, dc=sbgrid,dc=org
schema-compat-container-group: ou=SUDOers, dc=sbgrid,dc=org

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixAccount
schema-compat-entry-attribute: gecos=%{cn}
schema-compat-entry-attribute: cn=%{cn}
schema-compat-entry-attribute: uidNumber=%{uidNumber}
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: loginShell=%{loginShell}
schema-compat-entry-attribute: homeDirectory=%{homeDirectory}
cn: users
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixAccount
schema-compat-container-rdn: cn=users
schema-compat-entry-rdn: uid=%{uid}
schema-compat-search-base: cn=users, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org
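
Added example, not part of the original message or of FreeIPA: before running 'ldapadd -c' or 'ldapmodify', the attached definitions can be compared with what ldapsearch returns under cn=Schema Compatibility, which lists the entries that are missing and any value that differs in an existing entry such as cn=sudoers (the definition that controls how sudo rules are presented to compat clients). The function names and the cut-down sample input are constructed for illustration; base64-encoded values and escaped commas in DNs are assumed not to occur.

```python
def parse_ldif(text):
    """Parse LDIF into {normalized_dn: {attr: set(values)}} (no base64 values)."""
    lines = []
    for raw in text.splitlines():
        # RFC 2849 folding: a leading single space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        attr, _, value = (part.strip() for part in line.partition(":"))
        if not line.strip():
            current = None                      # blank line ends an entry
        elif attr.lower() == "dn":
            # Naive DN normalization: assumes no escaped commas in RDNs.
            dn = ",".join(p.strip() for p in value.lower().split(","))
            current = entries.setdefault(dn, {})
        elif current is not None and not line.startswith("#"):
            current.setdefault(attr.lower(), set()).add(value)
    return entries

def compat_drift(expected_ldif, actual_ldif):
    """Return entries missing on the server and per-attribute value differences."""
    expected, actual = parse_ldif(expected_ldif), parse_ldif(actual_ldif)
    report = {}
    for dn, want in expected.items():
        have, diff = actual.get(dn), {}
        if have is None:
            report[dn] = "missing"              # candidate for ldapadd
            continue
        for attr in sorted(set(want) | set(have)):
            absent = sorted(want.get(attr, set()) - have.get(attr, set()))
            extra = sorted(have.get(attr, set()) - want.get(attr, set()))
            if absent or extra:
                diff[attr] = {"absent": absent, "extra": extra}
        if diff:
            report[dn] = diff                   # candidate for ldapmodify
    return report

# Constructed sample input: a cut-down copy of the attached definitions and a
# made-up server reply that lacks cn=users and one cn=sudoers value.
EXPECTED = r"""dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
 ternalUser}")
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
"""
ACTUAL = r"""dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")
"""
```

Values are compared as exact strings after unfolding, so a difference in case or spacing inside a value is reported as drift and needs a manual look.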