[Freeipa-users] Openldap to IPA migration confusion

Qing Chang qchang at sri.utoronto.ca
Fri Jul 20 20:56:03 UTC 2012


Greetings,

Migration from OpenLDAP to IPA creates a pair of subtrees for both users and groups:
compat and accounts. Using groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca

The IPA web GUI does not show the "memberUid" attribute, although it is migrated correctly.
Adding a user to the group in the web GUI reveals that the member is added to both
compat and accounts, but differently:
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang

It also reveals that the GUI does not display anything for the "compat" tree, but I can use
LDAP tools to show compat entries.

My questions:
1. Why do we have two trees created? I vaguely remember that it is mentioned that
     compat is for support of IPA as an NIS proxy?
2. Can the migration script be modified to convert "memberUid" to "member" for
     the accounts tree? Or can I modify it manually and load the tree with ldapmod without
     breaking IPA?
3. What does Samba use, compat or accounts? I do have a Samba server set up as
     an IPA client and it works very well, but I don't seem to be able to find a place
     to specify either compat or accounts for user and group lookup. I assume the IPA
     client libraries take care of it. In fact, there are no entries related to LDAP
     in my smb.conf; there are only a few lines related to IPA/Kerberos:
=====
         security = user
         passdb backend = smbpasswd

# Kerberos options
         realm = SRI.UTORONTO.CA
         kerberos method = dedicated keytab
         dedicated keytab file = /etc/krb5.keytab
=====

Thanks in advance!
Qing



