[Freeipa-users] Openldap to IPA migration confusion

Rob Crittenden rcritten at redhat.com
Fri Jul 20 21:14:58 UTC 2012


Qing Chang wrote:
> Greetings,
>
> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
> and groups: compat and accounts. Using groups as an example:
> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>
> The IPA web GUI does not show the "memberUid" attribute, although it is
> migrated correctly. Adding a user to the group in the web GUI reveals
> that the member is added to both compat and accounts, but differently:
> accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
> compat: memberUid: qchang
>
> It also reveals that the GUI does not display anything for the "compat"
> tree, but I can use ldap tools to show compat entries.
> My questions:
> 1, why do we have two trees created? I vaguely remember that it is
>      mentioned that compat is for support of IPA as an NIS proxy?

cn=compat is a view of the data in rfc2307-compatible format (so 
memberUid instead of member). It isn't a separate copy.

It is so clients that don't support 2307bis can still authenticate and 
identify users using nss_ldap.

> 2, Can the migration script be modified to convert "memberUid" to
>      "member" for the accounts tree? Or can I modify it manually and load
>      the tree with ldapmod without breaking IPA?

It already can, see the --schema option.

> 3, What does Samba use, compat or accounts? I do have a Samba server
>      set up as an IPA client and it works very well, but I don't seem to
>      be able to find a place to specify either compat or accounts for
>      user and group lookup; I assume the IPA client libraries take care
>      of it. In fact there are no entries related to LDAP in my smb.conf,
>      there are only a few lines related to IPA/Kerberos:
> =====
>          security = user
>          passdb backend = smbpasswd
>
> # Kerberos options
>          realm = SRI.UTORONTO.CA
>          kerberos method = dedicated keytab
>          dedicated keytab file = /etc/krb5.keytab
> =====

I'm not familiar with configuring Samba with an ldap backend, maybe 
someone else will chime in.

rob
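The mapping Rob describes (the same group exposed once under cn=accounts with RFC2307bis `member` DNs and once under cn=compat with RFC2307 `memberUid` values) can be seen end to end with a small LDIF rewrite. The script below is an added example and is not FreeIPA's own code: FreeIPA computes cn=compat on the fly inside the directory server rather than storing a second copy, and this script only reproduces the attribute rewrite so the difference between the two trees, and the `memberUid` to `member` conversion asked about in question 2, is concrete. The group entry is constructed from the DNs quoted in the thread; the `users_container` default and the handling of a nested-group member DN are assumptions for illustration.

```python
"""RFC2307bis (cn=accounts) <-> RFC2307 (cn=compat) group rewrite.

Added example, not FreeIPA's code. It shows the attribute mapping Rob
describes: member DNs in the accounts tree appear as memberUid values in
the compat view. The LDIF below is constructed from the DNs in the thread.
"""
import re

# Constructed sample: the group as stored in the accounts tree (RFC2307bis).
# The nested group "subgrp" is an assumption, added to show what a plain
# RDN rewrite cannot turn into a memberUid.
ACCOUNTS_LDIF = """\
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
objectClass: ipausergroup
objectClass: posixgroup
cn: acdp
gidNumber: 1001
member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
member: uid=alice,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
member: cn=subgrp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
"""

# A user DN in the accounts tree: the uid RDN is what becomes memberUid.
USER_DN = re.compile(r"^uid=([^,]+),cn=users,cn=accounts,", re.IGNORECASE)


def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def compat_view(accounts_dn, attrs):
    """accounts-tree group -> compat-tree group (memberUid instead of member).

    Returns (compat_dn, attrs, skipped). Member DNs that are not user DNs
    (e.g. a nested group) are returned in `skipped` instead of being
    silently dropped, so a reader can see what a flat RDN rewrite misses.
    """
    compat_dn = accounts_dn.replace("cn=accounts,", "cn=compat,", 1)
    member_uids, skipped = [], []
    for member_dn in attrs.get("member", []):
        m = USER_DN.match(member_dn)
        if m:
            member_uids.append(m.group(1))
        else:
            skipped.append(member_dn)
    out = {
        "objectClass": ["posixGroup"],
        "cn": list(attrs.get("cn", [])),
        "gidNumber": list(attrs.get("gidNumber", [])),
        "memberUid": member_uids,
    }
    return compat_dn, out, skipped


def accounts_view(compat_dn, attrs,
                  users_container="cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca"):
    """Reverse direction: memberUid values -> member DNs (RFC2307 -> 2307bis).

    `users_container` is an assumed location of user entries; adjust to
    the real base DN when applying this to another directory.
    """
    accounts_dn = compat_dn.replace("cn=compat,", "cn=accounts,", 1)
    members = [f"uid={uid},{users_container}" for uid in attrs.get("memberUid", [])]
    out = {
        "objectClass": ["ipausergroup", "posixgroup"],
        "cn": list(attrs.get("cn", [])),
        "gidNumber": list(attrs.get("gidNumber", [])),
        "member": members,
    }
    return accounts_dn, out


def to_ldif(dn, attrs):
    """Serialise (dn, attrs) back to a minimal LDIF entry."""
    lines = ["dn: " + dn]
    for name, values in attrs.items():
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(ACCOUNTS_LDIF)
    cdn, cattrs, skipped = compat_view(dn, attrs)
    print(to_ldif(cdn, cattrs))
    for s in skipped:
        print("# not a user DN, no memberUid derived:", s)
    print(to_ldif(*accounts_view(cdn, cattrs)))
```

Running it prints the compat-style entry with `memberUid: qchang` and `memberUid: alice`, flags the nested-group DN that a flat rewrite cannot express as a memberUid, and then rebuilds the accounts-style entry with `member` DNs from those uids. That second direction is the conversion question 2 asks about; as Rob notes, the migration tool already does it when told the source uses RFC2307 via its --schema option, so this is only a way to see what that conversion produces.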