[Freeipa-users] Openldap to IPA migration confusion

Qing Chang qchang at sri.utoronto.ca
Mon Jul 23 18:35:02 UTC 2012



On 20/07/2012 5:14 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>> Greetings,
>>
>> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
>> and groups, compat and accounts. Using groups as an example:
>> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>
>> The IPA web GUI does not show the "memberUid" attribute, although it is
>> migrated correctly. Adding a user to the group in the web GUI reveals
>> that the member is added to both compat and accounts, but differently:
>> accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>> compat: memberUid: qchang
>>
>> It also reveals that the GUI does not display anything for the "compat"
>> tree, but I can use LDAP tools to show compat entries.
>> My questions:
>> 1. Why do we have two trees created? I vaguely remember it being
>>     mentioned that compat is for support of IPA as an NIS proxy?
>
> cn=compat is a view of the data in rfc2307-compatible format (so memberUid instead of member). It 
> isn't a separate copy.
>
> It is so clients that don't support 2307bis can still authenticate and identify users using nss_ldap.
>
>> 2. Can the migration script be modified to convert "memberUid" to
>>     "member" for the accounts tree? Or can I modify it manually and load
>>     the tree with ldapmod without breaking IPA?
>
> It already can, see the --schema option.
>
It says:
  --schema=['RFC2307bis', 'RFC2307']
                         The schema used on the LDAP server. Supported values
                         are RFC2307 and RFC2307bis. The default is RFC2307bis

I assume I am using the default. Does this mean that I should use RFC2307 instead?
It does not make much sense to me because my OpenLDAP server is using
RFC2307 if I understand your comments above right.

Thanks,
Qing
>> 3. What does Samba use, compat or accounts? I do have a Samba server set
>>     up as an IPA client and it works very well, but I don't seem to be
>>     able to find a place to specify either compat or accounts for user
>>     and group lookup; I assume the IPA client libraries take care of it.
>>     In fact there are no entries related to LDAP in my smb.conf, only a
>>     few lines related to IPA/Kerberos:
>> =====
>>          security = user
>>          passdb backend = smbpasswd
>>
>> # Kerberos options
>>          realm = SRI.UTORONTO.CA
>>          kerberos method = dedicated keytab
>>          dedicated keytab file = /etc/krb5.keytab
>> =====
>
> I'm not familiar with configuring Samba with an LDAP backend, maybe someone else will chime in.
>
> rob
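Editor's added example (my own code, not from the FreeIPA project and not posted by anyone in this thread). It shows the translation Rob describes between the two group forms: RFC2307 membership, "memberUid: qchang", which is what an RFC2307 OpenLDAP server stores and what cn=compat presents, and RFC2307bis membership, "member: uid=qchang,cn=users,cn=accounts,...", which is what cn=accounts stores. It assumes the base DN and DN layout visible in the thread (dc=sri,dc=utoronto,dc=ca, cn=users,cn=accounts); the source LDIF is constructed for the example. A real migration also has to deal with object classes and the other attributes of the entry, which this example leaves alone.

```python
"""Added example: RFC2307 <-> RFC2307bis group membership, as in the
cn=compat vs cn=accounts subtrees of the thread.  Not FreeIPA code."""
import re

# Constructed sample: a posixGroup as it might be exported from an RFC2307
# OpenLDAP server (the source side of a migration).  Not from the thread.
SRC_GROUP_LDIF = """\
dn: cn=acdp,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: acdp
gidNumber: 5001
memberUid: qchang
memberUid: alice
"""

IPA_BASE = "dc=sri,dc=utoronto,dc=ca"    # assumption: base DN seen in the thread
UID_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # conservative: no DN metacharacters


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}).
    Folds continuation lines (leading space) and skips comments/blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def get_attr(attrs, name):
    """Case-insensitive lookup, since LDAP attribute names are."""
    for k, v in attrs.items():
        if k.lower() == name.lower():
            return v
    return []


def user_dn(uid, base=IPA_BASE):
    """DN of a user in the IPA accounts tree, using the layout from the thread.
    Refuses uids that would need DN escaping rather than building a bad DN."""
    if not UID_RE.match(uid):
        raise ValueError("refusing to build a DN from uid %r" % uid)
    return "uid=%s,cn=users,cn=accounts,%s" % (uid, base)


def uid_from_user_dn(dn, base=IPA_BASE):
    """Inverse of user_dn; None for DNs that are not user entries under base."""
    pattern = r"^uid=([^,]+),cn=users,cn=accounts,%s$" % re.escape(base)
    m = re.match(pattern, dn, re.IGNORECASE)
    if m and UID_RE.match(m.group(1)):
        return m.group(1)
    return None


def to_rfc2307bis(attrs, base=IPA_BASE):
    """RFC2307 -> RFC2307bis: memberUid names become member DNs.  This is the
    group translation a migration from an RFC2307 server has to perform."""
    out = {k: list(v) for k, v in attrs.items() if k.lower() != "memberuid"}
    members = [user_dn(uid, base) for uid in get_attr(attrs, "memberUid")]
    if members:
        out["member"] = members
    return out


def to_rfc2307_view(attrs, base=IPA_BASE):
    """RFC2307bis -> RFC2307, the shape cn=compat presents for an accounts-tree
    group.  Returns (attrs, skipped): member DNs that are not user entries
    (for example another group) have no memberUid equivalent and are reported
    instead of silently dropped."""
    out = {k: list(v) for k, v in attrs.items() if k.lower() != "member"}
    uids, skipped = [], []
    for dn in get_attr(attrs, "member"):
        uid = uid_from_user_dn(dn, base)
        (uids if uid else skipped).append(uid or dn)
    if uids:
        out["memberUid"] = uids
    return out, skipped


def format_ldif(dn, attrs):
    lines = ["dn: " + dn]
    for name, values in attrs.items():
        lines.extend("%s: %s" % (name, v) for v in values)
    return "\n".join(lines) + "\n"


def migrate_group(ldif_text, base=IPA_BASE):
    """Source RFC2307 group -> (dn, attrs) for the cn=accounts tree."""
    _, attrs = parse_ldif_entry(ldif_text)
    cn = get_attr(attrs, "cn")[0]
    return "cn=%s,cn=groups,cn=accounts,%s" % (cn, base), to_rfc2307bis(attrs, base)


if __name__ == "__main__":
    dn, attrs = migrate_group(SRC_GROUP_LDIF)
    print(format_ldif(dn, attrs))
    compat, skipped = to_rfc2307_view(attrs)
    print(format_ldif(dn.replace("cn=accounts,", "cn=compat,"), compat))
```

Since cn=compat is a view of cn=accounts rather than a separate copy, any manual fix-up of membership with ldapmodify belongs in the accounts tree's member attribute; the compat tree follows from it. The skipped list in to_rfc2307_view is the practical caveat: a member DN that is not a user entry has no memberUid equivalent, so a plain RFC2307 client will not see it through that attribute.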



