[Freeipa-users] Openldap to IPA migration confusion

Rob Crittenden rcritten at redhat.com
Mon Jul 23 19:33:47 UTC 2012


Qing Chang wrote:
>
>
> On 20/07/2012 5:14 PM, Rob Crittenden wrote:
>> Qing Chang wrote:
>>> Greetings,
>>>
>>> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
>>> and groups:
>>> compat and accounts, use groups as an example:
>>> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>>> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>>
>>> IPA web GUI does not show "memberUid" attribute, although it is
>>> migrated correctly,
>>> by adding a user to the group in the web GUI, it reveals that member is
>>> added to both
>>> compat and accounts, but differently:
>>> accounts: member:
>>> uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>> compat: memberUid: qchang
>>>
>>> It also reveals that GUI does not display anything for "compat" tree,
>>> but I can use
>>> ldap tools to show compat entries.
>>> My questions:
>>> 1, why do we have two trees created? I vaguely remember that it is
>>> mentioned that
>>>      compat is for support of IPA as an NIS proxy?
>>
>> cn=compat is a view of the data in rfc2307-compatible format (so
>> memberUid instead of member). It isn't a separate copy.
>>
>> It is so clients that don't support 2307bis can still authenticate and
>> identify users using nss_ldap.
>>
>>> 2, Can the migration script be modified to convert "memberUid" to
>>> "member" for
>>>      accounts tree? Or can I modify it manually and load the tree with
>>> ldapmod without
>>>      breaking IPA?
>>
>> It already can, see the --schema option.
>>
> it says:
>   --schema=['RFC2307bis', 'RFC2307']
>                          The schema used on the LDAP server. Supported
> values
>                          are RFC2307 and RFC2307bis. The default is
> RFC2307bis
>
> I assume I am using the default. Does this mean that I should use
> RFC2307 instead?
> It does not make much sense to me because my OpenLDAP server is using
> RFC2307 if I understand your comments above right.

If the LDAP server you are migrating from is using RFC2307 (e.g. 
memberUid in the groups to specify membership) then use --schema=RFC2307.

You are specifying the remote schema, not the local schema.

rob
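To make the two representations Rob contrasts concrete, here is an added example (not part of the thread or of FreeIPA's migrate-ds code) that takes an RFC2307 group entry such as the one being migrated, rewrites its memberUid values into the member DNs IPA keeps under cn=accounts, and then projects that entry back into the memberUid form the cn=compat view exposes. The base DN and the group/user names are taken from the thread; the sample LDIF and the simplified objectClass lists are constructed.

```python
# Added example: RFC2307 (memberUid) vs RFC2307bis (member DN) group entries,
# and the cn=compat projection of the latter. Not FreeIPA's own code.
BASE_DN = "dc=sri,dc=utoronto,dc=ca"  # base DN from the thread

# Constructed sample of a group as it might sit on the source OpenLDAP server
# (RFC2307: membership expressed as memberUid, so use --schema=RFC2307).
SAMPLE_RFC2307_LDIF = """\
dn: cn=acdp,ou=groups,dc=sri,dc=utoronto,dc=ca
objectClass: posixGroup
cn: acdp
gidNumber: 5001
memberUid: qchang
memberUid: alice
"""

def parse_ldif_entry(text):
    """Parse one plain LDIF entry into {attr: [values]} (no base64 or folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def to_rfc2307bis(entry, base_dn=BASE_DN):
    """Rewrite an RFC2307 posixGroup into the RFC2307bis form stored under
    cn=accounts: each memberUid becomes a member DN in cn=users,cn=accounts."""
    cn = entry["cn"][0]
    return {
        "dn": [f"cn={cn},cn=groups,cn=accounts,{base_dn}"],
        "objectClass": ["posixGroup", "groupOfNames"],  # simplified list
        "cn": [cn],
        "gidNumber": entry["gidNumber"],
        "member": [f"uid={uid},cn=users,cn=accounts,{base_dn}"
                   for uid in entry.get("memberUid", [])],
    }

def compat_view(entry_bis, base_dn=BASE_DN):
    """Project the cn=accounts entry to what cn=compat shows: the same group,
    memberUid derived from the member DNs. A view, not a second copy."""
    cn = entry_bis["cn"][0]
    uids = [dn.split(",", 1)[0][4:] for dn in entry_bis.get("member", [])
            if dn.startswith("uid=")]
    return {
        "dn": [f"cn={cn},cn=groups,cn=compat,{base_dn}"],
        "objectClass": ["posixGroup"],
        "cn": [cn],
        "gidNumber": entry_bis["gidNumber"],
        "memberUid": uids,
    }
```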