[Freeipa-users] one step away from having freeipa work with vsphere ldap

[Gianluca Cecchi]

Hello,
I'm quite near to have users and groups working using ipa 3.3 as in CentOS
7 as this gives ability to do binds against compat tree.
This is with the use of schema compatibility

The last step I need is getting components of groups so that vSphere con
enforce group membership permission over user set.

The query from vsphere after my modifications when it searches for users
belonging to groups is sort of

ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local"
"(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local))"

so I provided ldif modification for cn=groups, cn=compat this way

schema-compat-entry-attribute: uniqueMember=%{member}

but this produces somthing like this when I query for example a created
group named esxpower to be used for power users

# esxpower, groups, compat, localdomain.local
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600006
memberUid: gcecchi
memberUid: vadmin
uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
uniqueMember: uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
cn: esxpower

so the problem is I have to change the entry
schema-compat-entry-attribute: uniqueMember=%{member}

with a sort of function that gives cn=compat instead of cn=accounts in the
line
uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local

I read also /usr/share/doc/slapi-nis-0.52/format-specifiers.txt
but I didn't come to a sort of "substitute" function so that I can change
%{member} with the same but with "compat" word instead of "accounts"

I plan to detail all my steps once I can accomplish this.

Thanks in advance,

Gianluca
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141207/7be14fb4/attachment.htm>