[Freeipa-users] one step away from having freeipa work with vsphere ldap

Gianluca Cecchi gianluca.cecchi at gmail.com
Sun Dec 7 18:29:27 UTC 2014


On Sun, Dec 7, 2014 at 3:44 PM, Gianluca Cecchi <gianluca.cecchi at gmail.com>
wrote:

> Hello,
> I'm quite near to having users and groups working using ipa 3.3 as in CentOS
> 7 as this gives the ability to do binds against the compat tree.
> This is with the use of schema compatibility
>
> The last step I need is getting components of groups so that vSphere can
> enforce group membership permission over user set.
>
> The query from vsphere after my modifications when it searches for users
> belonging to groups is sort of
>
> ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local"
> "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=gcecchi,cn=users,cn=compat,dc=localdomain,dc=local))"
>
> so I provided ldif modification for cn=groups, cn=compat this way
>
> schema-compat-entry-attribute: uniqueMember=%{member}
>
> but this produces something like this when I query for example a created
> group named esxpower to be used for power users
>
> # esxpower, groups, compat, localdomain.local
> dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> gidNumber: 1639600006
> memberUid: gcecchi
> memberUid: vadmin
> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
> uniqueMember: uid=vadmin,cn=users,cn=accounts,dc=localdomain,dc=local
> cn: esxpower
>
> so the problem is I have to change the entry
> schema-compat-entry-attribute: uniqueMember=%{member}
>
> with a sort of function that gives cn=compat instead of cn=accounts in the
> line
> uniqueMember: uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local
>
> I read also /usr/share/doc/slapi-nis-0.52/format-specifiers.txt
> but I didn't come to a sort of "substitute" function so that I can change
> %{member} with the same but with "compat" word instead of "accounts"
>
> I plan to detail all my steps once I can accomplish this.
>
> Thanks in advance,
>
> Gianluca
>
>

Tried with
schema-compat-entry-attribute:
uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")

but it seems it works with some groups (the system groups) but not with the
other ones I have created...

ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local"

gives

# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600000
memberUid: admin
uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
cn: admins


but in esxpower group I see only the memberUid entry and not the
uniqueMember entry

# esxpower, groups, compat, localdomain.local
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600006
memberUid: gcecchi
memberUid: vadmin
cn: esxpower

Gianluca
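A small audit script to reproduce the check being done by hand above, added here as an illustration and not part of the thread or of slapi-nis. It parses the plain LDIF that ldapsearch prints for the compat groups tree, applies the same cn=accounts to cn=compat rewrite that the regsub format specifier is meant to perform (anchored on "cn=accounts" rather than the bare word "accounts", so a uid containing that word is not touched), and for every groupOfUniqueNames entry reports memberUid values that have no matching uniqueMember, uniqueMember DNs without a memberUid, and any uniqueMember still pointing into cn=accounts. The LDIF below is a constructed sample modelled on the output in the message; the function and attribute names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: abbreviated ldapsearch output for the compat groups
# tree, modelled on the two entries shown in the message.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600000
memberUid: admin
uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
cn: admins

# esxpower, groups, compat, localdomain.local
dn: cn=esxpower,cn=groups,cn=compat,dc=localdomain,dc=local
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
gidNumber: 1639600006
memberUid: gcecchi
memberUid: vadmin
cn: esxpower
"""

# Same intent as the regsub in the message, but anchored on the RDN so only
# the cn=accounts container is rewritten, never a uid that contains "accounts".
ACCOUNTS_TO_COMPAT = re.compile(r"^(.*)cn=accounts(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse simple LDIF (no base64 values, no line folding) into a list of
    attribute -> values dictionaries. Comment lines are skipped and a blank
    line ends an entry, which is how ldapsearch prints its results."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rewrite_member_dn(dn: str) -> str:
    """Turn a member DN from the accounts tree into its compat-tree form."""
    return ACCOUNTS_TO_COMPAT.sub(r"\1cn=compat\2", dn)


def uid_from_dn(dn: str) -> str:
    """Extract the uid RDN value from a user DN, or '' if there is none."""
    m = re.match(r"uid=([^,]+),", dn)
    return m.group(1) if m else ""


def check_group(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Compare memberUid against uniqueMember for one compat group entry."""
    member_uids = set(entry.get("memberUid", []))
    unique_dns = entry.get("uniqueMember", [])
    unique_uids = {uid_from_dn(d) for d in unique_dns}
    return {
        # posix members with no uniqueMember DN: the esxpower symptom
        "missing": sorted(member_uids - unique_uids),
        # uniqueMember DNs that have no posix counterpart
        "extra": sorted(unique_uids - member_uids),
        # DNs the rewrite did not reach (still in cn=accounts)
        "wrong_tree": [d for d in unique_dns if "cn=accounts" in d],
    }


def audit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Run check_group over every groupOfUniqueNames entry, keyed by cn."""
    return {
        e["cn"][0]: check_group(e)
        for e in parse_ldif(text)
        if "groupOfUniqueNames" in e.get("objectClass", [])
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_LDIF).items():
        status = "ok" if not any(result.values()) else "PROBLEM"
        print(f"{name}: {status} {result}")
```

Run it against real output with `ldapsearch -x -b "cn=groups,cn=compat,dc=localdomain,dc=local" > groups.ldif` and feed the file's contents to `audit()`; a group that shows up with a non-empty `missing` list is exactly the case of esxpower above, where memberUid is populated but the uniqueMember attribute is absent.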