[Freeipa-users] vSphere and freeIPA
Alexander Bokovoy
abokovoy at redhat.com
Tue Jun 2 07:55:05 UTC 2015
On Tue, 02 Jun 2015, Martin Kosek wrote:
> CCing Nalin and Alexander. This sounds like the slapi-nis
> configuration for generating uniqueMember attribute does not work with
> multi-valued "member" attribute:
>
> schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
No, this should work just fine. The original wiki page had just
%regsub() which is indeed a single element replacement. %mregsub()
processes multiple possible expression matching.
I just tried myself:
# ldapmodify -x -D "cn=Directory Manager" -f vsphere.ldif -W
Enter LDAP Password:
modifying entry "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
modifying entry "cn=users,cn=Schema Compatibility,cn=plugins,cn=config"
# ipa permission-mod "System: Read User Compat Tree" --includedattrs sn
---------------------------------------------------
Modified permission "System: Read User Compat Tree"
---------------------------------------------------
Permission name: System: Read User Compat Tree
Granted rights: read, compare, search
Effective attributes: cn, createtimestamp, entryusn, gecos, gidnumber,
homedirectory, loginshell, modifytimestamp, objectclass, sn, uid,
uidnumber
Included attributes: sn
Default attributes: cn, objectclass, loginshell, uidnumber, gidnumber,
gecos, homedirectory, uid
Bind rule type: anonymous
Subtree: dc=t,dc=vda,dc=li
Target DN: cn=users,cn=compat,dc=t,dc=vda,dc=li
# ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember
----------------------------------------------------
Modified permission "System: Read Group Compat Tree"
----------------------------------------------------
Permission name: System: Read Group Compat Tree
Granted rights: read, compare, search
Effective attributes: cn, createtimestamp, entryusn, gidnumber,
memberuid, modifytimestamp, objectclass, uniquemember
Included attributes: uniquemember
Default attributes: objectclass, memberuid, gidnumber, cn
Bind rule type: anonymous
Subtree: dc=t,dc=vda,dc=li
Target DN: cn=groups,cn=compat,dc=t,dc=vda,dc=li
# ipa group-add foo-bar-zed
-------------------------
Added group "foo-bar-zed"
-------------------------
Group name: foo-bar-zed
GID: 895600028
# ipa user-add bar
First name: bar
Last name: bar
----------------
Added user "bar"
----------------
User login: bar
First name: bar
Last name: bar
Full name: bar bar
Display name: bar bar
Initials: bb
Home directory: /home/bar
GECOS: bar bar
Login shell: /bin/sh
Kerberos principal: bar at T.VDA.LI
Email address: bar at t.vda.li
UID: 895600029
GID: 895600029
Password: False
Member of groups: ipausers
Kerberos keys available: False
# ipa user-add foo
First name: foo
Last name: foo
----------------
Added user "foo"
----------------
User login: foo
First name: foo
Last name: foo
Full name: foo foo
Display name: foo foo
Initials: ff
Home directory: /home/foo
GECOS: foo foo
Login shell: /bin/sh
Kerberos principal: foo at T.VDA.LI
Email address: foo at t.vda.li
UID: 895600030
GID: 895600030
Password: False
Member of groups: ipausers
Kerberos keys available: False
# ipa user-add zed
First name: zed
Last name: zed
----------------
Added user "zed"
----------------
User login: zed
First name: zed
Last name: zed
Full name: zed zed
Display name: zed zed
Initials: zz
Home directory: /home/zed
GECOS: zed zed
Login shell: /bin/sh
Kerberos principal: zed at T.VDA.LI
Email address: zed at t.vda.li
UID: 895600031
GID: 895600031
Password: False
Member of groups: ipausers
Kerberos keys available: False
# ipa group-add-member foo-bar-zed --users={foo,bar,zed}
Group name: foo-bar-zed
GID: 895600028
Member users: foo, bar, zed
-------------------------
Number of members added 3
-------------------------
# ldapsearch -x -b cn=groups,cn=compat,dc=t,dc=vda,dc=li '(cn=foo-bar-zed)'
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=compat,dc=t,dc=vda,dc=li> with scope subtree
# filter: (cn=foo-bar-zed)
# requesting: ALL
#
# foo-bar-zed, groups, compat, t.vda.li
dn: cn=foo-bar-zed,cn=groups,cn=compat,dc=t,dc=vda,dc=li
memberUid: foo
memberUid: bar
memberUid: zed
gidNumber: 895600028
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=foo,cn=users,cn=compat,dc=t,dc=vda,dc=li
uniqueMember: uid=bar,cn=users,cn=compat,dc=t,dc=vda,dc=li
uniqueMember: uid=zed,cn=users,cn=compat,dc=t,dc=vda,dc=li
cn: foo-bar-zed
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
--
/ Alexander Bokovoy
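The distinction between a single-value %regsub() and a per-value %mregsub() rewrite, as an added example that is not part of the thread or of slapi-nis itself. The IPA-side group entry under cn=accounts is constructed here (the thread only shows the resulting cn=compat entry), and regsub()/mregsub() are small Python models of the behaviour the reply describes, not the plugin's code. The missing_members() check is the programmatic counterpart of the ldapsearch at the end of the reply: it confirms every member DN was carried over into uniqueMember.

```python
import re

# Constructed sample input (not from the thread): the IPA-side group entry as
# stored under cn=accounts. The compat-tree entry in the ldapsearch output is
# derived from an entry like this one.
IPA_GROUP = {
    "dn": "cn=foo-bar-zed,cn=groups,cn=accounts,dc=t,dc=vda,dc=li",
    "cn": ["foo-bar-zed"],
    "gidNumber": ["895600028"],
    "member": [
        "uid=foo,cn=users,cn=accounts,dc=t,dc=vda,dc=li",
        "uid=bar,cn=users,cn=accounts,dc=t,dc=vda,dc=li",
        "uid=zed,cn=users,cn=accounts,dc=t,dc=vda,dc=li",
    ],
}

# The expression and template from the schema-compat configuration quoted above.
PATTERN = r"^(.*)accounts(.*)"
TEMPLATE = "%1compat%2"


def _expand(template, match):
    """Replace %1, %2, ... in the template with the corresponding regex groups."""
    return re.sub(r"%(\d+)", lambda m: match.group(int(m.group(1))), template)


def regsub(values, pattern, template):
    """Single-value rewrite (models %regsub()): only the first value is used,
    so a multi-valued member attribute yields at most one uniqueMember."""
    if not values:
        return []
    match = re.match(pattern, values[0])
    return [_expand(template, match)] if match else []


def mregsub(values, pattern, template):
    """Per-value rewrite (models %mregsub()): every matching value is rewritten."""
    out = []
    for value in values:
        match = re.match(pattern, value)
        if match:
            out.append(_expand(template, match))
    return out


def memberuid_from_dn(dn):
    """Extract the uid RDN value, e.g. 'foo' from 'uid=foo,cn=users,...'."""
    rdn = dn.split(",", 1)[0]
    attr, _, value = rdn.partition("=")
    return value if attr.strip().lower() == "uid" else None


def build_compat_group(ipa_group, substitute=mregsub):
    """Derive the cn=compat group entry (posixGroup + groupOfUniqueNames)
    from the IPA group entry using the given substitution function."""
    members = ipa_group.get("member", [])
    return {
        "dn": substitute([ipa_group["dn"]], PATTERN, TEMPLATE)[0],
        "cn": list(ipa_group["cn"]),
        "gidNumber": list(ipa_group["gidNumber"]),
        "objectClass": ["posixGroup", "groupOfUniqueNames", "top"],
        "memberUid": [u for u in (memberuid_from_dn(m) for m in members) if u],
        "uniqueMember": substitute(members, PATTERN, TEMPLATE),
    }


def missing_members(ipa_group, compat_group):
    """Member DNs (rewritten into the compat tree) that are absent from the
    compat entry's uniqueMember. An empty set is what the ldapsearch confirms."""
    expected = set(mregsub(ipa_group.get("member", []), PATTERN, TEMPLATE))
    return expected - set(compat_group.get("uniqueMember", []))


if __name__ == "__main__":
    compat = build_compat_group(IPA_GROUP)
    for dn in compat["uniqueMember"]:
        print("uniqueMember:", dn)
    print("missing with %mregsub():", missing_members(IPA_GROUP, compat))
    partial = build_compat_group(IPA_GROUP, substitute=regsub)
    print("missing with %regsub():", missing_members(IPA_GROUP, partial))
```

Running the block with the constructed three-member group shows all three compat DNs under the per-value rewrite and two missing members under the single-value one, which is the symptom a consumer such as vSphere would see if the configuration still used %regsub().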