[Freeipa-users] vSphere and freeIPA

Sam sam at zy.io
Tue Jun 2 11:37:58 UTC 2015


2 June 2015 08:55, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
> On Tue, 02 Jun 2015, Martin Kosek wrote:
> 
>> CCing Nalin and Alexander. This sounds like the slapi-nis configuration for generating
>> uniqueMember attribute does not work with multi-valued "member" attribute:
>> 
>> schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
> 
> No, this should work just fine. The original wiki page had just
> %regsub() which is indeed a single element replacement. %mregsub()
> processes multiple possible expression matching.
> 
> I just tried myself:
> # ldapmodify -x -D "cn=Directory Manager" -f vsphere.ldif -W
> Enter LDAP Password:
> modifying entry "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"
> 
> modifying entry "cn=users,cn=Schema Compatibility,cn=plugins,cn=config"
> 
> # ipa permission-mod "System: Read User Compat Tree" --includedattrs sn
> ---------------------------------------------------
> Modified permission "System: Read User Compat Tree"
> ---------------------------------------------------
> Permission name: System: Read User Compat Tree
> Granted rights: read, compare, search
> Effective attributes: cn, createtimestamp, entryusn, gecos, gidnumber,
> homedirectory, loginshell, modifytimestamp, objectclass, sn, uid,
> uidnumber
> Included attributes: sn
> Default attributes: cn, objectclass, loginshell, uidnumber, gidnumber,
> gecos, homedirectory, uid
> Bind rule type: anonymous
> Subtree: dc=t,dc=vda,dc=li
> Target DN: cn=users,cn=compat,dc=t,dc=vda,dc=li
> # ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember
> ----------------------------------------------------
> Modified permission "System: Read Group Compat Tree"
> ----------------------------------------------------
> Permission name: System: Read Group Compat Tree
> Granted rights: read, compare, search
> Effective attributes: cn, createtimestamp, entryusn, gidnumber,
> memberuid, modifytimestamp, objectclass, uniquemember
> Included attributes: uniquemember
> Default attributes: objectclass, memberuid, gidnumber, cn
> Bind rule type: anonymous
> Subtree: dc=t,dc=vda,dc=li
> Target DN: cn=groups,cn=compat,dc=t,dc=vda,dc=li
> # ipa group-add foo-bar-zed
> -------------------------
> Added group "foo-bar-zed"
> -------------------------
> Group name: foo-bar-zed
> GID: 895600028
> # ipa user-add bar
> First name: bar
> Last name: bar
> ----------------
> Added user "bar"
> ----------------
> User login: bar
> First name: bar
> Last name: bar
> Full name: bar bar
> Display name: bar bar
> Initials: bb
> Home directory: /home/bar
> GECOS: bar bar
> Login shell: /bin/sh
> Kerberos principal: bar at T.VDA.LI
> Email address: bar at t.vda.li
> UID: 895600029
> GID: 895600029
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa user-add foo
> First name: foo
> Last name: foo
> ----------------
> Added user "foo"
> ----------------
> User login: foo
> First name: foo
> Last name: foo
> Full name: foo foo
> Display name: foo foo
> Initials: ff
> Home directory: /home/foo
> GECOS: foo foo
> Login shell: /bin/sh
> Kerberos principal: foo at T.VDA.LI
> Email address: foo at t.vda.li
> UID: 895600030
> GID: 895600030
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa user-add zed
> First name: zed
> Last name: zed
> ----------------
> Added user "zed"
> ----------------
> User login: zed
> First name: zed
> Last name: zed
> Full name: zed zed
> Display name: zed zed
> Initials: zz
> Home directory: /home/zed
> GECOS: zed zed
> Login shell: /bin/sh
> Kerberos principal: zed at T.VDA.LI
> Email address: zed at t.vda.li
> UID: 895600031
> GID: 895600031
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> # ipa group-add-member foo-bar-zed --users={foo,bar,zed}
> Group name: foo-bar-zed
> GID: 895600028
> Member users: foo, bar, zed
> -------------------------
> Number of members added 3
> -------------------------
> # ldapsearch -x -b cn=groups,cn=compat,dc=t,dc=vda,dc=li '(cn=foo-bar-zed)'
> # extended LDIF
> #
> # LDAPv3
> # base <cn=groups,cn=compat,dc=t,dc=vda,dc=li> with scope subtree
> # filter: (cn=foo-bar-zed)
> # requesting: ALL
> #
> 
> # foo-bar-zed, groups, compat, t.vda.li
> dn: cn=foo-bar-zed,cn=groups,cn=compat,dc=t,dc=vda,dc=li
> memberUid: foo
> memberUid: bar
> memberUid: zed
> gidNumber: 895600028
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: uid=foo,cn=users,cn=compat,dc=t,dc=vda,dc=li
> uniqueMember: uid=bar,cn=users,cn=compat,dc=t,dc=vda,dc=li
> uniqueMember: uid=zed,cn=users,cn=compat,dc=t,dc=vda,dc=li
> cn: foo-bar-zed
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> -- / Alexander Bokovoy

Thanks Alexander, that looks really promising. It also explains some of the strange behavior seen previously when I was testing the regsub element of the LDIF.

I'll get back to testing with vSphere now, but I imagine it'll now work fine.

Thanks again,

Sam
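As an added example (not code from this thread or from slapi-nis itself), the Python below models the difference Alexander describes between a single-element %regsub() and a multi-value %mregsub() applied to the "member" attribute, using the exact pattern and template from the schema-compat line, and adds a sanity check a practitioner can run over a compat group entry as returned by ldapsearch. The member DNs under cn=accounts are constructed from the t.vda.li domain in the quoted output; the model's handling of non-matching values is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the group as stored under cn=accounts, with the
# multi-valued "member" attribute that slapi-nis reads (values assumed).
ACCOUNTS_GROUP: Dict[str, List[str]] = {
    "cn": ["foo-bar-zed"],
    "member": [
        "uid=foo,cn=users,cn=accounts,dc=t,dc=vda,dc=li",
        "uid=bar,cn=users,cn=accounts,dc=t,dc=vda,dc=li",
        "uid=zed,cn=users,cn=accounts,dc=t,dc=vda,dc=li",
    ],
}

# Pattern and template from the thread's schema-compat-entry-attribute:
#   uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
PATTERN = r"^(.*)accounts(.*)"
TEMPLATE = "%1compat%2"


def expand(template: str, match: "re.Match[str]") -> str:
    """Expand slapi-nis style %1, %2 ... group references in a template."""
    return re.sub(r"%(\d)", lambda m: match.group(int(m.group(1))), template)


def regsub(value: str, pattern: str = PATTERN, template: str = TEMPLATE) -> str:
    """Model of %regsub(): a single-element replacement on ONE value.
    A non-matching value is returned unchanged (assumption of this model)."""
    match = re.match(pattern, value)
    return expand(template, match) if match else value


def mregsub(values: List[str], pattern: str = PATTERN, template: str = TEMPLATE) -> List[str]:
    """Model of %mregsub(): applies the replacement to EVERY value."""
    return [regsub(v, pattern, template) for v in values]


def compat_unique_members(entry: Dict[str, List[str]]) -> List[str]:
    """uniqueMember values the compat tree would expose for an accounts group."""
    return mregsub(entry.get("member", []))


def check_compat_group(compat_entry: Dict[str, List[str]]) -> Set[str]:
    """Sanity check on a compat group entry (shape of the ldapsearch output):
    every memberUid should have a uniqueMember DN and vice versa.
    Returns the uids that are out of sync; an empty set means consistent."""
    uids = set(compat_entry.get("memberUid", []))
    dn_uids: Set[str] = set()
    for dn in compat_entry.get("uniqueMember", []):
        m = re.match(r"uid=([^,]+),", dn)
        if m:
            dn_uids.add(m.group(1))
    return uids ^ dn_uids
```

Feed check_compat_group the memberUid and uniqueMember lists from an actual ldapsearch of cn=groups,cn=compat to confirm the multi-valued rewrite took effect for every member.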
