[Freeipa-users] compat settings

Alexander Bokovoy abokovoy at redhat.com
Thu May 21 07:43:53 UTC 2015


On Thu, 21 May 2015, Rudolf Gabler wrote:
>Hi to whom it may concern,
>
>
>We have used for many years a 2-location policy to separate email users
>from unix users in order not to use the same passwords. So we had 2 trees
>in our LDAP with the same user but different passwords.
>
>In freeipa (where we want to migrate now) I can use the accounts and
>compat (for email) trees for this purpose and so I added a
>
>dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>changetype: modify
>add: schema-compat-entry-attribute
>schema-compat-entry-attribute: userPassword=*
>
>to the compat settings to have a separate place for the password (!not
>userPassword=%{userPassword}, because then the accounts' passwords are
>mirrored). This works, but I'm not allowed to change the password, i.e.
>with:
>
>ldappasswd -x -D "cn=Directory Manager" -W -S uid=myuser,cn=users,cn=compat,dc=example,dc=com
>
>I get a result of:
>
>No such object (32)
>Additional info: Failed to update password
>
>whereas for the accounts tree the ldappasswd is working fine.
>What additional setting may be required?

slapi-nis does not support modifying entries in the compat tree. The
tree is virtual, it is re-populated from the original data every time
the 389-ds server is restarted.
-- 
/ Alexander Bokovoy
