[Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication

Bob Hinton bob at jackland.demon.co.uk
Wed May 25 19:51:35 UTC 2016


Hello,

We are trying to get Zenoss login authentication to use freeipa over
LDAP. Group mappings don't currently work and we think this is because
Zenoss requires the groupOfUniqueNames object class.

I managed to add the object class to a test VM using
vsphere_groupmod.ldif taken from
http://www.freeipa.org/page/HowTo/vsphere5_integration -

content of vsphere_groupmod.ldif -

# Tell the schema compatibility plugin to expose cn=groups,cn=compat entries
# with the groupOfUniqueNames object class and a uniqueMember attribute
# rewritten from the original member DNs (cn=accounts -> cn=compat).
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
-

apply with -

ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W

However, the following command seemed to freeze -

ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember

and I had to kill it then subsequent ldapsearch commands froze.

Rebooting the VM seemed to fix things and the groupOfUniqueNames object
class appeared in the schema.

I'd like to apply this to our live system which uses a master and two
replicas running IPA v4.2.0 on RHEL 7.2.

Do I need to make the same change to all three servers? Can I leave the
replicas connected or do I need to break the replication and
re-establish it? Do I need the "ipa permission-mod"? If so, how do I
avoid it freezing?

Many thanks

Bob Hinton
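An added example, not part of the post above or of FreeIPA's own code: it emulates what the two schema-compat-entry-attribute values from the LDIF do to a group entry, so the expected cn=compat attributes can be worked out offline and compared with an ldapsearch of the live replicas before the change is applied there. The %mregsub handling is a simplified approximation of the slapi-nis plugin's expansion, and the group entry and suffix (dc=example,dc=com) are constructed sample data.

```python
import re

# The two attribute specifications from vsphere_groupmod.ldif, as the
# compat plugin sees them after the LDIF has been unfolded.
SCHEMA_COMPAT_ATTRS = [
    'objectclass=groupOfUniqueNames',
    'uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")',
]

# Matches %mregsub("%{attr}","regex","template") (simplified approximation).
MREGSUB = re.compile(r'^%mregsub\("%\{(\w+)\}","([^"]*)","([^"]*)"\)$')


def mregsub(value, pattern, template):
    """Apply the regex to one value and expand %1, %2, ... in the template
    from the capture groups. Returns None when the pattern does not match,
    in which case the plugin emits no value for that member."""
    m = re.match(pattern, value)
    if not m:
        return None
    return re.sub(r'%(\d)', lambda g: m.group(int(g.group(1))), template)


def compat_entry(original_entry, attr_specs):
    """Derive the attributes the compat plugin adds to the cn=compat copy of
    a group, given the original entry (attribute -> list of values) and the
    schema-compat-entry-attribute specifications."""
    out = {}
    for spec in attr_specs:
        attr, _, expr = spec.partition('=')
        m = MREGSUB.match(expr)
        if not m:
            # Literal value, e.g. objectclass=groupOfUniqueNames.
            out.setdefault(attr, []).append(expr)
            continue
        src_attr, pattern, template = m.groups()
        for value in original_entry.get(src_attr, []):
            rewritten = mregsub(value, pattern, template)
            if rewritten is not None:
                out.setdefault(attr, []).append(rewritten)
    return out


# Constructed sample group as it exists under cn=accounts.
GROUP = {
    'cn': ['zenoss-admins'],
    'member': ['uid=bob,cn=users,cn=accounts,dc=example,dc=com',
               'cn=ops,cn=groups,cn=accounts,dc=example,dc=com'],
}
```

Comparing compat_entry(GROUP, SCHEMA_COMPAT_ATTRS) with the uniqueMember values a replica actually returns for cn=zenoss-admins,cn=groups,cn=compat shows whether the plugin configuration has replicated and taken effect on that server.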
