[Freeipa-users] compat and nested groups for Unix system

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 20 15:00:28 UTC 2017


On Mon, 20 Mar 2017, Iulian Roman wrote:
>Hello,
>
>I noticed that the nested group feature does not work with the unix ldap clients
>(AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used. If
>I use the cn=compat and change the mapping the nested groups are listed
>properly.
Compat tree implements RFC2307 schema which doesn't have nested groups.

Main tree in FreeIPA uses RFC2307bis schema which supports nested
groups.

On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
schemas. AIX's automounter does support RFC2307bis automount maps but
the rest of the system does not support RFC2307bis. In particular, AIX
does not understand member attribute dereference.


>My question is if it is allowed to mix the compat and accounts cn for the
>userbasedn and groupbasedn on the same unix ldap client ?
No, not really. You are messing up something that your client
does not understand.


-- 
/ Alexander Bokovoy
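The difference Alexander describes can be seen in a few lines of code. The following is an added example, not code from the thread or from FreeIPA itself: it builds constructed RFC2307bis group entries (the `member` attribute holding user and group DNs, as in the main `cn=accounts` tree), shows what a client that never dereferences `member` ends up with, resolves the nesting the way an RFC2307bis-aware client would (with a visited set so a group cycle terminates), and then flattens the result into a `memberUid`-based posixGroup entry of the kind the compat tree presents. The suffix `dc=example,dc=test` and all entries are assumptions; the flattening only models what the compat tree exposes and is not the compat plugin's implementation.

```python
# Added example (not from the original thread or FreeIPA): why an
# RFC2307-only client misses nested members on the main tree, and what a
# flattened compat-style entry gives it instead. All entries are constructed.

BASE = "dc=example,dc=test"  # assumed directory suffix


def _is_user(dn):
    """Constructed convention: user entries start with 'uid='."""
    return dn.startswith("uid=")


def _rdn_value(dn):
    """Return the value of the first RDN, e.g. 'alice' from 'uid=alice,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


# Constructed RFC2307bis group entries (main tree, cn=groups,cn=accounts).
# 'member' holds DNs of users *or other groups*; that is what allows nesting.
MAIN_TREE = {
    f"cn=admins,cn=groups,cn=accounts,{BASE}": {
        "member": [
            f"uid=alice,cn=users,cn=accounts,{BASE}",
            f"cn=ops,cn=groups,cn=accounts,{BASE}",  # nested group
        ],
    },
    f"cn=ops,cn=groups,cn=accounts,{BASE}": {
        "member": [
            f"uid=bob,cn=users,cn=accounts,{BASE}",
            f"cn=admins,cn=groups,cn=accounts,{BASE}",  # deliberate cycle
        ],
    },
}


def rfc2307_view(group_dn):
    """Members as seen by a client that does not dereference 'member':
    only direct user DNs count; nested group DNs are silently ignored."""
    return sorted(
        _rdn_value(dn) for dn in MAIN_TREE[group_dn]["member"] if _is_user(dn)
    )


def resolve_nested(group_dn, seen=None):
    """RFC2307bis-style resolution: follow 'member' DNs into nested groups.
    The visited set guarantees termination when groups reference each other."""
    seen = seen if seen is not None else set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    uids = set()
    for dn in MAIN_TREE[group_dn]["member"]:
        if _is_user(dn):
            uids.add(_rdn_value(dn))
        elif dn in MAIN_TREE:
            uids |= resolve_nested(dn, seen)
    return uids


def compat_entry(group_dn):
    """Model of the flattened RFC2307 posixGroup entry the compat tree
    presents: memberUid values instead of member DNs, nesting pre-resolved."""
    cn = _rdn_value(group_dn)
    return {
        "dn": f"cn={cn},cn=groups,cn=compat,{BASE}",
        "objectClass": ["posixGroup"],
        "memberUid": sorted(resolve_nested(group_dn)),
    }


if __name__ == "__main__":
    admins = f"cn=admins,cn=groups,cn=accounts,{BASE}"
    print("RFC2307-only client sees:", rfc2307_view(admins))
    print("RFC2307bis resolution:   ", sorted(resolve_nested(admins)))
    print("compat-style entry:      ", compat_entry(admins))
```

On the constructed data, the non-dereferencing client sees only `alice` in `admins`, while the nested resolution and the flattened compat entry both list `alice` and `bob`; this is the gap the AIX client in the question falls into when it is pointed at `cn=accounts` instead of `cn=compat`.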
