[Freeipa-users] compat and nested groups for Unix system

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 20 15:24:39 UTC 2017


On ma, 20 maalis 2017, Iulian Roman wrote:
>On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On ma, 20 maalis 2017, Iulian Roman wrote:
>>
>>> Hello,
>>>
>>> I noticed that the nested group feature does not work with the Unix LDAP clients
>>> (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is used.
>>> If I use the cn=compat tree and change the mapping, the nested groups are listed
>>> properly.
>>>
>> Compat tree implements RFC2307 schema which doesn't have nested groups.
>>
>Correct, but although the groups under the compat tree do not have the
>nestedgroup object class attribute, whenever I change the group membership
>via the Web UI, the compat tree group membership is automatically updated (a new
>memberUid is added). What I've done is a sort of workaround: map the
>AIX groups attribute to memberUid, which seems to work properly.
memberUid is the uidNumber of the corresponding user, not a group identifier.
Perhaps you are trying to explain something else?

>> Main tree in FreeIPA uses RFC2307bis schema which supports nested
>> groups.
>>
> Any plans to support RFC2307AIX schema ?
No.

>
>> On AIX, IBM officially supports only AIX, RFC2307, and RFC2307AIX
>> schemas. AIX's automounter does support RFC2307bis automount maps but
>> the rest of the system does not support RFC2307bis. In particular, AIX
>> does not understand member attribute dereference.
>>
>>
>>> My question is if it is allowed to mix the compat and accounts cn for the
>>> userbasedn and groupbasedn on the same Unix LDAP client?
>>>
>> No, not really. You are messing up something that your client
>> does not understand.
>>
>As I explained above, I could use the basic attributes in the compat tree
>for groups in order to update the AIX "groups" attribute (based on the
>memberUid list). Is there anything which can break the functionality if the
>compat tree is used instead of the main/accounts tree, or is it a fortunate
>coincidence that this setup works?
Why don't you use the compat tree for both users and groups in AIX? This is
how it was designed to be used.

-- 
/ Alexander Bokovoy
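The difference the thread turns on is that the main tree stores nesting as RFC2307bis `member` DNs, while a client that only speaks RFC2307 (like AIX) needs a flat `memberUid` list as the compat tree exposes it. The following is an added example, not code from the thread or from FreeIPA's own compat plugin, that walks a constructed RFC2307bis snapshot (the base DN `dc=example,dc=test`, the users and the group names are all made up for this example) and produces the flat RFC2307-style view, skipping dangling member DNs and stopping on membership cycles:

```python
BASE = "dc=example,dc=test"  # constructed base DN, not a real deployment

def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE}"

def group_dn(cn):
    return f"cn={cn},cn=groups,cn=accounts,{BASE}"

# Constructed RFC2307bis snapshot: groups reference users and other groups
# through 'member' DNs; 'all' also references itself to exercise cycle handling.
DIRECTORY = {
    user_dn("alice"): {"uid": "alice"},
    user_dn("bob"): {"uid": "bob"},
    user_dn("carol"): {"uid": "carol"},
    group_dn("admins"): {"cn": "admins", "member": [user_dn("alice")]},
    group_dn("ops"): {"cn": "ops", "member": [user_dn("bob"), group_dn("admins")]},
    group_dn("all"): {"cn": "all", "member": [user_dn("carol"), group_dn("ops"),
                                              group_dn("all")]},
}

def flatten_member_uids(dn, directory=DIRECTORY):
    """Walk nested 'member' DNs and return the sorted uid values reached.

    A 'seen' set stops cycles; a DN missing from the directory (a dangling
    member) is skipped instead of aborting the whole group.
    """
    uids, seen, stack = set(), set(), [dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        entry = directory.get(current)
        if entry is None:
            continue
        if "uid" in entry:
            uids.add(entry["uid"])
        stack.extend(entry.get("member", []))
    return sorted(uids)

def compat_group_entry(cn, directory=DIRECTORY):
    """RFC2307-style view of one group: cn plus a flat memberUid list, no nesting."""
    return {"cn": cn, "memberUid": flatten_member_uids(group_dn(cn), directory)}
```

Note that the flat view carries user names only; the group-in-group relationship itself is lost, which is exactly why a client reading the compat tree sees nested members "listed properly" without ever understanding nesting.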
