[Freeipa-users] compat and nested groups for Unix system

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 20 15:33:09 UTC 2017


On Mon, 20 Mar 2017, Lukas Slebodnik wrote:
>On (20/03/17 17:00), Alexander Bokovoy wrote:
>>On Mon, 20 Mar 2017, Iulian Roman wrote:
>>> Hello,
>>>
>>> I noticed that the nested group feature does not work with the unix ldap
>>> clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...) is
>>> used. If I use the cn=compat and change the mapping the nested groups are
>>> listed properly.
>>Compat tree implements RFC2307 schema which doesn't have nested groups.
>>
>>Main tree in FreeIPA uses RFC2307bis schema which supports nested
>>groups.
>>
>But "Compat tree" is generated from "Main tree".
>Therefore users must have the same groups in both cases.
They are, for POSIX groups. RFC2307bis allows you to have arbitrary
nested groups, RFC2307 only handles POSIX groups.

-- 
/ Alexander Bokovoy
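
An illustration of the schema difference discussed in this thread, added here and not part of the original message or of FreeIPA's code: it derives a flat RFC2307-style view (`memberUid`) from RFC2307bis-style entries (`member` DNs that may point at other groups). The sample tree, the `dc=example,dc=test` suffix, the helper names and the rule that only entries with a `gidNumber` are emitted are assumptions made for the example.

```python
# Constructed sample of an RFC2307bis-style main tree (not real directory data).
# Groups list members by DN; a member DN may be a user or another group.
BASE = "cn=accounts,dc=example,dc=test"  # assumed suffix

def user_dn(uid):
    return f"uid={uid},cn=users,{BASE}"

def group_dn(cn):
    return f"cn={cn},cn=groups,{BASE}"

MAIN_TREE = {
    group_dn("admins"): {"cn": "admins", "gidNumber": 5001,
                         "member": [user_dn("alice"), group_dn("dbas")]},
    group_dn("dbas"): {"cn": "dbas", "gidNumber": 5002,
                       "member": [user_dn("bob"), group_dn("contractors")]},
    # Non-POSIX group: no gidNumber, so it has no RFC2307 representation.
    group_dn("contractors"): {"cn": "contractors",
                              "member": [user_dn("carol")]},
}

def rdn_value(dn):
    """Return the value of the first RDN, e.g. 'alice' for 'uid=alice,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def flatten_uids(dn, tree, seen=None):
    """Follow member DNs recursively and collect uids; 'seen' stops loops."""
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    uids = set()
    for member in tree[dn].get("member", []):
        if member in tree:                       # nested group
            uids |= flatten_uids(member, tree, seen)
        elif member.lower().startswith("uid="):  # user entry
            uids.add(rdn_value(member))
    return uids

def direct_uids(dn, tree):
    """What a client sees if it reads 'member' but does not follow groups."""
    return sorted(rdn_value(m) for m in tree[dn].get("member", [])
                  if m.lower().startswith("uid="))

def compat_view(tree):
    """Flat RFC2307-style view: POSIX groups only, members as memberUid."""
    return {e["cn"]: {"gidNumber": e["gidNumber"],
                      "memberUid": sorted(flatten_uids(dn, tree))}
            for dn, e in tree.items() if "gidNumber" in e}
```

With the sample tree, `direct_uids` on `admins` returns only `alice`, while `compat_view` lists `alice`, `bob` and `carol` for `admins` and omits the non-POSIX `contractors` group.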



