[Freeipa-users] compat and nested groups for Unix system

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 20 16:31:46 UTC 2017


On ma, 20 maalis 2017, Iulian Roman wrote:
>On Mon, Mar 20, 2017 at 4:24 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On ma, 20 maalis 2017, Iulian Roman wrote:
>>
>>> On Mon, Mar 20, 2017 at 4:00 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>> wrote:
>>>
>>> On ma, 20 maalis 2017, Iulian Roman wrote:
>>>>
>>>> Hello,
>>>>>
>>>>> I noticed that the nested group feature does not work with the Unix LDAP
>>>>> clients (AIX) if the default groupbasedn (cn=groups,cn=accounts,dc=...)
>>>>> is used. If I use the cn=compat tree and change the mapping, the nested
>>>>> groups are listed properly.
>>>>>
>>>>> Compat tree implements RFC2307 schema which doesn't have nested groups.
>>>>
>>>> Correct, but although the groups under the compat tree do not have the
>>> nestedgroup object class attribute, whenever I change the group membership
>>> via the Web UI, the compat tree group membership is automatically updated
>>> (a new memberUid is added). What I've done is a sort of workaround: map the
>>> AIX groups attribute to memberUid, which seems to work properly.
>>>
>> memberUid is the uidNumber of the corresponding user, not a group identifier.
>> Perhaps you are trying to explain something else?
>>
>OK, maybe I have to explain it more clearly, as it was confusing:
>in order to get the user list attribute for an LDAP group in AIX, you use
>some .map files, which map the LDAP attributes to the AIX attributes. For
>the 2307 schema, to get the user list of a group you have to map the
>AIX _users_ attribute to the _memberuid_ LDAP attribute. For the compat tree,
>in the file ipagroup.map I've mapped the AIX _users_ attribute to the
>_memberuid_ IPA/LDAP attribute and therefore I have the list of the users for
>that particular group. Having the list of users which are members of a group
>translates to having the list of groups of a user (if we invert the logic).
>Does that make more sense now?

According to my research from several years ago, the following two maps were
enough to get AIX to work with the primary IPA tree:

#IPAuser.map file
keyobjectclass  SEC_CHAR        posixaccount            s

# The following attributes are required by AIX to be functional
username        SEC_CHAR        uid                     s
id              SEC_INT         uidnumber               s
pgrp            SEC_CHAR        gidnumber               s
home            SEC_CHAR        homedirectory           s
shell           SEC_CHAR        loginshell              s
gecos           SEC_CHAR        gecos                   s
spassword       SEC_CHAR        userpassword            s
lastupdate      SEC_INT         shadowlastchange        s

#IPAgroup.map file
groupname       SEC_CHAR    cn                    s
id              SEC_INT     gidNumber             s
users           SEC_LIST    member                m

This will make AIX interpret native IPA users properly.

If you expect AD users from trusted AD domains to be usable as well,
you'd need to switch to compat tree and use RFC2307 mapping files.

>> Why you don't use compat tree for both users and groups in AIX? This is
>> how it was designed to be used.
>>
>Actually the compat tree was the default one configured by the LDAP client,
>but looking at the LDAP structure it seemed more logical to use the default
>IPA LDAP tree, which is used for Linux as well. Moreover, I did not understand
>what exactly the purpose of the compat tree is, and I was quite confused.
>Apart from that I missed some krb* related attributes for the user, but
>probably I have to re-evaluate that and use the compat tree for both users
>and groups, if that's what it was designed for.

It depends on what you need to do. You shouldn't need to have access to
Kerberos attributes from the client side at all.

-- 
/ Alexander Bokovoy
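An added illustration, not from this thread or from FreeIPA, of why the two group maps above behave differently for nested groups: with `users SEC_LIST member m` against the primary tree a client reads direct member DNs (users and nested groups), while against cn=compat the memberUid values are already flattened. The group entries, names and the dc=example,dc=test suffix are constructed sample data; the recursion mirrors what the compat tree precomputes server-side, which is an assumption about that tree, not FreeIPA code.

```python
from typing import Dict, List, Optional, Set

GROUPS = "cn=groups,cn=accounts,dc=example,dc=test"
USERS = "cn=users,cn=accounts,dc=example,dc=test"

# Primary IPA tree (constructed sample): 'member' lists direct members only,
# users and nested groups alike, as DNs.
PRIMARY: Dict[str, Dict[str, List[str]]] = {
    f"cn=admins,{GROUPS}": {"member": [f"uid=alice,{USERS}"]},
    f"cn=ops,{GROUPS}": {"member": [f"uid=bob,{USERS}", f"cn=admins,{GROUPS}"]},
    f"cn=everyone,{GROUPS}": {"member": [f"uid=carol,{USERS}", f"cn=ops,{GROUPS}"]},
}

# Compat tree (constructed sample, assumed flattened server-side): the same
# groups as RFC 2307 memberUid values, which is why AIX sees nested members.
COMPAT: Dict[str, List[str]] = {
    "admins": ["alice"],
    "ops": ["bob", "alice"],
    "everyone": ["carol", "bob", "alice"],
}

def uid_from_dn(dn: str) -> str:
    """Return the uid value of a user DN such as uid=alice,cn=users,..."""
    attr, value = dn.split(",", 1)[0].split("=", 1)
    if attr.lower() != "uid":
        raise ValueError(f"not a user DN: {dn}")
    return value

def direct_members(group_dn: str) -> Set[str]:
    """Users a client sees if it reads 'member' and ignores nested group DNs."""
    return {uid_from_dn(dn) for dn in PRIMARY[group_dn]["member"] if dn not in PRIMARY}

def expand_members(group_dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Transitively expand 'member' DNs into user uids (the client-side
    equivalent of what the compat tree precomputes)."""
    seen = set() if seen is None else seen
    if group_dn in seen:  # guard against membership cycles
        return set()
    seen.add(group_dn)
    uids: Set[str] = set()
    for dn in PRIMARY[group_dn]["member"]:
        if dn in PRIMARY:  # nested group: recurse
            uids |= expand_members(dn, seen)
        else:
            uids.add(uid_from_dn(dn))
    return uids

def compat_members(cn: str) -> Set[str]:
    """Users a client sees with 'users SEC_LIST memberUid m' against cn=compat."""
    return set(COMPAT[cn])
```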
