My goal is to use the compatibility plugin to display IPA hosts in a format 
that an Active Directory centric tool can consume.  Essentially my solution 
creates two containers under cn=compat called cn=adComputers and 
cn=adComputerGroups.  An entry is added to adComputers for every ipaHost, and 
attributes are populated that match Active Directory LDAP attributes for a 
'computer' object.  We do the same for each IPA hostgroup.

I have come pretty close to getting this working, but now I need to get the 
groups populated with the group members, but not the IPA hosts... instead I 
need the members to be the corresponding cn=adComputers entries that were 
created.

So I need to manipulate the members attribute.  For example the member 
attribute of one of the hostgroups in IPA is:
    fqdn=test.lab.local,cn=computers,cn=accounts,dc=lab,dc=local
I need to change it to:
    cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local

Below is my .update file.  I want to add a line at the end like:
   add:schema-compat-entry-attribute: member=%{member}
But I want to rewrite the %{member} value as described above.  I know I can do 
some logic here, as evidenced by 
https://pagure.io/freeipa/blob/master/f/install/updates/80-schema_compat.update 
where they use %ifeq and %%%deref_f.  But I cannot find any documentation 
explaining what options are available.  Essentially I am hoping there is some 
sort of regex manipulation capability here?


My .update file so far:

dn: cn=adComputers, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputers
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputers
add:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
add:schema-compat-entry-rdn: cn=%first("%{fqdn}")
add:schema-compat-check-access: yes
add:schema-compat-entry-attribute: objectclass=computer
add:schema-compat-entry-attribute: cn=%{fqdn}
add:schema-compat-entry-attribute: sAMAccountType=805306369
add:schema-compat-entry-attribute: dNSHostName=%{fqdn}
add:schema-compat-entry-attribute: operatingSystem=%{nsHardwarePlatform}
add:schema-compat-entry-attribute: operatingSystemVersion=%{nsOsVersion}
add:schema-compat-entry-attribute: name=%{serverHostName}
add:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
add:schema-compat-entry-attribute: location=%{nsHostLocation}

dn: cn=adComputerGroups, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputerGroups
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputerGroups
add:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-entry-check-access: yes
add:schema-compat-entry-attribute: objectclass=group
add:schema-compat-entry-attribute: cn=%{cn}
add:schema-compat-entry-attribute: groupType=-2147483646
add:schema-compat-entry-attribute: sAMAccountType=268435456
add:schema-compat-entry-attribute: name=%{cn}
add:schema-compat-entry-attribute: sAMAccountName=$$%{cn}
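
The member rewrite described in this message, written out client-side in Python as an added example. It is not part of the original post and is not schema-compat format-specifier syntax. The function names are hypothetical and the base DNs are taken from the post's sample values.

```python
# Added example: values below are constructed from the post's sample DNs.
SUFFIX = "dc=lab,dc=local"
HOST_BASE = "cn=computers,cn=accounts," + SUFFIX
COMPAT_BASE = "cn=adcomputers,cn=compat," + SUFFIX


def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash escapes (RFC 4514) intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # escaped char, e.g. "\," is not a separator
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).lstrip())
    return parts


def normalize(rdns):
    """Lower-case attribute names and values so base DNs compare case-insensitively."""
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out


def rewrite_member(member_dn, host_base=HOST_BASE, compat_base=COMPAT_BASE):
    """Map an IPA host member DN to its cn=adComputers DN.

    Returns None for members that are not fqdn= entries directly under
    host_base (for example nested hostgroups), so they are never rewritten.
    """
    rdns = split_dn(member_dn)
    attr, sep, value = rdns[0].partition("=")
    if not sep or attr.strip().lower() != "fqdn" or not value:
        return None
    if normalize(rdns[1:]) != normalize(split_dn(host_base)):
        return None
    return "cn=" + value + "," + compat_base
```

Anchoring the match to the full host base, rather than substituting on the string, keeps a member from another subtree or a nested hostgroup from being presented as a computer object.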