My goal is to use the compatibility plugin to display IPA hosts in a format that an Active Directory centric tool can consume. Essentially my solution creates two containers under cn=compat called cn=adComputers and cn=adComputerGroups. An entry is added to adComputers for every ipaHost, with attributes populated that match Active Directory LDAP attributes for a 'computer' object. We do the same for each IPA hostgroup.

I have come pretty close to getting this working, but now I need to get the groups populated with the group members, but not the IPA hosts... instead I need the members to be the corresponding cn=adComputers entries that were created. So I need to manipulate the members attribute.

For example, the member attribute of one of the hostgroups in IPA is:

fqdn=test.lab.local,cn=computers,cn=accounts,dc=lab,dc=local

I need to change it to:

cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local

Below is my .update file. I want to add a line at the end like:

add:schema-compat-entry-attribute: member=%{member}

But I want to rewrite the %{member} value as described above. I know I can do some logic here, as evidenced by https://pagure.io/freeipa/blob/master/f/install/updates/80-schema_compat.update where they use %ifeq and %%%deref_f. But I cannot find any documentation explaining what options are available. Essentially I am hoping there is some sort of regex manipulation capability here?

My .update file so far:

dn: cn=adComputers, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputers
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputers
add:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
add:schema-compat-entry-rdn: cn=%first("%{fqdn}")
add:schema-compat-check-access: yes
add:schema-compat-entry-attribute: objectclass=computer
add:schema-compat-entry-attribute: cn=%{fqdn}
add:schema-compat-entry-attribute: sAMAccountType=805306369
add:schema-compat-entry-attribute: dNSHostName=%{fqdn}
add:schema-compat-entry-attribute: operatingSystem=%{nsHardwarePlatform}
add:schema-compat-entry-attribute: operatingSystemVersion=%{nsOsVersion}
add:schema-compat-entry-attribute: name=%{serverHostName}
add:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
add:schema-compat-entry-attribute: location=%{nsHostLocation}

dn: cn=adComputerGroups, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputerGroups
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputerGroups
add:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-entry-check-access: yes
add:schema-compat-entry-attribute: objectclass=group
add:schema-compat-entry-attribute: cn=%{cn}
add:schema-compat-entry-attribute: groupType=-2147483646
add:schema-compat-entry-attribute: sAMAccountType=268435456
add:schema-compat-entry-attribute: name=%{cn}
add:schema-compat-entry-attribute: sAMAccountName=$$%{cn}
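
The member mapping asked for above, written out as an added Python example (not part of the original post and not compat plugin syntax); it can serve as a reference when checking what a compat tree returns. The function names and the sample DNs other than the one quoted in the post are assumptions, and the DN splitting only treats a comma preceded by a backslash as escaped.

```python
import re

SUFFIX = "dc=lab,dc=local"                  # suffix from the DNs quoted in the post
HOST_BASE = ["cn=computers", "cn=accounts"]  # container holding the ipaHost entries
COMPAT_BASE = "cn=adcomputers,cn=compat"     # target container from the post

def split_dn(dn):
    """Split a DN into RDNs on commas that are not preceded by a backslash."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def norm(rdn):
    """Lower-case an RDN and drop spaces around '=' so DNs compare loosely."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def rewrite_member(dn, suffix=SUFFIX):
    """Return the cn=adcomputers DN for an IPA host DN, or None otherwise."""
    rdns = split_dn(dn)
    tail = [norm(r) for r in HOST_BASE + split_dn(suffix)]
    # Only direct children of cn=computers,cn=accounts,<suffix> are hosts.
    if len(rdns) != len(tail) + 1 or [norm(r) for r in rdns[1:]] != tail:
        return None
    attr, _, value = rdns[0].partition("=")
    if attr.strip().lower() != "fqdn" or not value.strip():
        return None
    return f"cn={value.strip()},{COMPAT_BASE},{suffix}"

def rewrite_members(members, suffix=SUFFIX):
    """Map host members; return (mapped, skipped) so nothing is silently lost."""
    mapped, skipped = [], []
    for dn in members:
        new = rewrite_member(dn, suffix)
        (mapped if new else skipped).append(new or dn)
    return mapped, skipped

# Constructed sample: the DN from the post, a spaced/mixed-case variant,
# and a nested hostgroup member that has no adComputers counterpart.
SAMPLE = [
    "fqdn=test.lab.local,cn=computers,cn=accounts,dc=lab,dc=local",
    "FQDN=web1.lab.local, cn=Computers, cn=accounts, dc=lab, dc=local",
    "cn=webservers,cn=hostgroups,cn=accounts,dc=lab,dc=local",
]

if __name__ == "__main__":
    mapped, skipped = rewrite_members(SAMPLE)
    print("\n".join(mapped))
    print("not rewritten:", skipped)
```

Members that are not host entries, such as the nested hostgroup in the sample, come back in the skipped list instead of being rewritten to a DN that does not exist under cn=adComputers.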