Well, I managed to figure out the %deref_r directive is what I was looking for 
and got my update file working.  I am posting it here for anyone who wants to 
do the same.  It's actually pretty simple... just creates two containers in 
compat, one contains pseudo entries for every host, and the other contains 
pseudo entries for every hostgroup with the member attribute (pointing to the 
corresponding pseudo host entries).  I'm sure it can be improved, but it looks 
like it meets my needs in early testing.

Just save to a file and run "ipa-ldap-updater <filename>" and your dumb AD-only 
tool can ingest the devices (or at least mine can, you may need to bring over 
some other attributes).


# Delete the adcomputers and adcomputergroups containers.  Not really necessary
# but it's useful to start with a clean slate during testing, as updating
# things can lead to some strangeness

dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
deleteentry:

dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
deleteentry:

# Create the adcomputers container and map the objects and attributes from the
# ipaHosts
# Note: This will bring every host in, though it could be filtered with the
# search-filter below if desired.

dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: adcomputers
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=adcomputers
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
default:schema-compat-check-access: yes
default:schema-compat-entry-attribute: objectclass=computer
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: sAMAccountType=805306369
default:schema-compat-entry-attribute: dNSHostName=%{fqdn}
default:schema-compat-entry-attribute: operatingSystem=%{nsOsVersion}
default:schema-compat-entry-attribute: name=%{serverHostName}
default:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
default:schema-compat-entry-attribute: location=%{nsHostLocation}

# Create the adcomputergroups container and map the relevant attributes from
# the ipahostgroups

dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: adcomputergroups
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=adcomputergroups
default:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
default:schema-compat-entry-rdn: cn=%{cn}
default:schema-compat-check-access: yes
default:schema-compat-entry-attribute: objectclass=group
default:schema-compat-entry-attribute: objectclass=groupOfNames
default:schema-compat-entry-attribute: cn=%{cn}
default:schema-compat-entry-attribute: distinguishedName=cn=%{cn},cn=adcomputergroups,cn=compat,$SUFFIX
#default:schema-compat-entry-attribute: groupType=-2147483650
#default:schema-compat-entry-attribute: sAMAccountType=268435456
default:schema-compat-entry-attribute: name=%{cn}
default:schema-compat-entry-attribute: member=cn=%deref_r("member","fqdn"),cn=adcomputers,cn=compat,$SUFFIX
#default:schema-compat-entry-attribute: sAMAccountName=%{cn}
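The following is an added sketch, not part of the original post and not slapi-nis code. It models how the member mapping above expands, assuming %deref_r("member","fqdn") follows member recursively and returns the fqdn values of every entry reached. The suffix, hosts and hostgroups are constructed sample data, and the function names are hypothetical.

```python
# Simplified model of %deref_r("member","fqdn"); assumption-based, not slapi-nis code.
SUFFIX = "dc=example,dc=test"  # constructed placeholder suffix


def host_dn(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{SUFFIX}"


def group_dn(cn):
    return f"cn={cn},cn=hostgroups,cn=accounts,{SUFFIX}"


# Constructed directory: a nested hostgroup, a self-reference and a dangling member.
DIRECTORY = {
    host_dn("web1.example.test"): {"fqdn": ["web1.example.test"]},
    host_dn("web2.example.test"): {"fqdn": ["web2.example.test"]},
    host_dn("db1.example.test"): {"fqdn": ["db1.example.test"]},
    group_dn("web"): {"member": [host_dn("web1.example.test"),
                                 host_dn("web2.example.test")]},
    group_dn("prod"): {"member": [group_dn("web"),
                                  host_dn("db1.example.test"),
                                  group_dn("prod")]},
    group_dn("stale"): {"member": [host_dn("gone.example.test")]},
}


def deref_r(directory, start_dn, follow_attr, return_attr):
    """Follow follow_attr recursively from start_dn, collecting return_attr values."""
    seen, queue, values = set(), [start_dn], []
    while queue:
        dn = queue.pop(0)
        if dn in seen or dn not in directory:
            continue  # skip loops and members that no longer exist
        seen.add(dn)
        entry = directory[dn]
        values.extend(v for v in entry.get(return_attr, []) if v not in values)
        queue.extend(entry.get(follow_attr, []))
    return values


def compat_members(directory, group):
    """Render the member values the adcomputergroups mapping would produce."""
    return [f"cn={fqdn},cn=adcomputers,cn=compat,{SUFFIX}"
            for fqdn in deref_r(directory, group, "member", "fqdn")]


if __name__ == "__main__":
    for name in ("web", "prod", "stale"):
        print(name, compat_members(DIRECTORY, group_dn(name)))
```

In this model a nested hostgroup contributes its hosts to the parent's member list, and a group whose only member is missing still matches the (member=*) filter but ends up with no member values.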