Joseph Fry via FreeIPA-users wrote:
> Well, I managed to figure out the %deref_r directive is what I was looking
> for and got my update file working. I am posting it here for anyone who
> wants to do the same. It's actually pretty simple... just creates two
> containers in compat, one contains pseudo entries for every host, and the
> other contains pseudo entries for every hostgroup with the member attribute
> (pointing to the corresponding pseudo host entries). I'm sure it can be
> improved, but it looks like it meets my needs in early testing.
>
> Just save to a file and run "ipa-ldap-updater <filename>" and your dumb
> AD-only tool can ingest the devices (or at least mine can, you may need to
> bring over some other attributes).

Glad to see you got it working and thanks for contributing your solution.

rob

>
> # Delete the adcomputers and adcomputergroups containers. Not really necessary but
> # it's useful to start with a clean slate during testing, as updating things can lead
> # to some strangeness
>
> dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
> deleteentry:
>
> dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
> deleteentry:
>
> # Create the adcomputers container and map the objects and attributes from the ipaHosts
> # Note: This will bring every host in, though it could be filtered with the search-filter
> # below if desired.
>
> dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
> default:objectClass: top
> default:objectClass: extensibleObject
> default:cn: adcomputers
> default:schema-compat-container-group: cn=compat, $SUFFIX
> default:schema-compat-container-rdn: cn=adcomputers
> default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
> default:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
> default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
> default:schema-compat-check-access: yes
> default:schema-compat-entry-attribute: objectclass=computer
> default:schema-compat-entry-attribute: cn=%{fqdn}
> default:schema-compat-entry-attribute: sAMAccountType=805306369
> default:schema-compat-entry-attribute: dNSHostName=%{fqdn}
> default:schema-compat-entry-attribute: operatingSystem=%{nsOsVersion}
> default:schema-compat-entry-attribute: name=%{serverHostName}
> default:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
> default:schema-compat-entry-attribute: location=%{nsHostLocation}
>
> # Create the adcomputergroups container and map the relevant attributes from the ipahostgroups
>
> dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
> default:objectClass: top
> default:objectClass: extensibleObject
> default:cn: adcomputergroups
> default:schema-compat-container-group: cn=compat, $SUFFIX
> default:schema-compat-container-rdn: cn=adcomputergroups
> default:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
> default:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
> default:schema-compat-entry-rdn: cn=%{cn}
> default:schema-compat-check-access: yes
> default:schema-compat-entry-attribute: objectclass=group
> default:schema-compat-entry-attribute: objectclass=groupOfNames
> default:schema-compat-entry-attribute: cn=%{cn}
> default:schema-compat-entry-attribute: distinguishedName=cn=%{cn},cn=adcomputergroups,cn=compat,$SUFFIX
> #default:schema-compat-entry-attribute: groupType=-2147483650
> #default:schema-compat-entry-attribute: sAMAccountType=268435456
> default:schema-compat-entry-attribute: name=%{cn}
> default:schema-compat-entry-attribute: member=cn=%deref_r("member","fqdn"),cn=adcomputers,cn=compat,$SUFFIX
> #default:schema-compat-entry-attribute: sAMAccountName=%{cn}
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
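A pre-flight check for an update file like the one quoted above, written as an added example that is not part of the thread or of FreeIPA: it confirms each Schema Compatibility container stanza carries `schema-compat-check-access: yes` and flags `schema-compat-*` names outside the set used in the post's adcomputers stanza. The sample input is constructed, and treating that set as the accepted names is an assumption, not the plugin's full list.

```python
# Lint an ipa-ldap-updater file for Schema Compatibility container stanzas.
# Assumption: KNOWN holds only the directive names used in the post's adcomputers
# stanza, not the plugin's full list. extensibleObject stores any attribute name.
KNOWN = {"schema-compat-" + s for s in (
    "container-group", "container-rdn", "search-base", "search-filter",
    "entry-rdn", "entry-attribute", "check-access")}
PARENT = "cn=schema compatibility,cn=plugins,cn=config"
# Constructed sample in the update-file layout shown in the thread.
SAMPLE = """\
dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
deleteentry:

dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: extensibleObject
default:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
default:schema-compat-check-access: yes

dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
default:schema-compat-entry-check-access: yes
default:schema-compat-entry-attribute: cn=%{cn}
"""

def parse_update(text):
    """Return [(dn, [(action, attr, value), ...]), ...], one item per stanza."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            stanzas.append((line[3:].strip(), []))
        elif stanzas:
            action, _, rest = line.partition(":")
            attr, _, value = rest.partition(":")
            stanzas[-1][1].append((action.strip(), attr.strip().lower(), value.strip()))
    return stanzas

def audit(text):
    """Return (dn, problem, directive) for each container stanza failing a check."""
    findings = []
    for dn, lines in parse_update(text):
        norm = ",".join(p.strip() for p in dn.lower().split(","))
        if not norm.endswith("," + PARENT) or all(a == "deleteentry" for a, _, _ in lines):
            continue  # not a compat container, or a delete-only stanza
        names = {attr for _, attr, _ in lines}
        for name in sorted(n for n in names if n.startswith("schema-compat-") and n not in KNOWN):
            findings.append((dn, "unknown directive", name))
        if ("default", "schema-compat-check-access", "yes") not in lines:
            findings.append((dn, "check-access not set to yes", "schema-compat-check-access"))
    return findings
```

Calling `audit()` on the text of an update file returns an empty list when every container stanza passes both checks.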