On 03/05/2015 02:37 AM, re...@hushmail.com wrote:
> Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute.
> Here is an example returned from ldapsearch:
>
> # admins, groups, compat, localdomain.local
> dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
> gidNumber: 756200000
> memberUid: admin
> memberUid: vadmin
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> objectClass: top
> cn: admins
>
>
> On 3/5/2015 at 9:15 AM, re...@hushmail.com wrote:
> > Hi Martin,
> >
> > Using my vadmin account, "uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local",
> > the search completes successfully and I get a list of my users and groups;
> > however, when I've watched the ldap queries between vcenter and freeipa I can
> > see it's applying a filter to the user search looking for
> > 'objectClass=groupOfUniqueNames', which my groups don't seem to contain.
> >
> > I'm very much an ldap newbie, but I thought at step two in the vsphere
> > integration howto I modified the groups schema to include that object class?
> >
> > On 3/4/2015 at 8:32 PM, "Martin Kosek" <mko...@redhat.com> wrote:
> > > Given that this HOWTO does not use the vanilla Schema Compatibility settings
> > > (FreeIPA Compat Tree by default uses posixGroup objectclass and memberUid
> > > attribute for user membership), I would check if the groups really have the
> > > right objectclass and uniqueMember generated:
> > >
> > > # ldapsearch -D "VSPHERE_DN" -x -w "$VSPHERE_DN_PASSWORD" -b "cn=groups,cn=compat,dc=localdomain,dc=local"
> > >
> > > I expect there will be some problem preventing the LDAP search from
> > > succeeding. Then we would know where to look next.
> > >
> > > Martin
I am also CCing Gialunca, who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3; my compat group now contains the proper uniqueMember attribute and groupOfUniqueNames objectclass.

I am not sure, though, why users are also updated (mostly a question for Gialunca):

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

For instance, "uniqueMember" is not a valid objectclass. Also, if you are adding the inetOrgPerson objectclass, you should have all of its MUST attributes generated as well - otherwise consuming programs may break if they depend on such attributes existing. I see that "sn" is missing in my compat user entries.

Can you show the "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config" entry so that we can see if the uniqueMember attribute is really configured correctly?

Thanks,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
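Added example, not code from the thread, the vSphere HOWTO or FreeIPA itself: a small stdlib-only Python checker that turns Martin's three review points into something you can run against `ldapsearch -x -LLL` output. It flags compat groups that lack groupOfUniqueNames (the objectClass vCenter filters on), entries that carry an objectClass whose MUST attributes were never generated (inetOrgPerson without sn), and Schema Compatibility plugin lines whose `objectclass=` value is not an objectClass at all (`objectclass=uniqueMember`). The LDIF embedded in it is constructed for illustration: the DNs mirror the ones in the thread, the values are made up, and the plugin config entry is trimmed to the one attribute being checked. The MUST lists come from the RFCs named in the comments; the file name `check_compat.py` in the usage note is an assumed name.

```python
"""Check FreeIPA compat-tree LDIF for the objectClasses/attributes vCenter needs.

Added example for the freeipa-users thread; not from the HOWTO or FreeIPA.
Reads LDIF as printed by `ldapsearch -x -LLL` (stdin) or the constructed
sample below, and reports per-entry problems.
"""
import base64
import sys

# MUST attributes per objectClass: RFC 4512 (top), RFC 2307 (posix*),
# RFC 4519 (groupOfUniqueNames), RFC 2798 (inetOrgPerson inherits cn, sn
# from person).  Lower-cased because LDAP attribute/class names are
# case-insensitive.  Anything not listed here is treated as "unknown".
OBJECTCLASS_MUST = {
    "top": {"objectclass"},
    "posixgroup": {"cn", "gidnumber"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "groupofuniquenames": {"cn", "uniquemember"},
    "inetorgperson": {"cn", "sn"},
}

# Constructed sample (assumed data, not a capture): one group as the poster
# showed it, one group done right, one user missing sn, and a trimmed copy of
# the plugin config entry with the bogus objectclass=uniqueMember line.
SAMPLE_LDIF = """\
# admins, groups, compat, localdomain.local
dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200000
memberUid: admin
memberUid: vadmin
objectClass: posixGroup
objectClass: top
cn: admins

# editors, groups, compat, localdomain.local
dn: cn=editors,cn=groups,cn=compat,dc=localdomain,dc=local
gidNumber: 756200002
memberUid: admin
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=admin,cn=users,cn=compat,dc=localdomain,dc=local
cn: editors

# vadmin, users, compat, localdomain.local  (cn is base64 only to exercise '::')
dn: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
uid: vadmin
cn:: dlNwaGVyZSBBZG1pbg==
uidNumber: 756200001
gidNumber: 756200001
homeDirectory: /home/vadmin

# users, Schema Compatibility, plugins, config  (trimmed to the checked attribute)
dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: users
schema-compat-entry-attribute: objectclass=uniqueMember
schema-compat-entry-attribute: objectclass=inetOrgPerson
"""


def parse_ldif(text):
    """LDIF -> list of entries; each maps lower-cased attr name -> [values].
    Handles folded lines, '#' comments and base64 ('::') values, which is
    enough for ldapsearch output.  The dn is kept as attribute 'dn'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:        # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def check_compat_config(entry):
    """Plugin config entry: every objectclass=X must name a real objectClass."""
    problems = []
    for spec in entry.get("schema-compat-entry-attribute", []):
        name, _, value = spec.partition("=")
        if name.strip().lower() == "objectclass" and value.strip().lower() not in OBJECTCLASS_MUST:
            problems.append(f"'{spec}' names something that is not a known objectClass")
    return problems


def check_compat_entry(entry):
    """Compat user/group entry: expected classes present, and every class'
    MUST attributes actually generated."""
    problems = []
    dn = entry.get("dn", [""])[0].lower()
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if ",cn=groups,cn=compat," in dn and "groupofuniquenames" not in classes:
        problems.append("group lacks objectClass groupOfUniqueNames (vCenter filters on it)")
    if ",cn=users,cn=compat," in dn and "inetorgperson" not in classes:
        problems.append("user lacks objectClass inetOrgPerson")
    for oc in sorted(classes & OBJECTCLASS_MUST.keys()):
        for attr in sorted(OBJECTCLASS_MUST[oc] - entry.keys()):
            problems.append(f"objectClass {oc} present but MUST attribute {attr} is missing")
    return problems


def check_ldif(text):
    """Return {dn: [problem, ...]} for every entry with at least one problem."""
    report = {}
    for entry in parse_ldif(text):
        if "schema-compat-entry-attribute" in entry:
            problems = check_compat_config(entry)
        else:
            problems = check_compat_entry(entry)
        if problems:
            report[entry["dn"][0]] = problems
    return report


if __name__ == "__main__":
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for dn, problems in check_ldif(text).items():
        print(dn)
        for problem in problems:
            print("  -", problem)
```

Run it with the vSphere bind against the compat tree, e.g. `ldapsearch -x -LLL -D "$VSPHERE_DN" -w "$VSPHERE_DN_PASSWORD" -b cn=compat,dc=localdomain,dc=local | python3 check_compat.py`; the plugin config entries under `cn=Schema Compatibility,cn=plugins,cn=config` are only readable with a Directory Manager bind (`-D "cn=Directory Manager" -W`). The "known objectClass" set is deliberately small, so extend `OBJECTCLASS_MUST` with the classes your own deployment adds before trusting an "unknown" finding.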