Hello,

We are trying to get Zenoss login authentication to use freeipa over LDAP. Group mappings don't currently work and we think this is because Zenoss requires the groupOfUniqueNames object class.

I managed to add the object class to a test VM using vsphere_groupmod.ldif taken from http://www.freeipa.org/page/HowTo/vsphere5_integration

- content of vsphere_groupmod.ldif -

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")

- apply with -

ldapmodify -x -D "cn=Directory Manager" -f vsphere_groupmod.ldif -W

However, the following command seemed to freeze -

ipa permission-mod "System: Read Group Compat Tree" --includedattrs uniquemember

and I had to kill it, then subsequent ldapsearch commands froze. Rebooting the VM seemed to fix things and the groupOfUniqueNames object class appeared in the schema.

I'd like to apply this to our live system, which uses a master and two replicas running IPA v4.2.0 on RHEL 7.2.

Do I need to make the same change to all three servers?

Can I leave the replicas connected or do I need to break the replication and re-establish it?

Do I need the "ipa permission-mod"? If so, then how do I avoid it freezing?

Many thanks

Bob Hinton
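A dry run of the LDIF above, as an added example (not part of the original post and not FreeIPA code): it checks the structure of the modify record and previews the uniqueMember values the `%mregsub` rule would produce before the change goes to a live server. Python's `re` stands in for the plugin's regex engine, non-matching members are assumed to yield no value, and the function names and member DNs in the test are constructed for illustration.

```python
import re

# The LDIF from the post, embedded so the check runs offline.
LDIF = '''dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
'''

def parse_modify(ldif):
    """Return (dn, [(op, attr, value), ...]) for a single LDIF modify record."""
    lines = [l for l in ldif.splitlines() if l.strip()]
    if not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("expected one 'changetype: modify' record")
    mods, op, attr = [], None, None
    for line in lines[2:]:
        if line == "-":                      # separator ends the current operation
            op = attr = None
            continue
        key, value = line.split(": ", 1)
        if op is None:                       # first line of an operation names it
            if key not in ("add", "replace", "delete"):
                raise ValueError("missing operation line before: " + line)
            op, attr = key, value
        elif key.lower() == attr.lower():
            mods.append((op, attr, value))
        else:                                # e.g. a forgotten '-' separator
            raise ValueError("value line does not match operation: " + line)
    return lines[0][4:], mods

MREGSUB = re.compile(r'%mregsub\("%\{(\w+)\}","(.*)","(.*)"\)$')

def preview(spec, entry):
    """Approximate what one schema-compat-entry-attribute spec yields for entry."""
    target, expr = spec.split("=", 1)
    m = MREGSUB.match(expr)
    if not m:                                # plain literal such as an objectclass
        return target, [expr]
    source, pattern, template = m.groups()
    template = re.sub(r"%(\d)", r"\\g<\1>", template)   # %1 -> \g<1>
    hits = (re.match(pattern, v) for v in entry.get(source, []))
    return target, [h.expand(template) for h in hits if h]  # assumed: no match, no value

def dry_run(entry, ldif=LDIF):
    dn, mods = parse_modify(ldif)
    return dn, dict(preview(value, entry) for _, _, value in mods)
```

Because `^(.*)accounts(.*)` is greedy, only the last occurrence of `accounts` in each member DN is rewritten to `compat`, so a uid that happens to contain that word is left alone.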