Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque
On Jun 7, 2012, at 6:46 PM, Nalin Dahyabhai wrote:

> On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
>> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>> 
>>> ldapsearch -h sbgrid-directory -Y GSSAPI \
>>> -b "cn=Schema Compatibility,cn=plugins,cn=config" \
>>> nsslapd-pluginEnabled
>>> 
>>> The results should look like this:
>>> 
>>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>>> nsslapd-pluginEnabled: off
>>> 
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>> 
>>> dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
>>> 
>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>> 
>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> 
>> Hmm, I only get this:
>> 
>> dn: cn=Schema Compatibility,cn=plugins,cn=config
>> nsslapd-pluginEnabled: on
>> 
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>> 
>> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2
> 
> I don't have an explanation for how it got that way, but you're missing
> some entries, and that probably explains why you don't see compat data
> for groups.
> 
> I'm attaching the LDIF for these entries from my test server, with the
> suffix changed from the one I'm using to yours.  The 'cn=users',
> 'cn=groups', and 'cn=ng' entries should be accepted without issue by
> 'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you
> already have one.
> 
> Normally that'd be the right thing, but if your 'cn=sudoers' entry looks
> different from the one in the LDIF file, you may want to change it as
> well by using 'ldapmodify'.

Hi Nalin,

Well, that fixed it. I'd love to know what caused this but am grateful indeed 
for your help.

Cheers,
Ian




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
> 
> >  ldapsearch -h sbgrid-directory -Y GSSAPI \
> > -b "cn=Schema Compatibility,cn=plugins,cn=config" \
> > nsslapd-pluginEnabled
> > 
> > The results should look like this:
> > 
> >  dn: cn=Schema Compatibility,cn=plugins,cn=config
> >  nsslapd-pluginEnabled: off
> > 
> >  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> > 
> >  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> > 
> >  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> > 
> >  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> 
> Hmm, I only get this:
> 
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
> 
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> 
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

I don't have an explanation for how it got that way, but you're missing
some entries, and that probably explains why you don't see compat data
for groups.

I'm attaching the LDIF for these entries from my test server, with the
suffix changed from the one I'm using to yours.  The 'cn=users',
'cn=groups', and 'cn=ng' entries should be accepted without issue by
'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you
already have one.

Normally that'd be the right thing, but if your 'cn=sudoers' entry looks
different from the one in the LDIF file, you may want to change it as
well by using 'ldapmodify'.

HTH,

Nalin

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=nisNetgroup
schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\
 ",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\"memberHo
 st\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"member\\\",
 \\\"fqdn\\\")\\\",\\\"%deref_r(\\\"memberHost\\\",\\\"member\
 \\",\\\"fqdn\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\
 ",\"\",\"%collect(\\\"%deref(\\\"memberUser\\\",\\\"uid\\\")\
 \\",\\\"%deref_r(\\\"member\\\",\\\"uid\\\")\\\",\\\"%deref_r
 (\\\"memberUser\\\",\\\"member\\\",\\\"uid\\\")\\\")\
 ")","-"),%{nisDomainName:-})
schema-compat-check-access: yes
cn: ng
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (objectclass=ipaNisNetgroup)
schema-compat-container-rdn: cn=ng
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=ng, cn=alt, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
 ternalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)
 ))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\
 "uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%d
 eref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%de
 ref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{ex
 ternalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEn
 try)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"
 fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntr
 y))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry

Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque

On Jun 7, 2012, at 6:01 PM, Rob Crittenden wrote:

> What does ipa-compat-manage status say?


Plugin Enabled

~irl



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Rob Crittenden

Ian Levesque wrote:
> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
> 
> >  ldapsearch -h sbgrid-directory -Y GSSAPI \
> > -b "cn=Schema Compatibility,cn=plugins,cn=config" \
> > nsslapd-pluginEnabled
> > 
> > The results should look like this:
> > 
> >  dn: cn=Schema Compatibility,cn=plugins,cn=config
> >  nsslapd-pluginEnabled: off
> > 
> >  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> > 
> >  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> > 
> >  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> > 
> >  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
> 
> Hmm, I only get this:
> 
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
> 
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> 
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2
> 
> Thanks again,
> Ian


What does ipa-compat-manage status say?

rob



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque

On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:

>  ldapsearch -h sbgrid-directory -Y GSSAPI \
>   -b "cn=Schema Compatibility,cn=plugins,cn=config" \
>   nsslapd-pluginEnabled
> 
> The results should look like this:
> 
>  dn: cn=Schema Compatibility,cn=plugins,cn=config
>  nsslapd-pluginEnabled: off
> 
>  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> 
>  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> 
>  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> 
>  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config



Hmm, I only get this:

dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

Thanks again,
Ian



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:44:16PM -0400, Nalin Dahyabhai wrote:
> The results should look like this:
> 
>   dn: cn=Schema Compatibility,cn=plugins,cn=config
>   nsslapd-pluginEnabled: off

Yeah, that second line should be "nsslapd-pluginEnabled: on".

*facepalm*

Nalin



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:34:58PM -0400, Ian Levesque wrote:
> # ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org
> No such object (32)
> Matched DN: dc=sbgrid,dc=org

This result suggests that the plugin isn't running.  Can you
double-check by searching (as either the directory administrator or the
IPA administrator) to verify that the plugin is enabled and configured
to serve up group information?  The search looks like:

  kinit admin
  ldapsearch -h sbgrid-directory -Y GSSAPI \
-b "cn=Schema Compatibility,cn=plugins,cn=config" \
nsslapd-pluginEnabled

The results should look like this:

  dn: cn=Schema Compatibility,cn=plugins,cn=config
  nsslapd-pluginEnabled: off

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

If you drill down and read the whole cn=groups configuration entry, it
should look like this:

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
  schema-compat-entry-attribute: objectclass=posixGroup
  schema-compat-entry-attribute: gidNumber=%{gidNumber}
  schema-compat-entry-attribute: memberUid=%{memberUid}
  schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
  cn: groups
  objectClass: top
  objectClass: extensibleObject
  schema-compat-search-filter: objectclass=posixGroup
  schema-compat-container-rdn: cn=groups
  schema-compat-entry-rdn: cn=%{cn}
  schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
  schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

HTH,

Nalin

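An added check (example code of my own, not from this thread or the FreeIPA project) that parses the output of the verification search Nalin describes and reports what was missing on Ian's server: as the thread shows, `ipa-compat-manage status` reported the plugin enabled while the cn=users, cn=groups and cn=ng sub-entries were absent, so the script checks the flag and the four sub-entries separately. It assumes a POSIX shell with sed and grep and the four sub-entry names listed in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the output of
#   ldapsearch -b "cn=Schema Compatibility,cn=plugins,cn=config" nsslapd-pluginEnabled
# and reports whether the plugin is on and whether every sub-entry that
# produces a compat view is present.

# Sub-entries expected under the plugin entry, as listed in the thread.
EXPECTED="users groups ng sudoers"

# check_compat_output: reads ldapsearch output on stdin, prints one line
# per problem, and returns 0 only when the plugin is on and every expected
# sub-entry exists.
check_compat_output() {
    out=$(cat)
    rc=0
    enabled=$(printf '%s\n' "$out" | sed -n 's/^nsslapd-pluginEnabled: *//p' | head -n 1)
    if [ "$enabled" != "on" ]; then
        echo "plugin not enabled (nsslapd-pluginEnabled: ${enabled:-missing})"
        rc=1
    fi
    for name in $EXPECTED; do
        # Exact whole-line match on the sub-entry DN from the search output.
        if ! printf '%s\n' "$out" | grep -qxF "dn: cn=$name,cn=Schema Compatibility,cn=plugins,cn=config"; then
            echo "missing compat sub-entry: cn=$name"
            rc=1
        fi
    done
    return $rc
}

# Live use against a server, with the search from the thread (an
# administrator's Kerberos ticket is needed first):
#   kinit admin
#   ldapsearch -h sbgrid-directory -Y GSSAPI \
#       -b "cn=Schema Compatibility,cn=plugins,cn=config" nsslapd-pluginEnabled \
#   | check_compat_output
```

A non-zero exit with "missing compat sub-entry" lines is the state Ian hit; the fix in the thread is to ldapadd the missing entries from Nalin's LDIF.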


Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque

On Jun 7, 2012, at 5:27 PM, Nalin Dahyabhai wrote:

> On Thu, Jun 07, 2012 at 05:03:11PM -0400, Ian Levesque wrote:
>> Hello,
>> 
>> I've read that the schema compatibility plugin should provide a vanilla RFC 
>> 2307 view of groups with memberUid attributes. I need this for our OS X 
>> clients, which don't seem capable of understanding the RFC 2307bis format of 
>> member DNs.
>> 
>> So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's 
>> loaded via `ipa-compat-manage status`. I restarted the directory server.
>> 
>> However, I don't get memberUid attributes. I've seen some docs that say 
>> "cn=compat" should be added to the default base, but that returns nothing:
>> 
>>  ldapsearch -LLL -x -h sbgrid-directory -b 
>> cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders
>>  No such object (32)
>>  Matched DN: dc=sbgrid,dc=org
> 
> Try using "cn=groups,cn=compat,dc=sbgrid,dc=org" as the search base.  We 
> don't put a "cn=accounts" container under cn=compat by default.

Hi Nalin - thanks for the tip; unfortunately, there doesn't appear to be 
anything in cn=compat:

# ldapsearch -LLL -x -h sbgrid-directory -b cn=groups,cn=compat,dc=sbgrid,dc=org
No such object (32)
Matched DN: dc=sbgrid,dc=org

# ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org
No such object (32)
Matched DN: dc=sbgrid,dc=org

Best regards,
Ian



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:03:11PM -0400, Ian Levesque wrote:
> Hello,
> 
> I've read that the schema compatibility plugin should provide a vanilla RFC 
> 2307 view of groups with memberUid attributes. I need this for our OS X 
> clients, which don't seem capable of understanding the RFC 2307bis format of 
> member DNs.
> 
> So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's 
> loaded via `ipa-compat-manage status`. I restarted the directory server.
> 
> However, I don't get memberUid attributes. I've seen some docs that say 
> "cn=compat" should be added to the default base, but that returns nothing:
> 
>   ldapsearch -LLL -x -h sbgrid-directory -b 
> cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders
>   No such object (32)
>   Matched DN: dc=sbgrid,dc=org

Try using "cn=groups,cn=compat,dc=sbgrid,dc=org" as the search base.  We 
don't put a "cn=accounts" container under cn=compat by default.

HTH,

Nalin



[Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque
Hello,

I've read that the schema compatibility plugin should provide a vanilla RFC 
2307 view of groups with memberUid attributes. I need this for our OS X 
clients, which don't seem capable of understanding the RFC 2307bis format of 
member DNs.

So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's 
loaded via `ipa-compat-manage status`. I restarted the directory server.

However, I don't get memberUid attributes. I've seen some docs that say 
"cn=compat" should be added to the default base, but that returns nothing:

  ldapsearch -LLL -x -h sbgrid-directory -b 
cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders
  No such object (32)
  Matched DN: dc=sbgrid,dc=org

When I search the default base, things look unchanged (obviously, no memberUid 
here):

  ldapsearch -LLL -x -h sbgrid-directory -b 
cn=groups,cn=accounts,dc=sbgrid,dc=org cn=builders | grep member
  member: uid=ian,cn=users,cn=accounts,dc=sbgrid,dc=org

I seem to remember when I first set up the FreeIPA server, there *was* a 
cn=compat tree... did disabling it at some point cause it to stop working?

Best,
Ian
