Re: [Freeipa-users] openldap to ipa
For the record: this issue was resolved. I resolved it by following the guidance provided in the following bug report: https://fedorahosted.org/freeipa/ticket/3364

On Tue, Jan 15, 2013 at 9:35 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
> [quoted earlier messages omitted; they appear in full below]
Re: [Freeipa-users] openldap to ipa
Hi Rcrit,

As outlined in the IRC channel, please find the ldap.conf from the OpenLDAP server below.

    URI ldap://ldap.example.com ldap://ldap1.example.com
    BASE dc=example,dc=com
    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

I then copy the file /etc/pki/tls/certs/ca-bundle.crt from the OpenLDAP server over to the test IPA server, and on the IPA server I run the following command:

    certutil -A -d /etc/httpd/alias -n 'openldap CA' -t CT,, -a -i ca-bundle.crt

The OpenLDAP server is using a certificate signed by a CA. The IPA server is using the self-signed certificate it generated when starting up. I still get the error after adding the CA bundle for the OpenLDAP server to the Apache cert DB on the IPA server.

After explaining all this, I feel that the problem lies with the self-signed cert on the IPA server. Can I confirm with someone the process by which the migration of data occurs? I gather it is something like this:

1. IPA binds/creates a connection to the remote server via SSL/TLS.
2. It then binds to a socket locally.
3. Then it contacts the Apache server for some reason (no idea why this is contacting Apache on 443?).

Regards
John

On Mon, Jan 14, 2013 at 6:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> [quoted earlier messages omitted; they appear in full below]
Re: [Freeipa-users] openldap to ipa
Johnathan Phan wrote:
> Anyone know the details of the low-level system steps for the migration script to work? So I can try and reverse-engineer or troubleshoot each system as I go along, so I can actually migrate the data from OpenLDAP to IPA?

The migration is taking place in the context of the web server. So any trust needs to be added to /etc/httpd/alias (and the httpd service restarted). It needs to trust the signer of the remote LDAP server.

What I don't know is how you add trust in NSS for a self-signed server certificate. You might be best off issuing new SSL certs for your OpenLDAP server, using a CA to issue the server cert, in order to perform the migration.

rob

> Regards
> John
>
> On Mon, Jan 14, 2013 at 9:19 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
>> Hi Aquino,
>>
>> Thanks for the input; however, there is a CRT in there already and it was set to allow on both the IPA server and the target OpenLDAP server. The core of the issue seems to be that IPA does not accept the cert either locally or remotely, as it does not trust it. Anyone know how I can troubleshoot this? I have reviewed the dirsrv logs for LDAP and I can't spot anything.
>>
>> Regards
>> John
>>
>> On Fri, Jan 11, 2013 at 5:55 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>> [quoted earlier messages omitted; they appear in full below]
[Freeipa-users] openldap to ipa
Hi There,

This is driving me up the wall. I have two servers. One is a live OpenLDAP/Kerberos AAA server running on RHEL6. The LDAP service has SSL/TLS support. The second server is a test environment running on Fedora and has IPA 3.1 installed.

As the last step of my POC I need to migrate the users and passwords from the LDAP server to the IPA server. I ran this command perfectly fine:

    ipa config-mod --enable-migration=TRUE

However, the next step was where my issues began. In the end, after a lot of IRC communication and troubleshooting, I now run the following command:

    ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=users,ou=live,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.live.example.com

I get the following error:

    ipa: DEBUG: Caught fault 4203 from server http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized.
    ipa: DEBUG: Destroyed connection context.xmlclient
    ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized.

I have surmised that the IPA server does not trust the cert served by the OpenLDAP server, or the other way around. Does anyone know how to get around this, or allow me to finish the migration of user data?

Regards
John

--
Johnathan Phan
T: +44 (0)784 118 7080

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openldap to ipa
Try editing /etc/openldap/ldap.conf:

    TLS_CACERT /etc/ipa/ca.crt
    TLS_REQCERT allow

See if that helps.

Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GIAC Exploit Researcher and Advanced Penetration Tester | GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com/

On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
> [quoted original message omitted; it appears in full above]
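The fix Rob describes (trust for the remote server's signer added to the NSS database the IPA web server reads, /etc/httpd/alias, then httpd restarted) and the workaround JR suggests (TLS_REQCERT allow) pull in opposite directions. The first makes the LDAPS connection verifiable; the second tells libldap to carry on even when it cannot verify the server certificate, which for a job that binds as cn=admin and copies password hashes is the wrong trade. The following is an added example, not FreeIPA code and not anything the posters ran: a small Python pre-flight that flags a verification-disabling ldap.conf, checks a `certutil -L` listing for a CA nickname carrying the `C` trust flag in the SSL column (what `-t CT,,` sets), and, when pointed at a live host, performs the same chain verification whose NSS form is error -8179 in the thread. All function names, the sample ldap.conf and the sample certutil listing are constructed for this example.

```python
"""Added pre-flight check for an LDAPS migration source (not FreeIPA code).

Checks the two things this thread turns on: whether the client still verifies
the server certificate at all (TLS_REQCERT in ldap.conf), and whether the
remote LDAP server's signing CA sits in the NSS database the IPA web server
reads (/etc/httpd/alias) with a trust flag that makes it an SSL CA. Sample
inputs are constructed; they are not taken from the original posts.
"""
import re
import socket
import ssl

# TLS_REQCERT values under which libldap proceeds with an unverifiable server certificate.
UNSAFE_REQCERT = {"never", "allow"}

# One `certutil -L` row: nickname, whitespace, then SSL,S/MIME,JAR/XPI trust flags.
_CERTUTIL_ROW = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def parse_ldap_conf(text):
    """{KEYWORD: value} for an OpenLDAP ldap.conf; blank and '#' lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return the trust problems found in an ldap.conf; an empty list means verification is intact."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # OpenLDAP's default is demand
    if reqcert in UNSAFE_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: an untrusted or forged server certificate is "
                        "accepted, so the bind credentials and copied password hashes can go to an impostor")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: nothing to anchor the server chain to")
    return findings


def parse_certutil_list(text):
    """Parse `certutil -L -d <nssdb>` output into {nickname: trust_flags}."""
    certs = {}
    for line in text.splitlines():
        m = _CERTUTIL_ROW.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def trusted_ssl_ca(certs, nickname):
    """True if the nickname exists and has 'C' (trusted CA) in the SSL column, as 'CT,,' does.
    'u,u,u' only means a private key is present (e.g. Server-Cert); it is not a trust anchor."""
    trust = certs.get(nickname)
    return trust is not None and "C" in trust.split(",")[0]


def verify_ldaps_chain(host, port=636, cafile=None, timeout=5.0):
    """Connect to an LDAPS port with full chain and hostname verification; returns (ok, detail).
    A chain failure here is the OpenSSL counterpart of NSS error -8179 seen in the thread.
    Needs network access, so the offline sample run below does not call it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"chain verified; issuer CN={issuer.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain does not verify: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"


# Constructed samples: an ldap.conf with the weak setting, and an NSS listing
# after the thread's `certutil -A ... -n 'openldap CA' -t CT,,` import.
SAMPLE_LDAP_CONF = """\
URI ldap://ldap.example.com ldap://ldap1.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT allow
"""
SAMPLE_CERTUTIL_LIST = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
openldap CA                                                  CT,,
"""

if __name__ == "__main__":
    for finding in audit_ldap_conf(SAMPLE_LDAP_CONF):
        print("ldap.conf:", finding)
    nssdb = parse_certutil_list(SAMPLE_CERTUTIL_LIST)
    for nick in ("openldap CA", "Server-Cert"):
        print(f"{nick!r} trusted as SSL CA in /etc/httpd/alias:", trusted_ssl_ca(nssdb, nick))
```

In practice the sequence is the one the thread converges on: copy the remote server's signing CA (in PEM form) to the IPA server, import it with `certutil -A -d /etc/httpd/alias -n '<nickname>' -t CT,, -a -i <ca.pem>`, restart httpd, then feed the real `certutil -L -d /etc/httpd/alias` output to `parse_certutil_list` and confirm `trusted_ssl_ca` is true for that nickname before running `ipa migrate-ds` again. `verify_ldaps_chain("ldap1.live.example.com", cafile="<ca.pem>")` from the IPA server is a quick way to tell a trust problem from a hostname or connectivity problem, since the OpenSSL message names which it is.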
Re: [Freeipa-users] Openldap to IPA migration confusion
On 23/07/2012 3:33 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>> On 20/07/2012 5:14 PM, Rob Crittenden wrote:
>>> [quoted earlier messages omitted; they appear in full below]
>>
>> it says:
>>
>>     --schema=['RFC2307bis', 'RFC2307']
>>         The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis
>>
>> I assume I am using the default. Does this mean that I should use RFC2307 instead? It does not make much sense to me because my OpenLDAP server is using RFC2307, if I understand your comments above right.
>
> If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to specify membership) then use --schema=RFC2307. You are specifying the remote schema, not the local schema.

Indeed it is the remote schema. For future reference, this is my command line:

    # ipa -d migrate-ds ldap://ldap:389 --bind-dn=cn=Manager,dc=... --group-container=ou=group --group-overwrite-gid --schema=RFC2307 --with-compat --group-objectclass=posixGroup

> rob

Your help is much appreciated!
Qing
Re: [Freeipa-users] Openldap to IPA migration confusion
On 20/07/2012 5:14 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>> Greetings,
>>
>> Migration from OpenLDAP to IPA creates a pair of subtrees for both users and groups, compat and accounts. Using groups as an example:
>>
>>     dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>>     dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>
>> The IPA web GUI does not show the memberUid attribute, although it is migrated correctly. Adding a user to the group in the web GUI reveals that the member is added to both compat and accounts, but differently:
>>
>>     accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>     compat:   memberUid: qchang
>>
>> It also reveals that the GUI does not display anything for the compat tree, but I can use LDAP tools to show compat entries.
>>
>> My questions:
>>
>> 1, why do we have two trees created? I vaguely remember that it is mentioned that compat is for support of IPA as an NIS proxy?
>
> cn=compat is a view of the data in rfc2307-compatible format (so memberUid instead of member). It isn't a separate copy. It is so clients that don't support 2307bis can still authenticate and identify users using nss_ldap.
>
>> 2, Can the migration script be modified to convert memberUid to member for the accounts tree? Or can I modify it manually and load the tree with ldapmod without breaking IPA?
>
> It already can, see the --schema option.

it says:

    --schema=['RFC2307bis', 'RFC2307']
        The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis

I assume I am using the default. Does this mean that I should use RFC2307 instead? It does not make much sense to me because my OpenLDAP server is using RFC2307, if I understand your comments above right.

Thanks,
Qing

>> 3, What does Samba use, compat or accounts? I do have a Samba server set up as an IPA client and it works very well, but I don't seem to be able to find a place to specify either compat or accounts for user and group lookup; I assume the IPA client libraries take care of it. In fact there are no entries that are related to LDAP in my smb.conf, there are only a few lines related to IPA/Kerberos:
>>
>>     security = user
>>     passdb backend = smbpasswd
>>     # Kerberos options
>>     realm = SRI.UTORONTO.CA
>>     kerberos method = dedicated keytab
>>     dedicated keytab file = /etc/krb5.keytab
>
> I'm not familiar with configuring Samba with an ldap backend, maybe someone else will chime in.
>
> rob
Re: [Freeipa-users] Openldap to IPA migration confusion
Qing Chang wrote:
> On 20/07/2012 5:14 PM, Rob Crittenden wrote:
>> [quoted earlier messages omitted; they appear in full above]
>
> it says:
>
>     --schema=['RFC2307bis', 'RFC2307']
>         The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis
>
> I assume I am using the default. Does this mean that I should use RFC2307 instead? It does not make much sense to me because my OpenLDAP server is using RFC2307, if I understand your comments above right.

If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to specify membership) then use --schema=RFC2307. You are specifying the remote schema, not the local schema.

rob
Re: [Freeipa-users] Openldap to IPA migration confusion
On 07/20/2012 04:56 PM, Qing Chang wrote:
> Greetings,
>
> Migration from OpenLDAP to IPA creates a pair of subtrees for both users and groups, compat and accounts. Using groups as an example:
>
>     dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>     dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>
> The IPA web GUI does not show the memberUid attribute, although it is migrated correctly. Adding a user to the group in the web GUI reveals that the member is added to both compat and accounts, but differently:
>
>     accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>     compat:   memberUid: qchang
>
> It also reveals that the GUI does not display anything for the compat tree, but I can use LDAP tools to show compat entries.
>
> My questions:
>
> 1, why do we have two trees created? I vaguely remember that it is mentioned that compat is for support of IPA as an NIS proxy?

Compat tree is a different view of the data stored in the main tree. Main tree follows the schema defined by RFC 2307bis for users and groups. Compat displays the same data in RFC 2307 format for clients that do not understand the 2307bis schema (for example Solaris clients). NIS uses the compat tree for its data. The internal SUDO schema is also different from the standard, for the benefit of referential integrity, so the external, standard schema is exposed via the compat tree.

> 2, Can the migration script be modified to convert memberUid to member for the accounts tree? Or can I modify it manually and load the tree with ldapmod without breaking IPA?

It is not clear what you are trying to do. The main tree is already in the right format. Changing the data directly would not work. Please use ipa commands. You can point clients to either the main tree or the compat tree depending upon what schema they expect. You can also switch off the compat tree completely. There is a command to do so, added in 2.2.

> 3, What does Samba use, compat or accounts? I do have a Samba server set up as an IPA client and it works very well, but I don't seem to be able to find a place to specify either compat or accounts for user and group lookup; I assume the IPA client libraries take care of it. In fact there are no entries that are related to LDAP in my smb.conf, there are only a few lines related to IPA/Kerberos:

Samba uses the main tree, but I do not think you configured anything other than authentication. It seems that Samba is using a local back end. You need more info from Samba gurus. You can catch them on irc on freenode.net or they might chime in here.

>     security = user
>     passdb backend = smbpasswd
>     # Kerberos options
>     realm = SRI.UTORONTO.CA
>     kerberos method = dedicated keytab
>     dedicated keytab file = /etc/krb5.keytab
>
> Thanks in advance!
> Qing

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
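Rob's point that --schema names the remote schema, and Dmitri's that cn=compat is a view of the main tree rather than a second copy, are easiest to see with data in hand. The following is an added example, not FreeIPA's migrate-ds code: it reads a constructed RFC 2307 LDIF (a posixGroup carrying memberUid), produces the RFC 2307bis group entry that IPA's main tree holds (member DNs under cn=users,cn=accounts), reports memberUid values that match no source user so they are not turned into DNs of accounts that do not exist, and renders the member DNs back to memberUid the way the compat view presents them. The suffix dc=example,dc=com, the two users, the group, the target containers and all function names are assumptions made for this example.

```python
# Added example (not FreeIPA's migrate-ds code): what --schema=RFC2307 has to do.
import base64

TARGET_USERS = "cn=users,cn=accounts,dc=example,dc=com"    # IPA's user container (assumed suffix)
TARGET_GROUPS = "cn=groups,cn=accounts,dc=example,dc=com"  # IPA's group container (assumed suffix)

# Constructed RFC 2307 source: two users and a posixGroup whose memberUid list
# also names an account that does not exist ("ghost", a dangling member).
SAMPLE_LDIF = """\
dn: uid=qchang,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: qchang
uidNumber: 1001
gidNumber: 1001

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
uidNumber: 1002
gidNumber: 1002

dn: cn=acdp,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: acdp
gidNumber: 2001
description:: QUNEUCBwcm9qZWN0IGdyb3Vw
memberUid: qchang
memberUid: jdoe
memberUid: ghost
"""


def _unfold(text):
    """Join LDIF folded lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr (lowercased): [values]}; handles '#'
    comments, folded lines and base64 ('attr:: ...') values, not change records."""
    entries, entry = [], {}
    for line in _unfold(text):
        if not line.strip():          # a blank line ends the entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def _has_objectclass(entry, name):
    return name.lower() in (oc.lower() for oc in entry.get("objectclass", []))


def rfc2307_to_bis(entries, target_users=TARGET_USERS, target_groups=TARGET_GROUPS):
    """Rewrite posixGroup memberUid values as RFC 2307bis member DNs under target_users.
    Returns (groups, unresolved); unresolved maps a group cn to memberUid values that
    match no posixAccount in the source and are therefore left out of 'member'."""
    uid_to_dn = {e["uid"][0]: f"uid={e['uid'][0]},{target_users}"
                 for e in entries if _has_objectclass(e, "posixAccount") and e.get("uid")}
    groups, unresolved = [], {}
    for e in entries:
        if not _has_objectclass(e, "posixGroup"):
            continue
        cn = e["cn"][0]
        uids = e.get("memberuid", [])
        missing = [u for u in uids if u not in uid_to_dn]
        groups.append({"dn": [f"cn={cn},{target_groups}"],
                       "objectclass": ["top", "groupOfNames", "posixGroup"],  # subset of IPA's classes
                       "cn": [cn], "gidnumber": list(e.get("gidnumber", [])),
                       "member": [uid_to_dn[u] for u in uids if u in uid_to_dn]})
        if missing:
            unresolved[cn] = missing
    return groups, unresolved


def bis_to_compat(group):
    """What the cn=compat view renders back: memberUid from each member DN whose RDN is uid=."""
    uids = []
    for dn in group.get("member", []):
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "uid":
            uids.append(value.strip())
    return uids


if __name__ == "__main__":
    groups, unresolved = rfc2307_to_bis(parse_ldif(SAMPLE_LDIF))
    for g in groups:
        print(g["dn"][0], "member:", g["member"], "compat memberUid:", bis_to_compat(g))
    print("unresolved memberUid values:", unresolved)
```

The unresolved list is the part worth keeping an eye on during a real migration: a memberUid that names a deleted or never-migrated account is silent in an RFC 2307 group but cannot be expressed as a member DN, so whatever the tool does with it (skip, warn, fail) should be checked against the group counts before and after the run.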