[Freeipa-users] cache invalidation dilema on the clients

2021-06-25 Thread iulian roman via FreeIPA-users
Hello, I tried for some time to understand how the cache invalidation works on the clients, and I have to admit that I am even more confused that when I started, therefore I would like to ask if there is someone who can either explain or point me to the relevant documentation. I'll describe b

[Freeipa-users] compat branch not browseable

2021-06-25 Thread Joseph Fry via FreeIPA-users
I am just curious why the cn=compat,dc=mydomain,dc=org container cannot be reached when I bind to dc=mydomain,dc=org, but I can see it if I bind directly to it. Is there any way to expose it? ___ FreeIPA-users mailing list -- freeipa-users@lists.fedora

[Freeipa-users] Re: compat branch not browseable

2021-06-25 Thread Rob Crittenden via FreeIPA-users
Joseph Fry via FreeIPA-users wrote: > I am just curious why the cn=compat,dc=mydomain,dc=org container cannot be > reached when I bind to dc=mydomain,dc=org, but I can see it if I bind > directly to it. Is there any way to expose it? Can't see it with what? It's a virtual tree, more of a backe

[Freeipa-users] Re: compat branch not browseable

2021-06-25 Thread Joseph Fry via FreeIPA-users
> Joseph Fry via FreeIPA-users wrote: > > Can't see it with what? > > It's a virtual tree, more of a backend than a subtree. > > rob I think I am getting closer. If I bind using the admin account... I can see the compat container when I bind to the root. However when I use the bind account I

[Freeipa-users] Re: compat branch not browseable

2021-06-25 Thread Rob Crittenden via FreeIPA-users
Joseph Fry via FreeIPA-users wrote: >> Joseph Fry via FreeIPA-users wrote: >> >> Can't see it with what? >> >> It's a virtual tree, more of a backend than a subtree. >> >> rob > I think I am getting closer. If I bind using the admin account... I can see > the compat container when I bind to the r

[Freeipa-users] Re: compat branch not browseable

2021-06-25 Thread Joseph Fry via FreeIPA-users
> Joseph Fry via FreeIPA-users wrote: > > What problem are you trying to solve? > > rob I am working on creating my own .update file for the compatibility plugin that will populate the compat container with two new containers holding devices and device groups with the objects within in a forma

[Freeipa-users] Compatibility Plugin .update file for Active Directory

2021-06-25 Thread Joseph Fry via FreeIPA-users
My goal is to use the compatibility plugin to display IPA hosts in a format that an Active Directory centric tool can consume. Essentially my solution creates two containers under cn=compat called cn=adComputers and cn=adComputerGroups. An entry is added to adComputers for every ipaHost, and

[Freeipa-users] Re: Compatibility Plugin .update file for Active Directory

2021-06-25 Thread Joseph Fry via FreeIPA-users
Sorry for replying to myself... I think I found the reference I needed. Seen this page 100 times, and I guess I didn't read far enough down. https://www.freeipa.org/page/FreeIPAv2:Schema_Compatibility_Plug-in_Design#deref.28THISATTRIBUTE.2CTHATATTRIBUTE.29 ___

[Freeipa-users] Re: Compatibility Plugin .update file for Active Directory

2021-06-25 Thread Joseph Fry via FreeIPA-users
Replying to myself again... sorry. While that reference is helpful, its incomplete. https://pagure.io/freeipa/raw/master/f/install/updates/80-schema_compat.update shows several directives that are not described. %deref_f %deref_rf %link %collect Is there better documentation of this template

[Freeipa-users] Re: Compatibility Plugin .update file for Active Directory

2021-06-25 Thread Joseph Fry via FreeIPA-users
Well, I managed to figure out the %deref_r directive is what I was looking for and got my update file working. I am posting it here for anyone who wants to do the same. Its actually pretty simple... just creates two containers in compat, one contains pseudo entries for every host, and the othe