On Thu, 15 Jul 2021, Joseph Fry via FreeIPA-users wrote:
> So I provided the solution detailed above to my customer and they are
> putting it through its paces. One thing they noticed was that the
> directory errors log (e.g. /var/log/dirsrv/slapd-LAB-LOCAL/errors) is
> reporting an unknown object class:
>
> [15/Jul/2021:15:09:15.046703678 -0400] - ERR - slapi_entry_schema_check_ext - Entry
> "cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local" has unknown object
> class "computer"
> [15/Jul/2021:15:09:15.096309439 -0400] - ERR - slapi_entry_schema_check_ext - Entry
> "cn=testgroup,cn=adcomputergroups,cn=compat,dc=lab,dc=local" has unknown object
> class "group"
>
> I understand that those object classes aren't in the IPA schema, but I
> thought that the whole point of the compatibility plugin was to make
> things compatible with other schemas without actually modifying the
> schema. Is there a way to resolve this, or at least suppress the
> errors? Everything seems functional otherwise.

389-ds enforces schema compliance regardless of what you want to
represent to LDAP clients. There are two ways to solve this problem:
- introduce proper LDAP object classes to the schema
- use extensibleobject objectclass in the entry
As you'll find, introducing AD schema is almost impossible if you want
to serve IPA schema in the same LDAP instance, so you may want to add
objectclass 'extensibleObject' to your definitions.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
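
Added example, not part of the original thread or of FreeIPA/389-ds: a small Python parser for the errors-log format quoted above that rejoins wrapped records and groups the "unknown object class" errors by compat container, to show which compat definitions still need the extensibleObject object class. The sample log is constructed from the two quoted errors plus one constructed unrelated line, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the two errors quoted above; the last
# line is an unrelated constructed message that must be ignored.
SAMPLE_LOG = '''\
[15/Jul/2021:15:09:15.046703678 -0400] - ERR - slapi_entry_schema_check_ext - Entry "cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local" has unknown object class "computer"
[15/Jul/2021:15:09:15.096309439 -0400] - ERR - slapi_entry_schema_check_ext - Entry
"cn=testgroup,cn=adcomputergroups,cn=compat,dc=lab,dc=local" has unknown object
class "group"
[15/Jul/2021:15:09:16.000000000 -0400] - INFO - constructed_example - unrelated message
'''

RECORD_START = re.compile(r'^\[\d{2}/\w{3}/\d{4}:')
UNKNOWN_OC = re.compile(
    r'slapi_entry_schema_check_ext - Entry "(?P<dn>[^"]+)" '
    r'has unknown object class "(?P<oc>[^"]+)"')

def records(text):
    """Yield one string per log record, rejoining wrapped continuation lines."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield ' '.join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield ' '.join(current)

def unknown_objectclasses(text):
    """Map (parent container DN, object class) -> list of offending entry DNs."""
    found = defaultdict(list)
    for rec in records(text):
        m = UNKNOWN_OC.search(rec)
        if not m:
            continue
        dn = m.group('dn')
        # Naive split on the first comma: enough for the simple RDNs seen here,
        # not a full RFC 4514 parser (escaped commas are not handled).
        container = dn.split(',', 1)[1] if ',' in dn else ''
        found[(container.lower(), m.group('oc'))].append(dn)
    return dict(found)

if __name__ == '__main__':
    for (container, oc), dns in sorted(unknown_objectclasses(SAMPLE_LOG).items()):
        print(f'{container}: objectClass "{oc}" rejected for {len(dns)} entries')
```

Once extensibleObject has been added to the compat definitions, the same script run over new log entries should report nothing for those containers.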