Well, I managed to figure out the %deref_r directive is what I was looking for and got my
update file working. I am posting it here for anyone who wants to do the same. It's
actually pretty simple... just creates two containers in compat, one contains pseudo
entries for every host, and the other contains pseudo entries for every hostgroup with the
member attribute (pointing to the corresponding pseudo host entries). I'm sure it can
be improved, but it looks like it meets my needs in early testing.
Just save to a file and run "ipa-ldap-updater <filename>" and your dumb
AD-only tool can ingest the devices (or at least mine can, you may need to bring over some
other attributes).
# Delete the adcomputers and adcomputergroups containers. Not really necessary but
# it's useful to start with a clean slate during testing, as updating things can lead
# to some strangeness
dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
deleteentry:
dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
deleteentry:
# Create the adcomputers container and map the objects and attributes from the ipaHosts
# Note: This will bring every host in, though it could be filtered with the search-filter
# below if desired.
dn: cn=adcomputers, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: adcomputers
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=adcomputers
default:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
default:schema-compat-entry-rdn: cn=%first("%{fqdn}")
default:schema-compat-check-access: yes
default:schema-compat-entry-attribute: objectclass=computer
default:schema-compat-entry-attribute: cn=%{fqdn}
default:schema-compat-entry-attribute: sAMAccountType=805306369
default:schema-compat-entry-attribute: dNSHostName=%{fqdn}
default:schema-compat-entry-attribute: operatingSystem=%{nsOsVersion}
default:schema-compat-entry-attribute: name=%{serverHostName}
default:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
default:schema-compat-entry-attribute: location=%{nsHostLocation}
# Create the adcomputergroups container and map the relevant attributes from the
# ipahostgroups
dn: cn=adcomputergroups, cn=Schema Compatibility, cn=plugins, cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: adcomputergroups
default:schema-compat-container-group: cn=compat, $SUFFIX
default:schema-compat-container-rdn: cn=adcomputergroups
default:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
default:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
default:schema-compat-entry-rdn: cn=%{cn}
default:schema-compat-check-access: yes
default:schema-compat-entry-attribute: objectclass=group
default:schema-compat-entry-attribute: objectclass=groupOfNames
default:schema-compat-entry-attribute: cn=%{cn}
default:schema-compat-entry-attribute: distinguishedName=cn=%{cn},cn=adcomputergroups,cn=compat,$SUFFIX
#default:schema-compat-entry-attribute: groupType=-2147483650
#default:schema-compat-entry-attribute: sAMAccountType=268435456
default:schema-compat-entry-attribute: name=%{cn}
default:schema-compat-entry-attribute: member=cn=%deref_r("member","fqdn"),cn=adcomputers,cn=compat,$SUFFIX
#default:schema-compat-entry-attribute: sAMAccountName=%{cn}
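
The following is an added example, not part of the original post and not slapi-nis code: a small Python model of how the `member=cn=%deref_r("member","fqdn"),...` line expands, so you can see which pseudo host DNs a group will expose before pointing a tool at the compat tree. It assumes `%deref_r` follows `member` recursively and yields one value per collected `fqdn`; the suffix, hosts and hostgroups are constructed sample data.

```python
from collections import deque

SUFFIX = "dc=example,dc=test"  # constructed suffix, not from the post
HOSTS = "cn=computers,cn=accounts," + SUFFIX
GROUPS = "cn=hostgroups,cn=accounts," + SUFFIX

def host(fqdn):
    return "fqdn=%s,%s" % (fqdn, HOSTS)

def group(cn):
    return "cn=%s,%s" % (cn, GROUPS)

# Constructed sample tree: DN -> attributes (multi-valued, as in LDAP)
DIRECTORY = {
    host("web1.example.test"): {"fqdn": ["web1.example.test"]},
    host("web2.example.test"): {"fqdn": ["web2.example.test"]},
    host("db1.example.test"): {"fqdn": ["db1.example.test"]},
    group("web"): {"cn": ["web"], "member": [host("web1.example.test"), host("web2.example.test")]},
    # nested hostgroup plus a member DN that no longer resolves
    group("prod"): {"cn": ["prod"], "member": [group("web"), host("db1.example.test"), host("gone.example.test")]},
    group("empty"): {"cn": ["empty"]},
}

def deref_r(dn, link_attr, value_attr):
    """Follow link_attr recursively from dn, collecting value_attr values."""
    seen, queue, values = {dn}, deque([dn]), []
    while queue:
        entry = DIRECTORY.get(queue.popleft())
        if entry is None:          # dangling reference: nothing to collect
            continue
        values.extend(entry.get(value_attr, []))
        for nxt in entry.get(link_attr, []):
            if nxt not in seen:    # guards against membership loops
                seen.add(nxt)
                queue.append(nxt)
    return sorted(set(values))

def compat_group(cn):
    """Render the pseudo entry the adcomputergroups map would expose."""
    src = DIRECTORY[group(cn)]
    if "member" not in src:        # search filter requires (member=*)
        return None
    members = ["cn=%s,cn=adcomputers,cn=compat,%s" % (f, SUFFIX)
               for f in deref_r(group(cn), "member", "fqdn")]
    return {"dn": "cn=%s,cn=adcomputergroups,cn=compat,%s" % (cn, SUFFIX),
            "member": members}

if __name__ == "__main__":
    for name in ("web", "prod", "empty"):
        print(name, compat_group(name))
```

Hosts reached only through a nested hostgroup still appear as direct `member` values of the outer pseudo group, which matters if the consuming tool grants access by group membership.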