My goal is to use the compatibility plugin to display IPA hosts in a format that an Active
Directory-centric tool can consume. Essentially, my solution creates two containers under
cn=compat called cn=adComputers and cn=adComputerGroups. An entry is added to adComputers
for every ipaHost, and attributes are populated that match Active Directory LDAP attributes
for a 'computer' object. We do the same for each IPA hostgroup.

I have come pretty close to getting this working, but now I need to get the groups
populated with the group members, but not the IPA hosts... instead I need the members to
be the corresponding cn=adComputers entries that were created.

So I need to manipulate the members attribute. For example, the member attribute of one of
the hostgroups in IPA is:

fqdn=test.lab.local,cn=computers,cn=accounts,dc=lab,dc=local

I need to change it to:

cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local

Below is my .update file. I want to add a line at the end like:

add:schema-compat-entry-attribute: member=%{member}

But I want to rewrite the %{member} value as described above. I know I can do some logic
here, as evidenced by
https://pagure.io/freeipa/blob/master/f/install/updates/80-schema_compat.... where they
use %ifeq and %%%deref_f. But I cannot find any documentation explaining what options are
available. Essentially, I am hoping there is some sort of regex manipulation capability
here?

My .update file so far:
dn: cn=adComputers, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputers
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputers
add:schema-compat-search-base: cn=computers, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(fqdn=*)(objectClass=ipaHost))
add:schema-compat-entry-rdn: cn=%first("%{fqdn}")
add:schema-compat-check-access: yes
add:schema-compat-entry-attribute: objectclass=computer
add:schema-compat-entry-attribute: cn=%{fqdn}
add:schema-compat-entry-attribute: sAMAccountType=805306369
add:schema-compat-entry-attribute: dNSHostName=%{fqdn}
add:schema-compat-entry-attribute: operatingSystem=%{nsHardwarePlatform}
add:schema-compat-entry-attribute: operatingSystemVersion=%{nsOsVersion}
add:schema-compat-entry-attribute: name=%{serverHostName}
add:schema-compat-entry-attribute: sAMAccountName=$$%{serverHostName}
add:schema-compat-entry-attribute: location=%{nsHostLocation}

dn: cn=adComputerGroups, cn=Schema Compatibility, cn=plugins, cn=config
add:objectClass: top
add:objectClass: extensibleObject
add:cn: adComputerGroups
add:schema-compat-container-group: cn=compat, $SUFFIX
add:schema-compat-container-rdn: cn=adComputerGroups
add:schema-compat-search-base: cn=hostgroups, cn=accounts, $SUFFIX
add:schema-compat-search-filter: (&(member=*)(objectClass=ipahostgroup))
add:schema-compat-entry-rdn: cn=%{cn}
add:schema-compat-check-access: yes
add:schema-compat-entry-attribute: objectclass=group
add:schema-compat-entry-attribute: cn=%{cn}
add:schema-compat-entry-attribute: groupType=-2147483646
add:schema-compat-entry-attribute: sAMAccountType=268435456
add:schema-compat-entry-attribute: name=%{cn}
add:schema-compat-entry-attribute: sAMAccountName=$$%{cn}
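
An added example, not part of the original post and not slapi-nis configuration: a small Python check that computes the compat-tree member DN expected for each IPA member value, so the output of the adComputerGroups entries can be compared against it. The host mapping is the one given in the post; the nested-hostgroup rule, the function names and the default suffix are assumptions.

```python
# Added example, not from the original post. Sample DNs below are constructed.
SUFFIX = "dc=lab,dc=local"  # suffix used in the post's example DNs

# (RDN attribute, IPA container) -> compat container. The host rule is the
# post's mapping; the hostgroup rule is an assumption for nested hostgroups.
RULES = {
    ("fqdn", "cn=computers,cn=accounts"): "cn=adcomputers,cn=compat",
    ("cn", "cn=hostgroups,cn=accounts"): "cn=adcomputergroups,cn=compat",
}

def split_dn(dn):
    """Split a DN on unescaped commas, keeping RFC 4514 backslash escapes."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]  # an escaped character never ends an RDN
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    return rdns + [cur.strip()]

def norm(dn):
    """Lower-case a DN and drop optional spaces so DNs compare reliably."""
    parts = (rdn.partition("=") for rdn in split_dn(dn))
    return ",".join(f"{a.strip().lower()}={v.strip().lower()}" for a, _, v in parts)

def to_compat_member(member_dn, suffix=SUFFIX):
    """Return the compat-tree DN for one member value, or None if unmapped."""
    rdns = split_dn(member_dn)
    attr, _, value = rdns[0].partition("=")
    parent = norm(",".join(rdns[1:]))
    for (rdn_attr, container), target in RULES.items():
        if attr.strip().lower() == rdn_attr and parent == norm(f"{container},{suffix}"):
            return f"cn={value.strip()},{target},{suffix}"
    return None

def rewrite_members(members, suffix=SUFFIX):
    """Split member values into (rewritten DNs, values left unmapped)."""
    mapped = [(m, to_compat_member(m, suffix)) for m in members]
    return [n for _, n in mapped if n], [m for m, n in mapped if n is None]
```

Values returned in the second list are members that would have no counterpart under cn=compat and are worth reviewing before exposing the group to the consuming tool.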