authorNalin Dahyabhai <nalin@dahyabhai.net>2009-04-30 15:36:46 -0400
committerNalin Dahyabhai <nalin@dahyabhai.net>2009-04-30 15:36:46 -0400
commitd93685f7e153183aba70689dcde142b45cf6e93c (patch)
tree153bccc8d7ffbfcc2cab7eb4019a5e1e4d9fe1c0
parent6c625783735e97da7004724f164d9a13e56c6df4 (diff)
- fixup Rob's example, and remember that here documents need escapes escaped
-rwxr-xr-xtests/test20-schema-compat/after.sh8
-rw-r--r--tests/test20-schema-compat/after.txt11
-rwxr-xr-xtests/test20-schema-compat/before.sh8
-rw-r--r--tests/test20-schema-compat/before.txt0
-rwxr-xr-xtests/test20-schema-compat/change.sh19
-rw-r--r--tests/test20-schema-compat/change.txt2
-rw-r--r--tests/test20-schema-compat/description.txt1
-rw-r--r--tests/test20-schema-compat/dse.ldif16
-rw-r--r--tests/test20-schema-compat/userRoot.ldif497
9 files changed, 562 insertions, 0 deletions
diff --git a/tests/test20-schema-compat/after.sh b/tests/test20-schema-compat/after.sh
new file mode 100755
index 0000000..51124aa
--- /dev/null
+++ b/tests/test20-schema-compat/after.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+tmpfile=`mktemp ${TMP:-/tmp}/ldifXXXXXX`
+if test -z "$tmpfile" ; then
+ echo error creating temporary file
+fi
+trap 'rm -f "$tmpfile"' EXIT
+search -b cn=ng,cn=compat,dc=example,dc=com > $tmpfile
+$LDIFSORT $tmpfile
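Review bot: A failed `mktemp` is reported but not acted on: the `if test -z "$tmpfile"` branch only echoes a message to stdout, and the script then carries on to redirect into an empty `$tmpfile`. Stop at that point instead, e.g. `tmpfile=$(mktemp "${TMP:-/tmp}/ldifXXXXXX") || exit 1`, and send the message to stderr so it cannot be mistaken for search output. The expansions `${TMP:-/tmp}` and `$tmpfile` are also unquoted, so a `TMP` value containing spaces or glob characters would split the path; `search -b cn=ng,cn=compat,dc=example,dc=com > "$tmpfile"` and `$LDIFSORT "$tmpfile"` avoid that. before.sh in this commit is the same blob (51124aa) and needs the same change.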
diff --git a/tests/test20-schema-compat/after.txt b/tests/test20-schema-compat/after.txt
new file mode 100644
index 0000000..7708554
--- /dev/null
+++ b/tests/test20-schema-compat/after.txt
@@ -0,0 +1,11 @@
+dn: cn=ng,cn=compat,dc=example,dc=com
+objectClass: extensibleObject
+cn: ng
+
+dn: cn=ng1,cn=ng,cn=compat,dc=example,dc=com
+objectClass: nisNetgroup
+objectClass: top
+nisNetgroupTriple: (external.example.com,tuser1,example.com)
+nisNetgroupTriple: (-,tuser2,example.com)
+cn: ng1
+
diff --git a/tests/test20-schema-compat/before.sh b/tests/test20-schema-compat/before.sh
new file mode 100755
index 0000000..51124aa
--- /dev/null
+++ b/tests/test20-schema-compat/before.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+tmpfile=`mktemp ${TMP:-/tmp}/ldifXXXXXX`
+if test -z "$tmpfile" ; then
+ echo error creating temporary file
+fi
+trap 'rm -f "$tmpfile"' EXIT
+search -b cn=ng,cn=compat,dc=example,dc=com > $tmpfile
+$LDIFSORT $tmpfile
diff --git a/tests/test20-schema-compat/before.txt b/tests/test20-schema-compat/before.txt
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/test20-schema-compat/before.txt
diff --git a/tests/test20-schema-compat/change.sh b/tests/test20-schema-compat/change.sh
new file mode 100755
index 0000000..ebd2624
--- /dev/null
+++ b/tests/test20-schema-compat/change.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+add << EOF
+dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
+changetype: add
+objectClass: top
+objectClass: extensibleObject
+cn: ng
+schema-compat-container-group: cn=compat, dc=example, dc=com
+schema-compat-container-rdn: cn=ng
+schema-compat-check-access: yes
+schema-compat-search-base: cn=ng,cn=alt,dc=example,dc=com
+schema-compat-search-filter: !(cn=ng)
+schema-compat-entry-rdn: cn=%{cn}
+schema-compat-entry-attribute: objectclass=nisNetgroup
+schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
+schema-compat-entry-attribute: memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")
+schema-compat-entry-attribute: nisNetgroupTriple=(%link("%{externalHost}","-",",","%collect(\\"%deref_r(\\\\\\"memberUser\\\\\\",\\\\\\"uid\\\\\\")\\", \\"%deref_r(\\\\\\"memberUser\\\\\\",\\\\\\"member\\\\\\",\\\\\\"uid\\\\\\")\\")","-"),%{nisDomainName:-})
+
+EOF
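Review bot: The unquoted `<< EOF` delimiter is what forces every backslash in the nisNetgroupTriple line to be doubled, because the shell still processes `\\`, `$` and backquotes inside the here-document. Nothing in the body needs expansion, so `add << 'EOF'` would pass the text through literally, and the nested quotes could be written as `\"` and `\\\"`, which is the form the server receives. That keeps the expression readable and stops a later `$` in the LDIF from being expanded by accident. The exit status of `add` is not checked either; whether the harness relies only on the change.txt comparison is not visible from this hunk.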
diff --git a/tests/test20-schema-compat/change.txt b/tests/test20-schema-compat/change.txt
new file mode 100644
index 0000000..cfe2e16
--- /dev/null
+++ b/tests/test20-schema-compat/change.txt
@@ -0,0 +1,2 @@
+adding new entry "cn=ng,cn=Schema Compatibility,cn=plugins,cn=config"
+
diff --git a/tests/test20-schema-compat/description.txt b/tests/test20-schema-compat/description.txt
new file mode 100644
index 0000000..788dd60
--- /dev/null
+++ b/tests/test20-schema-compat/description.txt
@@ -0,0 +1 @@
+Rob's netgroups from bug #498432
diff --git a/tests/test20-schema-compat/dse.ldif b/tests/test20-schema-compat/dse.ldif
new file mode 100644
index 0000000..781c43a
--- /dev/null
+++ b/tests/test20-schema-compat/dse.ldif
@@ -0,0 +1,16 @@
+dn: cn=Membership,cn=plugins,cn=config
+objectClass: top
+objectClass: nsSlapdPlugin
+objectClass: extensibleObject
+cn: Membership
+nsslapd-pluginPath: libmemberof-plugin
+nsslapd-pluginInitfunc: memberof_postop_init
+nsslapd-pluginType: postoperation
+nsslapd-pluginEnabled: on
+nsslapd-pluginId: libmemberof
+nsslapd-pluginVersion: 1.1.3
+nsslapd-pluginVendor: Fedora Project
+nsslapd-pluginDescription: membership plugin
+memberOfAttr: memberOf
+memberOfGroupAttr: member
+
diff --git a/tests/test20-schema-compat/userRoot.ldif b/tests/test20-schema-compat/userRoot.ldif
new file mode 100644
index 0000000..7ed1c5b
--- /dev/null
+++ b/tests/test20-schema-compat/userRoot.ldif
@@ -0,0 +1,497 @@
+# users, accounts, example.com
+dn: cn=users,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: users
+
+# groups, accounts, example.com
+dn: cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# services, accounts, example.com
+dn: cn=services,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: services
+
+# account inactivation, accounts, example.com
+dn: cn=account inactivation,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: account inactivation
+
+# computers, accounts, example.com
+dn: cn=computers,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: computers
+
+# etc, example.com
+dn: cn=etc,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+cn: etc
+
+# sysaccounts, etc, example.com
+dn: cn=sysaccounts,cn=etc,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+cn: sysaccounts
+
+# ipa, etc, example.com
+dn: cn=ipa,cn=etc,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+cn: ipa
+
+# masters, ipa, etc, example.com
+dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+cn: masters
+
+# admin, users, accounts, example.com
+dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: KrbPrincipalAux
+objectClass: inetUser
+uid: admin
+krbPrincipalName: admin@EXAMPLE.COM
+cn: Administrator
+sn: Administrator
+uidNumber: 999
+gidNumber: 1001
+homeDirectory: /home/admin
+loginShell: /bin/bash
+gecos: Administrator
+memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
+krbLastPwdChange: 20090429214740Z
+krbPasswordExpiration: 20090728214740Z
+
+# admins, groups, accounts, example.com
+dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+cn: admins
+description: Account administrators group
+gidNumber: 1001
+member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
+
+# ipausers, groups, accounts, example.com
+dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedGroup
+objectClass: ipaUserGroup
+objectClass: posixGroup
+gidNumber: 1002
+description: Default group for all users
+cn: ipausers
+member: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+member: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+
+# editors, groups, accounts, example.com
+dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: posixGroup
+gidNumber: 1003
+description: Limited admins who can edit other users
+cn: editors
+
+# ipaConfig, etc, example.com
+dn: cn=ipaConfig,cn=etc,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+objectClass: ipaGuiConfig
+ipaUserSearchFields: uid,givenName,sn,telephoneNumber,ou,title
+ipaGroupSearchFields: cn,description
+ipaSearchTimeLimit: 2
+ipaSearchRecordsLimit: 0
+ipaHomesRootDir: /home
+ipaDefaultLoginShell: /bin/sh
+ipaDefaultPrimaryGroup: ipausers
+ipaMaxUsernameLength: 8
+ipaPwdExpAdvNotify: 4
+ipaGroupObjectClasses: top
+ipaGroupObjectClasses: groupofnames
+ipaGroupObjectClasses: nestedGroup
+ipaGroupObjectClasses: ipaUserGroup
+ipaUserObjectClasses: top
+ipaUserObjectClasses: person
+ipaUserObjectClasses: organizationalPerson
+ipaUserObjectClasses: inetOrgPerson
+ipaUserObjectClasses: inetUser
+ipaUserObjectClasses: posixAccount
+ipaUserObjectClasses: krbPrincipalAux
+ipaUserObjectClasses: radiusprofile
+ipaDefaultEmailDomain: example.com
+cn: ipaConfig
+
+# cosTemplates, accounts, example.com
+dn: cn=cosTemplates,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: cosTemplates
+
+# cn\3Dinactivated\2Ccn\3Daccount inactivation\2Ccn\3Daccounts\2Cdc\3Dexample
+ \2Cdc\3Dcom, cosTemplates, accounts, example.com
+dn: cn="cn=inactivated,cn=account inactivation,cn=accounts,dc=example,dc=com",
+ cn=cosTemplates,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: cosTemplate
+objectClass: extensibleobject
+cosPriority: 1
+cn: "cn=inactivated,cn=account inactivation,cn=accounts,dc=example,dc=com"
+
+# inactivated, account inactivation, accounts, example.com
+dn: cn=inactivated,cn=account inactivation,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+cn: inactivated
+
+# cn\3Dactivated\2Ccn\3Daccount inactivation\2Ccn\3Daccounts\2Cdc\3Dexample\2
+ Cdc\3Dcom, cosTemplates, accounts, example.com
+dn: cn="cn=activated,cn=account inactivation,cn=accounts,dc=example,dc=com",cn
+ =cosTemplates,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: cosTemplate
+objectClass: extensibleobject
+cosPriority: 0
+cn: "cn=activated,cn=account inactivation,cn=accounts,dc=example,dc=com"
+
+# Activated, Account Inactivation, accounts, example.com
+dn: cn=Activated,cn=Account Inactivation,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+cn: Activated
+
+# luna.example.com, masters, ipa, etc, example.com
+dn: cn=luna.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
+objectClass: top
+objectClass: extensibleObject
+cn: luna.example.com
+dnabase: 1100
+dnainterval: 4
+
+# kdc, sysaccounts, etc, example.com
+dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
+objectClass: account
+objectClass: top
+uid: kdc
+
+# kerberos, example.com
+dn: cn=kerberos,dc=example,dc=com
+objectClass: krbContainer
+objectClass: top
+cn: kerberos
+
+# EXAMPLE.COM, kerberos, example.com
+dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
+cn: EXAMPLE.COM
+objectClass: top
+objectClass: krbrealmcontainer
+objectClass: krbticketpolicyaux
+krbSubTrees: dc=example,dc=com
+krbSearchScope: 2
+krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: des-hmac-sha1:normal
+krbSupportedEncSaltTypes: des-cbc-md5:normal
+krbSupportedEncSaltTypes: des-cbc-crc:normal
+krbSupportedEncSaltTypes: des-cbc-crc:v4
+krbSupportedEncSaltTypes: des-cbc-crc:afs3
+krbDefaultEncSaltTypes: aes256-cts:normal
+krbDefaultEncSaltTypes: aes128-cts:normal
+krbDefaultEncSaltTypes: des3-hmac-sha1:normal
+krbDefaultEncSaltTypes: arcfour-hmac:normal
+krbDefaultEncSaltTypes: des-hmac-sha1:normal
+krbDefaultEncSaltTypes: des-cbc-md5:normal
+
+# K/M@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=K/M@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=
+ com
+krbMaxTicketLife: 604800
+krbMaxRenewableAge: 1209600
+krbTicketFlags: 192
+krbPrincipalName: K/M@EXAMPLE.COM
+krbPrincipalExpiration: 19700101000000Z
+krbLastPwdChange: 19700101000000Z
+krbExtraData:: AALOyvhJZGJfY3JlYXRpb25AR1JFWU9BSy5DT00A
+krbExtraData:: AAcBAAIAAgAAAK2gyrk=
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+
+# krbtgt/EXAMPLE.COM@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=krbtgt/EXAMPLE.COM@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos
+ ,dc=example,dc=com
+krbMaxTicketLife: 604800
+krbMaxRenewableAge: 1209600
+krbTicketFlags: 0
+krbPrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
+krbPrincipalExpiration: 19700101000000Z
+krbLastPwdChange: 19700101000000Z
+krbExtraData:: AALOyvhJZGJfY3JlYXRpb25AR1JFWU9BSy5DT00A
+krbExtraData:: AAcBAAIAAgAAAK2gyrk=
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+
+# kadmin/admin@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=kadmin/admin@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=ex
+ ample,dc=com
+krbMaxTicketLife: 10800
+krbMaxRenewableAge: 1209600
+krbTicketFlags: 4
+krbPrincipalName: kadmin/admin@EXAMPLE.COM
+krbPrincipalExpiration: 19700101000000Z
+krbLastPwdChange: 19700101000000Z
+krbExtraData:: AALOyvhJZGJfY3JlYXRpb25AR1JFWU9BSy5DT00A
+krbExtraData:: AAcBAAIAAnRLLkNPTQA=
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+
+# kadmin/changepw@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=kadmin/changepw@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc
+ =example,dc=com
+krbMaxTicketLife: 300
+krbMaxRenewableAge: 1209600
+krbTicketFlags: 8324
+krbPrincipalName: kadmin/changepw@EXAMPLE.COM
+krbPrincipalExpiration: 19700101000000Z
+krbLastPwdChange: 20090429214657Z
+krbExtraData:: AALRyvhJYWRtaW4vYWRtaW5AR1JFWU9BSy5DT00A
+krbExtraData:: AAcBAAIAAnRLLkNPTQA=
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+krbPasswordExpiration: 19700101000000Z
+
+# kadmin/history@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=kadmin/history@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=
+ example,dc=com
+krbMaxTicketLife: 604800
+krbMaxRenewableAge: 1209600
+krbTicketFlags: 0
+krbPrincipalName: kadmin/history@EXAMPLE.COM
+krbPrincipalExpiration: 19700101000000Z
+krbLastPwdChange: 19700101000000Z
+krbExtraData:: AALOyvhJZGJfY3JlYXRpb25AR1JFWU9BSy5DT00A
+krbExtraData:: AAcBAAIAAnRLLkNPTQA=
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+
+# kadmin/luna.example.com@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=kadmin/luna.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=ker
+ beros,dc=example,dc=com
+krbMaxTicketLife: 10800
+krbMaxRenewableAge: 1209600
+krbTicketFlags: 4
+krbPrincipalName: kadmin/luna.example.com@EXAMPLE.COM
+krbPrincipalExpiration: 19700101000000Z
+krbLastPwdChange: 19700101000000Z
+krbExtraData:: AALOyvhJZGJfY3JlYXRpb25AR1JFWU9BSy5DT00A
+krbExtraData:: AAcBAAIAAgAcAHAaybk=
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+
+# ldap/luna.example.com@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=ldap/luna.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerbe
+ ros,dc=example,dc=com
+krbTicketFlags: 0
+krbPrincipalName: ldap/luna.example.com@EXAMPLE.COM
+krbLastPwdChange: 20090429214655Z
+krbExtraData:: AALPyvhJYWRtaW4vYWRtaW5AR1JFWU9BSy5DT00A
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+krbPasswordExpiration: 19700101000000Z
+
+# host/luna.example.com@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=host/luna.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerbe
+ ros,dc=example,dc=com
+krbTicketFlags: 0
+krbPrincipalName: host/luna.example.com@EXAMPLE.COM
+krbLastPwdChange: 20090429214656Z
+krbExtraData:: AALQyvhJYWRtaW4vYWRtaW5AR1JFWU9BSy5DT00A
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+krbPasswordExpiration: 19700101000000Z
+
+# HTTP/luna.example.com@EXAMPLE.COM, EXAMPLE.COM, kerberos, example.com
+dn: krbprincipalname=HTTP/luna.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerbe
+ ros,dc=example,dc=com
+krbTicketFlags: 0
+krbPrincipalName: HTTP/luna.example.com@EXAMPLE.COM
+krbLastPwdChange: 20090429214658Z
+krbExtraData:: AALSyvhJYWRtaW4vYWRtaW5AR1JFWU9BSy5DT00A
+objectClass: krbprincipal
+objectClass: krbprincipalaux
+objectClass: krbTicketPolicyAux
+objectClass: top
+krbPasswordExpiration: 19700101000000Z
+
+# profile, example.com
+dn: ou=profile,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: profiles
+ou: profile
+
+# automount, example.com
+dn: cn=automount,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+cn: automount
+
+# alt, example.com
+dn: cn=alt,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+cn: alt
+
+# policies, example.com
+dn: cn=policies,dc=example,dc=com
+objectClass: nsContainer
+objectClass: ipaContainer
+objectClass: top
+cn: policies
+description: Root of the policy related sub tree
+
+# replication, etc, example.com
+dn: cn=replication,cn=etc,dc=example,dc=com
+objectClass: nsDS5Replica
+objectClass: top
+nsDS5ReplicaId: 3
+nsDS5ReplicaRoot: dc=example,dc=com
+cn: replication
+
+# auto.master, automount, example.com
+dn: automountmapname=auto.master,cn=automount,dc=example,dc=com
+objectClass: automountMap
+objectClass: top
+automountMapName: auto.master
+
+# auto.direct, automount, example.com
+dn: automountmapname=auto.direct,cn=automount,dc=example,dc=com
+objectClass: automountMap
+objectClass: top
+automountMapName: auto.direct
+
+# hostgroups, accounts, example.com
+dn: cn=hostgroups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: nsContainer
+cn: hostgroups
+
+# ng, alt, example.com
+dn: cn=ng,cn=alt,dc=example,dc=com
+objectClass: nsContainer
+objectClass: top
+cn: ng
+
+# configs, policies, example.com
+dn: cn=configs,cn=policies,dc=example,dc=com
+objectClass: nsContainer
+objectClass: ipaContainer
+objectClass: top
+cn: configs
+description: Root of the sub tree that holds configuration policies for differ
+ ent applications
+
+# roles, policies, example.com
+dn: cn=roles,cn=policies,dc=example,dc=com
+objectClass: nsContainer
+objectClass: ipaContainer
+objectClass: top
+cn: roles
+description: Root of the sub tree that holds role management data
+
+# b9fc6504-3507-11de-9c63-005056138082, ng, alt, example.com
+dn: ipauniqueid=b9fc6504-3507-11de-9c63-005056138082,cn=ng,cn=alt,dc=example,d
+ c=com
+objectClass: top
+objectClass: ipaAssociation
+objectClass: ipaNISNetgroup
+ipaUniqueID: b9fc6504-3507-11de-9c63-005056138082
+cn: ng1
+nisDomainName: example.com
+description: ng1
+memberUser: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+memberUser: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+memberUser: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+externalHost: external.example.com
+
+# tuser1, users, accounts, example.com
+dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser1
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: inetUser
+objectClass: posixAccount
+objectClass: krbPrincipalAux
+objectClass: radiusprofile
+loginShell: /bin/sh
+gidNumber: 1002
+gecos: tuser1
+sn: User
+homeDirectory: /home/tuser1
+krbPrincipalName: tuser1@EXAMPLE.COM
+givenName: Tim
+cn: Tim User
+uidNumber: 1100
+memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
+
+# tuser2, users, accounts, example.com
+dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
+uid: tuser2
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: inetUser
+objectClass: posixAccount
+objectClass: krbPrincipalAux
+objectClass: radiusprofile
+loginShell: /bin/sh
+gidNumber: 1002
+gecos: tuser2
+sn: User
+homeDirectory: /home/tuser2
+krbPrincipalName: tuser2@EXAMPLE.COM
+givenName: Timmy
+cn: Timmy User
+uidNumber: 1101
+memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
+
+# g1, groups, accounts, example.com
+dn: cn=g1,cn=groups,cn=accounts,dc=example,dc=com
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedGroup
+objectClass: ipaUserGroup
+cn: g1
+description: g1
+
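Review bot: The realm was rewritten to EXAMPLE.COM in the plain-text attributes, but the base64 `krbExtraData::` values were left as dumped and still carry the original names. `AALOyvhJZGJfY3JlYXRpb25AR1JFWU9BSy5DT00A` decodes to a short binary header followed by `db_creation@GREYOAK.COM`, and `AALRyvhJYWRtaW4vYWRtaW5AR1JFWU9BSy5DT00A` under kadmin/changepw decodes to `admin/admin@GREYOAK.COM`. Fixtures exported from a live directory should have encoded attributes decoded and scrubbed too, or dropped where the test does not read them; the netgroup expressions in change.sh do not appear to reference `krbExtraData`. No `krbPrincipalKey` or `userPassword` values are visible in this hunk, so the exposure looks limited to names and timestamps. A leading comment such as `# Sanitised export of an IPA tree; realm and hosts replaced with example.com` would record the provenance.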