author: Alexander Bokovoy <abokovoy@redhat.com> 2016-02-22 12:40:03 +0200
committer: Tomas Babej <tbabej@redhat.com> 2016-03-01 12:40:25 +0100
commit: 1353847e49a1cde078bb9b432cc43959b7a3ce46 (patch)
tree: fe176efafb6b3a94c9ae2935b1c832e075d62b0b
parent: b41fbceeafea126f8e014da5d3596138c6cf0feb (diff)
slapi-nis: update configuration to allow external members of IPA groups

Currently in an environment with trust to AD the compat tree does not show AD users as members of IPA groups. The reason is that IPA groups are read directly from the IPA DS tree and external groups are not handled.

slapi-nis project has added support for it in 0.55, make sure we update configuration for the group map if it exists and depend on 0.55 version.

https://fedorahosted.org/freeipa/ticket/4403

Reviewed-By: Tomas Babej <tbabej@redhat.com>

-rw-r--r-- freeipa.spec.in 2
-rw-r--r-- install/updates/50-externalmembers.update 3
-rw-r--r-- install/updates/Makefile.am 1
3 files changed, 5 insertions, 1 deletions

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 40162a971..4cbc65819 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -153,7 +153,7 @@ Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.54.2-1
+Requires: slapi-nis >= 0.55-1
Requires: pki-ca >= 10.2.6-13
Requires: pki-kra >= 10.2.6-13
Requires(preun): python systemd-units
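Review bot: the bumped Requires: slapi-nis >= 0.55-1 line carries no comment saying why 0.55 is the floor. The commit message ties it to external-member support in the compat tree, which the new 50-externalmembers.update relies on, so a one-line spec comment above the Requires naming that dependency and the ticket would keep a later packaging cleanup from relaxing it.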
diff --git a/install/updates/50-externalmembers.update b/install/updates/50-externalmembers.update
new file mode 100644
index 000000000..6b9c5dd23
--- /dev/null
+++ b/install/updates/50-externalmembers.update
@@ -0,0 +1,3 @@
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
+addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
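Review bot: both added lines use addifexist, so when cn=groups,cn=Schema Compatibility,cn=plugins,cn=config is absent at the time this update runs, nothing is written, and none of the three files in this commit adds the ipaexternalmember or objectclass=ipaexternalgroup values to whatever creates that entry later. Please confirm that the path which creates the group map carries the same two values, or note in the commit message where that is handled. Separately, the second line is a literal objectclass=ipaexternalgroup, so it lands on every entry the group map generates whether or not the group has external members; it is worth confirming that consumers of the compat tree accept that. A short comment at the top of the new file pointing to the ticket would also help the next reader.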
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index b04ab48a0..3edc21473 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -45,6 +45,7 @@ app_DATA = \
50-krbenctypes.update \
50-nis.update \
50-ipaconfig.update \
+ 50-externalmembers.update \
55-pbacmemberof.update \
59-trusts-sysacount.update \
60-trusts.update \