> On 17 Oct 2025, at 00:23, vectinx via 389-users
> <[email protected]> wrote:
>
> Apparently, the function `memberof_del_dn_from_groups()` updates the `member`
> attribute:
>
> /* Deletes a member DN from all groups that refer to it. */
> static int
> memberof_del_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config,
> Slapi_DN *sdn)
>
> It uses the `memberofgroupattr` configuration parameter from the MemberOf
> plugin:
>
> memberofgroupattr: member
> memberofgroupattr: memberUser
> memberofgroupattr: memberHost
> memberofgroupattr: ipaOwner
>
> This function is called when deleting entries, including during deferred
> updates:
> https://github.com/389ds/389-ds-base/blob/main/ldap/servers/plugins/memberof/memberof.c#L644
>
> ---
>
> Regarding the updates with CSNs `68edda59000000030000` and
> `68edda59000100030000`:
> At first, I also suspected that they were caused by the referential integrity
> update replication.
> However, after excluding the `member` attribute from referential integrity,
> the duplicate modify operations still appear on both replicas.
>
> Here’s what I did to exclude `member` from the Referential Integrity plugin:
>
> ldapmodify -D "cn=Directory Manager" -W <<EOF
> dn: cn=referential integrity postoperation,cn=plugins,cn=config
> changetype: modify
> delete: referint-membership-attr
> referint-membership-attr: member
> EOF
>
> Then I deleted the test user, and the result was:
>
> dbid: 68f0fb0d000000040000
> operation: delete
> dn: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
>
> dbid: 68f0fb0d000100040000
> operation: delete
> dn: cn=integrity-fix,cn=groups,cn=accounts,dc=test,dc=loc
>
> dbid: 68f0fb0d000300040000
> operation: modify
> dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
> member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
> modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
>
> dbid: 68f0fb0e000000030000
> operation: modify
> dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
> member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
> modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
>
> As you can see, the duplicate `modify` operations on the group are triggered
> by the MemberOf plugin itself,
> even when the Referential Integrity plugin is excluded from handling the
> `member` attribute.
>
Seems like an issue where memberOf is trying to duplicate the behaviour of refint.

refint should be responsible for cleaning up member attributes that are no longer needed - not memberOf.

I'm not sure why this duplicate behaviour was added - tbordaz, what was the reason behind memberof cleaning up member attributes, not just memberOf?

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
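An added example, not part of the thread or of the 389-ds-base code: it parses the last three records of the dump quoted above and reports group modifies that repeat the same `member` removal, together with the replica ID encoded in each CSN. It assumes the usual 20-hex-digit CSN layout (8 digits timestamp, 4 sequence number, 4 replica ID, 4 sub-sequence number); the function names are hypothetical.

```python
# Added example: DUMP holds the last three records of the dump quoted in the thread.
from collections import defaultdict

DUMP = """\
dbid: 68f0fb0d000100040000
operation: delete
dn: cn=integrity-fix,cn=groups,cn=accounts,dc=test,dc=loc

dbid: 68f0fb0d000300040000
operation: modify
dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config

dbid: 68f0fb0e000000030000
operation: modify
dn: cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc
member: uid=integrity-fix,cn=users,cn=accounts,dc=test,dc=loc
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
"""

def parse_csn(csn):
    """Split a 20-hex-digit CSN (assumed layout: 8 time, 4 seq, 4 rid, 4 subseq)."""
    if len(csn) != 20:
        raise ValueError(f"unexpected CSN length: {csn!r}")
    return {"time": int(csn[:8], 16), "seq": int(csn[8:12], 16),
            "rid": int(csn[12:16], 16), "subseq": int(csn[16:], 16)}

def parse_records(text):
    """Parse blank-line-separated 'key: value' records into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        rec["csn"] = parse_csn(rec["dbid"])
        records.append(rec)
    return records

def duplicate_modifies(records):
    """Group modifies by (dn, member value, modifier); keep groups seen more than once."""
    groups = defaultdict(list)
    for rec in records:
        if rec["operation"] == "modify":
            key = (rec["dn"], rec.get("member"), rec.get("modifiersName"))
            groups[key].append(rec["csn"]["rid"])
    return {key: rids for key, rids in groups.items() if len(rids) > 1}

if __name__ == "__main__":
    for (dn, member, who), rids in duplicate_modifies(parse_records(DUMP)).items():
        print(f"{dn}: {member} modified {len(rids)}x by {who}, replica ids {rids}")
```

Under that layout the two MemberOf modifies carry different replica IDs, so each was generated locally on its own replica rather than one being a replayed copy of the other.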
