A few months ago, using IPA 4.8.7, I imported users and groups from
OpenLDAP:
ipa -v migrate-ds --with-compat \
    --bind-dn="cn=Manager,dc=example,dc=com" \
    --user-container="ou=People,dc=example,dc=com" \
    --user-objectclass="posixAccount" \
    --group-container="ou=Group,dc=example,dc=com" \
    --group-objectclass="posixGroup" \
    --group-overwrite-gid \
    --schema=RFC2307 \
    ldap://openldap-server:389
Now, I've found a problem...
In addition to the expected "member" attribute list on the group dn, I
also have a memberUid attribute list. These memberUid attributes are
not created when using IPA to assign users to groups, just during my import.
An imported user:
dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
member: uid=fred,cn=users,cn=accounts,dc=example,dc=com
memberUid: fred

dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
memberUid: fred
So, no harm done yet. Then I remove fred from the group wahoo. And I
end up with this:
dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
memberUid: fred

dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
memberUid: fred
Now, anything pointing to my compat tree still thinks fred is in the
wahoo group.
The solution is removing the memberUids from the
cn=groups,cn=accounts,dc=example,dc=com tree, and the compat tree
automatically reflects that change.
Question:
Is this a bug or did I do something wrong on the import?
Thanks,
Scott
PS- If someone else runs into this, I hope I saved you time.
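The audit step the post describes, finding memberUid values in the cn=groups,cn=accounts tree that no longer have a matching member DN and preparing the deletions, as an added example that is not part of Scott's post or of FreeIPA itself. It works offline on a constructed LDIF dump of the kind `ldapsearch -LLL` would return for the groups subtree; the user DN pattern `uid=<name>,cn=users,cn=accounts,...` is taken from the entries shown above, and the sample data, group names and second user are made up for the example.

```python
import re

# Constructed sample dump of the accounts-side groups tree (not real data).
# The "wahoo" group mirrors the post: fred was removed (no member DN) but a
# memberUid left over from the migration still names him.
SAMPLE_LDIF = """\
dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
memberUid: fred
memberUid: wilma
member: uid=wilma,cn=users,cn=accounts,dc=example,dc=com

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
memberUid: admin
"""

# A member DN that refers to a user (not a nested group) in the IPA users tree.
USER_DN = re.compile(r"^uid=([^,]+),cn=users,cn=accounts,", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr_lower: [values]}).

    Handles the subset ldapsearch emits for these entries: one attribute per
    line, folded continuation lines (leading space), comments and blank-line
    separated entries. Base64 (::) values are not decoded.
    """
    entries = []
    dn, attrs, lines = None, {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def stale_member_uids(entries):
    """Map group DN -> memberUid values that have no backing member DN.

    These are the values the compat tree keeps publishing as membership even
    though IPA no longer considers the user a member.
    """
    stale = {}
    for dn, attrs in entries:
        backed = set()
        for member_dn in attrs.get("member", []):
            m = USER_DN.match(member_dn)
            if m:
                backed.add(m.group(1).lower())
        orphans = [u for u in attrs.get("memberuid", []) if u.lower() not in backed]
        if orphans:
            stale[dn] = orphans
    return stale


def ldif_delete_changes(stale):
    """Render a changetype: modify LDIF removing only the stale values."""
    out = []
    for dn, uids in stale.items():
        out += [f"dn: {dn}", "changetype: modify", "delete: memberUid"]
        out += [f"memberUid: {u}" for u in uids]
        out += ["-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    # Review the output before feeding it to ldapmodify against the accounts tree.
    print(ldif_delete_changes(stale_member_uids(parse_ldif(SAMPLE_LDIF))))
```

The script only deletes the specific orphaned values, so memberUid entries that still correspond to a member DN (wilma, admin in the sample) are left alone; the compat tree picks up the change on its own, as the post notes.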
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org