Scott Serr via FreeIPA-users wrote:
> A few months ago, using IPA 4.8.7, I imported users and groups from
> OpenLDAP:
> 
> ipa -v migrate-ds --with-compat \
> --bind-dn="cn=Manager,dc=example,dc=com" \
> --user-container="ou=People,dc=example,dc=com" \
> --user-objectclass="posixAccount" \
> --group-container="ou=Group,dc=example,dc=com" \
> --group-objectclass="posixGroup" \
> --group-overwrite-gid \
> --schema=RFC2307 \
> ldap://openldap-server:389
> 
> Now, I've found a problem...
> 
> In addition to the expected "member" attribute list on the group dn, I
> also have a memberUid attribute list.  These memberUid attributes are
> not created when using IPA to assign users to groups, just during my import.
> 
> An imported user:
> 
>     dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
>     member: uid=fred,cn=users,cn=accounts,dc=example,dc=com
>     memberUid: fred
> 
>     dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
>     memberUid: fred
> 
> So, no harm done yet.  Then I remove fred from the group wahoo.  And I
> end up with this:
> 
>     dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
>     memberUid: fred
> 
>     dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
>     memberUid: fred
> 
> Now, anything pointing to my compat tree, still thinks fred is in the
> wahoo group.
> 
> The solution is removing the memberUids from the
> cn=groups,cn=accounts,dc=example,dc=com tree, and the compat tree
> automatically reflects that change.
> 
> Question:
> Is this a bug or did I do something wrong on the import?

It seems that the memberuid are converted into member but then the
attribute isn't dropped. If you pass in
--group-ignore-attribute=memberuid that will probably do it as the
conversion happens before the attribute is dropped.

rob
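
An audit for the condition described in this thread, as an added example that is not part of either message: it parses `ldapsearch`-style LDIF and reports groups under cn=groups,cn=accounts whose memberUid values have no matching member DN, which the compat tree would keep presenting as members. The sample LDIF is constructed from the entries quoted above; the `staff` group and the users `alice` and `bob` are hypothetical.

```python
import base64
import re

# Constructed sample LDIF modelled on the thread; the "staff" group is hypothetical.
SAMPLE_LDIF = """\
dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
memberUid: fred

dn: cn=staff,cn=groups,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberUid: alice
memberUid:: Ym9i

dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
memberUid: fred
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}), handling folded lines and base64 values."""
    unfolded = re.sub(r"\n ", "", text)            # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry["dn"][0], entry

def stale_memberuids(text, container="cn=groups,cn=accounts,"):
    """Return {group_dn: [memberUid values with no matching member DN]}."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        if container not in dn.lower():
            continue                               # compat tree mirrors accounts; skip it
        member_uids = {m.split(",", 1)[0].partition("=")[2].lower()
                       for m in attrs.get("member", [])
                       if m.lower().startswith("uid=")}
        stale = [u for u in attrs.get("memberuid", []) if u.lower() not in member_uids]
        if stale:
            findings[dn] = stale
    return findings

if __name__ == "__main__":
    for dn, uids in stale_memberuids(SAMPLE_LDIF).items():
        print(f"{dn}: stale memberUid {', '.join(uids)}")
```
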