And after a bit more hacking around, I seem to have hit on the answer. For one thing, the way I wrote it wouldn't work because the dn_container would have been wrong anyway (previously it worked because users are in the same container as other users, but in this case it would fail since the object's container is that of a host). Some of the values here are hard coded now, which is probably not good practice, but as this is my plugin for my environment I'm going to give myself a break on it.
I still need to write an error handler for the case where a user account is deleted and a host "owned" by that user still exists, so that one doesn't have to go to LDAP to deal with the entry, but compared to the number of iterations this took, that should be easy :D

For those interested:
http://www.astro.princeton.edu/~huston/astrocustom/astrocustom.1546.py.html

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University  | ICBM Address: 40.346344 -74.652242
345 Lewis Library     |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
(267) 793-0852        | headlong into mystery." -Rush, 'Cygnus X-1'