On Mon, Apr 22, 2013 at 09:59:53AM -0400, Qing Chang wrote:
> Just for the record. This is considered solved.
>
> When migrated from OpenLDAP to IPA, inactive user accounts were left out, but
> some of the accounts were still in place as secondary group members of a
> certain group (mri as example). Nonexistent "member" in
> "cn=groups,cn=accounts" causes the lookup of group name to fail. After the
> removal of that account, the lookup succeeds.
>
> In looking at all group membership attributes of the group, it seems that the
> removal of a "member" of "cn=groups,cn=accounts" (which is done in the Web
> GUI) does not translate into the removal of "memberUid" of
> "cn=groups,cn=accounts", as well as "memberUid" of "cn=groups,cn=compat".

I would guess that the rfc2307 memberuid attributes would be removed/not
migrated and rfc2307bis member attributes would be used instead. But frankly,
you might get a more qualified answer on the freeipa-users list:
https://www.redhat.com/mailman/listinfo/freeipa-users

> It seems that "member" and "memberUid" attributes are not in sync. Is this
> a normal behavior? Another curious situation is that sssd seems to be able to
> get the name on some IPA clients not others, as mentioned in my first post...

As mentioned in my reply to the post, it shouldn't be that way and we need the
debug logs to analyze the situation.
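
An offline check for the condition discussed in this thread, added here as an example and not code from the posters or from SSSD/FreeIPA: it reads an LDIF export and reports "member" DNs that have no entry and "memberUid" values that no longer match a live "member". The suffix dc=example,dc=com, the users alice, bob and carol, and the cn=users,cn=accounts location are assumptions; DNs are compared as lowercased strings.

```python
# Added example: offline consistency check for group membership attributes.
# The LDIF below is constructed sample data; dc=example,dc=com, alice, bob and
# carol are placeholders, and users are assumed to live under
# cn=users,cn=accounts.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: cn=mri,cn=groups,cn=accounts,dc=example,dc=com
cn: mri
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
memberUid: alice
memberUid: bob
memberUid: carol
"""


def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs.pop("dn")[0].lower()] = attrs
    return entries


def audit_group(entries, group_dn):
    """Report members with no entry and member/memberUid mismatches."""
    group = entries[group_dn.lower()]
    members = [dn.lower() for dn in group.get("member", [])]
    dangling = [dn for dn in members if dn not in entries]
    # Resolve each member DN that still has an entry to its uid values.
    live_uids = {uid for dn in members if dn in entries
                 for uid in entries[dn].get("uid", [])}
    member_uids = set(group.get("memberuid", []))
    return {
        "dangling_member": dangling,
        "memberuid_without_member": sorted(member_uids - live_uids),
        "member_without_memberuid": sorted(live_uids - member_uids),
    }
```

Running audit_group over an export of both the user and group containers lists the leftover references to remove before retesting the group name lookup.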