On 23/04/2013 4:42 AM, Jakub Hrozek wrote:
On Mon, Apr 22, 2013 at 09:59:53AM -0400, Qing Chang wrote:
just for the record. This is considered solved.

When migrated from OpenLDAP to IPA, inactive user accounts were left out, but
some of the accounts were still in place as secondary group members of a certain
group (mri as example). Nonexistent "member" in "cn=groups,cn=accounts"
causes the lookup of group name to fail. After the removal of that account, the
lookup succeeds.

In looking at all group membership attributes of the group, it seems that the
removal of a "member" of "cn=groups,cn=accounts" (which is done in the Web GUI)
does not translate into the removal of "memberUid" of "cn=groups,cn=accounts",
as well as "memberUid" of "cn=groups,cn=compat".

I would guess that the rfc2307 memberuid attributes would be removed/not
migrated and rfc2307bis member attributes would be used instead. But frankly,
you might get a more qualified answer on the freeipa-users list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Our OpenLDAP server was using rfc2307; I guess when migrated, both rfc2307 and
rfc2307bis were used for "cn=groups,cn=accounts", as both memberUid and member
were created.
For "cn=groups,cn=compat", only memberUid exists.

When a test account is created and assigned to a group on IPA, for
"cn=groups,cn=accounts", only rfc2307bis is used because only member is added
for the assigned group.
Consistently for "cn=groups,cn=compat", only memberUid is added.

Removing the test account DOES remove the member and memberUid entries for that
account.

I think this is not a bug in IPA or SSSD, it is caused by migrating nonexistent
members of a group that should not happen in the first place. Apologies...

I think I can also assume that it is safe to remove ALL memberUid entries for
"cn=groups,cn=accounts".

Regards,
Qing

It seems that "member" and "memberUid" attributes are not in sync. Is this
a normal behavior? Another curious situation is that sssd seems to be able to
get the name on some IPA clients not others, as mentioned in my first post...

As mentioned in my reply to the post, it shouldn't be that way and we
need the debug logs to analyze the situation.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
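The thread above traces a failing group lookup to a group whose rfc2307bis "member" DNs and rfc2307 "memberUid" values drifted apart after migration (a member DN pointing at an account that was never migrated, and memberUid values left behind after a member was removed). The following is an added example, not code from the thread, IPA or SSSD: it parses a small LDIF dump and reports, per group, memberUid values with no matching member DN, member DNs with no matching memberUid, and member DNs that reference entries absent from the dump. The DN layout (uid=...,cn=users,cn=accounts,dc=example,dc=com) and the sample entries are constructed for this example.

```python
"""Detect member/memberUid drift in IPA-style posixGroup entries.

Added example, not part of the sssd-devel thread. It reads a simple LDIF
fragment (no line folding, no base64 '::' values) and cross-checks the
rfc2307bis 'member' DNs against the rfc2307 'memberUid' values of a group.
The directory layout and the sample data below are constructed.
"""
import re
from collections import defaultdict

# Constructed LDIF dump: alice and bob exist as user entries, "olduser" was
# never migrated but the group still references it; bob was removed as a
# 'member' but his 'memberUid' was left behind (the drift the thread describes).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=mri,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
cn: mri
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=olduser,cn=users,cn=accounts,dc=example,dc=com
memberUid: alice
memberUid: bob
memberUid: olduser
"""

# Matches the leading uid=<value> RDN of a user DN.
UID_RDN = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for a minimal LDIF text.

    Entries are separated by blank lines; each attribute line is 'attr: value'.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def check_group(entries, group_dn):
    """Cross-check one group's member DNs against its memberUid values.

    Returns a dict with three sorted lists:
      stale_memberUid  - memberUid values with no corresponding member DN
      missing_memberUid - member DNs (by uid) with no corresponding memberUid
      dangling_member  - member DNs that do not exist as entries in the dump
    """
    group = entries[group_dn]
    member_uids = set()
    dangling = []
    for dn in group.get("member", []):
        match = UID_RDN.match(dn)
        if match:
            member_uids.add(match.group(1))
        if dn not in entries:
            dangling.append(dn)
    memberuid_values = set(group.get("memberUid", []))
    return {
        "stale_memberUid": sorted(memberuid_values - member_uids),
        "missing_memberUid": sorted(member_uids - memberuid_values),
        "dangling_member": sorted(dangling),
    }


def check_all_groups(entries):
    """Run check_group over every entry that carries a posixGroup objectClass."""
    report = {}
    for dn, attrs in entries.items():
        if "posixGroup" in attrs.get("objectClass", []):
            report[dn] = check_group(entries, dn)
    return report


if __name__ == "__main__":
    for dn, findings in check_all_groups(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        for kind, values in findings.items():
            for value in values:
                print(f"  {kind}: {value}")
```

A real dump can be produced with `ldapsearch -LLL` against the groups container and fed to `parse_ldif` in place of the constructed sample; the parser here deliberately ignores folded lines and base64 values, so a production dump should be normalised first. Each dangling member DN is exactly the condition the thread found behind the failed lookup, and each stale memberUid is a candidate for the cleanup Qing describes.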
