On 04/24/2013 10:50 AM, Qing Chang wrote:
>
> On 23/04/2013 4:42 AM, Jakub Hrozek wrote:
>> On Mon, Apr 22, 2013 at 09:59:53AM -0400, Qing Chang wrote:
>>> Just for the record, this is considered solved.
>>>
>>> When migrated from OpenLDAP to IPA, inactive user accounts were left
>>> out, but some of the accounts were still in place as secondary group
>>> members of a certain group (mri as example). A nonexistent "member" in
>>> "cn=groups,cn=accounts" causes the lookup of the group name to fail.
>>> After the removal of that account, the lookup succeeds.
>>>
>>> In looking at all group membership attributes of the group, it seems
>>> that the removal of a "member" of "cn=groups,cn=accounts" (which is
>>> done in the Web GUI) does not translate into the removal of "memberUid"
>>> of "cn=groups,cn=accounts", as well as "memberUid" of
>>> "cn=groups,cn=compat".
>>>
>> I would guess that the rfc2307 memberUid attributes would be removed/not
>> migrated and rfc2307bis member attributes would be used instead. But
>> frankly, you might get a more qualified answer on the freeipa-users list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Our OpenLDAP server was using rfc2307. I guess when migrated, both
> rfc2307 and rfc2307bis were used for "cn=groups,cn=accounts", as both
> memberUid and member were created.
> For "cn=groups,cn=compat", only memberUid exists.
>
> When a test account is created and assigned to a group on IPA, for
> "cn=groups,cn=accounts" only rfc2307bis is used, because only member is
> added for the assigned group.
> Consistently, for "cn=groups,cn=compat" only memberUid is added.
>
> Removing the test account DOES remove the member and memberUid entries
> for that account.
>
> I think this is not a bug in IPA or SSSD; it is caused by migrating
> nonexistent members of a group, which should not happen in the first
> place. Apologies...
>
> I think I can also assume that it is safe to remove ALL memberUid
> entries for "cn=groups,cn=accounts".

Yes.

> Regards,
> Qing
>
>>> It seems that "member" and "memberUid" attributes are not in sync.
>>> Is this a normal behavior? Another curious situation is that sssd
>>> seems to be able to get the name on some IPA clients but not others,
>>> as mentioned in my first post...
>>>
>> As mentioned in my reply to the post, it shouldn't be that way and we
>> need the debug logs to analyze the situation.
>> _______________________________________________
>> sssd-devel mailing list
>> sssd-devel@lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
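The failure described in this thread (a "member" DN in cn=groups,cn=accounts that points at a user entry which was never migrated, plus memberUid values that no longer match the member list) can be caught offline before any client lookup breaks. The following is an added example, not code from the thread or from FreeIPA/SSSD: it parses a minimal LDIF export and reports, per group, dangling member DNs and the memberUid/member mismatches Qing describes. The sample entries and the base DN dc=example,dc=com are constructed for illustration.

```python
# Constructed sample (assumed base DN dc=example,dc=com): carol's user entry was
# never migrated, so group "mri" still carries a dangling "member" DN for her.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: cn=mri,cn=groups,cn=accounts,dc=example,dc=com
cn: mri
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com
memberUid: alice
memberUid: bob
"""

def parse_ldif(text):
    """Parse minimal LDIF (no line wrapping, no base64) into (dn, {attr: [values]}) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(key, []).append(value.strip())
        entries.append((dn, attrs))
    return entries

def check_groups(ldif_text):
    """Per group: dangling member DNs, memberUid values with no live member DN,
    and live member DNs that have no memberUid counterpart."""
    entries = parse_ldif(ldif_text)
    users = {dn.lower() for dn, a in entries if "uid" in a}  # existing user entries
    report = {}
    for dn, attrs in entries:
        if ",cn=groups,cn=accounts," not in dn.lower():
            continue
        members = attrs.get("member", [])
        dangling = [m for m in members if m.lower() not in users]
        # uid=<name>,... -> <name>, only for member DNs that resolve to a user
        live_uids = {m.split(",", 1)[0].split("=", 1)[1] for m in members
                     if m.lower() in users}
        uids = set(attrs.get("memberUid", []))
        report[attrs["cn"][0]] = {"dangling": sorted(dangling),
                                  "uid_only": sorted(uids - live_uids),
                                  "member_only": sorted(live_uids - uids)}
    return report
```

Run `check_groups()` over an `ldapsearch -LLL` export of cn=accounts; any group with a non-empty "dangling" list is one whose name lookup the thread reports failing on SSSD clients until the stale member is removed.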