On Wed, Apr 24, 2013 at 10:50:34AM -0400, Qing Chang wrote:
> 
> On 23/04/2013 4:42 AM, Jakub Hrozek wrote:
> >On Mon, Apr 22, 2013 at 09:59:53AM -0400, Qing Chang wrote:
> >>just for the record. This is considered solved.
> >>
> >>When migrated from OpenLDAP to IPA, inactive user accounts were left out, but
> >>some of the accounts were still in place as secondary group members of a
> >>certain group (mri as example). Nonexistent "member" in "cn=groups,cn=accounts"
> >>causes the lookup of group name to fail. After the removal of that account,
> >>the lookup succeeds.
> >>
> >>In looking at all group membership attributes of the group, it seems that the
> >>removal of a "member" of "cn=groups,cn=accounts" (which is done in the Web GUI)
> >>does not translate into the removal of "memberUid" of "cn=groups,cn=accounts",
> >>as well as "memberUid" of "cn=groups,cn=compat".
> >>
> >I would guess that the rfc2307 memberuid attributes would be removed/not
> >migrated and rfc2307bis member attributes would be used instead. But frankly,
> >you might get a more qualified answer on the freeipa-users list:
> >https://www.redhat.com/mailman/listinfo/freeipa-users
> Our OpenLDAP server was using rfc2307; I guess when migrated, both rfc2307
> and rfc2307bis were used for "cn=groups,cn=accounts", as both memberUid and
> member were created. For "cn=groups,cn=compat", only memberUid exists.
> 
> When a test account is created and assigned to a group on IPA, for
> "cn=groups,cn=accounts", only rfc2307bis is used because only member is added
> for the assigned group. Consistently for "cn=groups,cn=compat", only memberUid
> is added.
> 
> Removing the test account DOES remove the member and memberUid entries for
> that account.
> 
> I think this is not a bug in IPA or SSSD; it is caused by migrating
> nonexistent members of a group, which should not happen in the first place.
> Apologies...

No problem, we're glad you got your setup working!
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
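The failure mode discussed in this thread (a group in cn=groups,cn=accounts still referencing a user DN that was never migrated, and memberUid values lingering after the corresponding member was removed) can be caught with a consistency audit over an export of the users and groups. The following is an added example, not code from the thread or from the SSSD/FreeIPA projects; the suffix dc=example,dc=com, the user names and the group contents are constructed sample data standing in for what an LDAP search or LDIF dump would return.

```python
from collections import defaultdict

BASE = "dc=example,dc=com"  # assumed directory suffix (constructed)


def user_dn(uid):
    """Build the IPA-style user DN for a uid under cn=users,cn=accounts."""
    return f"uid={uid},cn=users,cn=accounts,{BASE}"


# Constructed sample: 'olduser' was not migrated, but the group still references it.
USERS = {"alice": user_dn("alice"), "bob": user_dn("bob")}
GROUPS = [
    {"dn": f"cn=mri,cn=groups,cn=accounts,{BASE}",
     "member": [user_dn("alice"), user_dn("olduser")],
     "memberUid": ["alice", "olduser"]},
    {"dn": f"cn=mri,cn=groups,cn=compat,{BASE}",
     "memberUid": ["alice", "olduser"]},
    # member for bob's co-worker was removed in the GUI but memberUid stayed behind
    {"dn": f"cn=lab,cn=groups,cn=accounts,{BASE}",
     "member": [user_dn("bob")],
     "memberUid": ["bob", "alice"]},
]


def uid_from_dn(dn):
    """Extract the uid value from the RDN of a user DN."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def audit_groups(users, groups):
    """Return {group_dn: [findings]} for dangling references and member/memberUid drift."""
    known_dns, known_uids = set(users.values()), set(users)
    findings = defaultdict(list)
    for g in groups:
        members, uids = g.get("member", []), g.get("memberUid", [])
        for dn in members:
            if dn not in known_dns:  # rfc2307bis reference to a user that does not exist
                findings[g["dn"]].append(f"dangling member: {dn}")
        for uid in uids:
            if uid not in known_uids:  # rfc2307 reference to a user that does not exist
                findings[g["dn"]].append(f"dangling memberUid: {uid}")
        if members:  # in the accounts tree, member is authoritative; memberUid should match it
            for uid in sorted(set(uids) - {uid_from_dn(dn) for dn in members}):
                findings[g["dn"]].append(f"memberUid without matching member: {uid}")
    return dict(findings)


if __name__ == "__main__":
    for group_dn, problems in audit_groups(USERS, GROUPS).items():
        print(group_dn, *problems, sep="\n  ")
```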
