[Freeipa-devel] memberOf weirdness

Simo Sorce ssorce at redhat.com
Tue Oct 30 16:18:01 UTC 2007


On Tue, 2007-10-30 at 11:58 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-30 at 11:38 -0400, Rob Crittenden wrote:
> >> In my experimentation with new indices I found a strange issue with 
> >> memberOf.
> >>
> >> If I install IPA, get a ticket for admin and do:
> >>
> >> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
> >> "memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
> >>
> >> I get 0 results back.
> >>
> >> If I use ipa-adduser and then add that user to the admins group and then 
> >> issue the search again, I get 1 result back, the user I just added.
> >>
> >> The user admin has the following OC's:
> >>
> >> objectClass: top
> >> objectClass: person
> >> objectClass: posixAccount
> >> objectClass: KrbPrincipalAux
> >>
> >> My test user has:
> >>
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalPerson
> >> objectClass: inetOrgPerson
> >> objectClass: inetUser
> >> objectClass: posixAccount
> >> objectClass: krbPrincipalAux
> >>
> >> Could this have something to do with it?
> > 
> > No the problem is not with indices.
> > The problem is that we activate the memberOf plugin "after" the admin
> > account has been created.
> > 
> > I asked back then Pete to show us how to activate the FDS task to make
> > the memberOf plugin check the directory, but that must have been
> > forgotten, I'll open a ticket and assign to Pete.
> > 
> 
> No, the index is added first. The last thing that happens in 
> dsinstance.py is a call to __add_default_layout() which loads 
> bootstrap-template.ldif.

Ah I see that changed after the last time I looked at that.
Do you have the memberOf attribute on the admin entry?

Uhmm now that I look at it I wonder if we should use 'account' instead
of 'person' for admin ...

Pete,
why do we use groupOfUniqueNames and uniqueMember instead of
groupOfNames/member in the memberOf plugin? (and therefore in our
entries ?)

It seems that groupOfUniqueNames is a particularly hated objectClass
generally, because uniqueMember syntax is not distinguishedName.

I'd prefer to use groupOfNames/member unless there is a problem doing
that, can you comment please?

Simo.

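The thread's symptom (an entry that is listed in a group's uniqueMember but comes back empty for a memberof= search, because it was created before the memberOf plugin was enabled) can be reproduced and audited offline. The script below is an added example and is not FreeIPA or FDS code: it parses a small constructed LDIF snapshot, computes what memberOf should contain from the member/uniqueMember attributes (both spellings, since the thread debates groupOfNames versus groupOfUniqueNames, and transitively through nested groups), reports entries whose stored memberOf disagrees, and then rewrites memberOf the way a fixup task would. Assumptions: the LDIF parser handles only plain "attr: value" lines (no base64, folding or changetype records), DN matching is by lowercase and whitespace trimming only, and the fixup is an approximation of the real plugin task, not its implementation.

```python
from collections import defaultdict

# Constructed sample directory (not a real FreeIPA dump). The admin entry has
# no memberOf even though cn=admins lists it; tuser and the admins group were
# written after the plugin was active and carry correct values.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: KrbPrincipalAux
uid: admin

dn: uid=tuser,cn=users,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: tuser
memberOf: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
memberOf: cn=superusers,cn=groups,cn=accounts,dc=freeipa,dc=org

dn: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=admin,cn=users,cn=accounts,dc=freeipa,dc=org
uniqueMember: uid=tuser,cn=users,cn=accounts,dc=freeipa,dc=org
memberOf: cn=superusers,cn=groups,cn=accounts,dc=freeipa,dc=org

dn: cn=superusers,cn=groups,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: groupOfNames
cn: superusers
member: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
"""

# Both membership attributes the thread mentions: groupOfNames/member and
# groupOfUniqueNames/uniqueMember. Attribute names are compared lowercased.
MEMBER_ATTRS = ("member", "uniquemember")


def norm_dn(dn):
    """Simplified DN normalisation (assumption): lowercase, trim around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated records of 'attr: value' lines.
    Returns {normalized_dn: {"dn": original_dn, "attrs": {attr: [values]}}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn: %r" % block)
        entries[norm_dn(dn)] = {"dn": dn, "attrs": attrs}
    return entries


def direct_groups(entries):
    """Map each listed member DN to the set of groups whose member/uniqueMember names it."""
    groups = defaultdict(set)
    for gdn, ent in entries.items():
        for attr in MEMBER_ATTRS:
            for m in ent["attrs"].get(attr, []):
                groups[norm_dn(m)].add(gdn)
    return groups


def expected_memberof(entries):
    """Transitive closure over nested groups: member of g1 and g1 in g2 -> both."""
    direct, result = direct_groups(entries), {}
    for dn in entries:
        seen, stack = set(), list(direct.get(dn, ()))
        while stack:  # explicit visited set guards against group cycles
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(direct.get(g, ()))
        result[dn] = seen
    return result


def audit_memberof(entries):
    """{dn: (missing_groups, stale_groups)} for entries whose stored memberOf
    disagrees with the membership attributes actually present in the directory."""
    problems = {}
    for dn, expected in expected_memberof(entries).items():
        actual = {norm_dn(v) for v in entries[dn]["attrs"].get("memberof", [])}
        missing, stale = expected - actual, actual - expected
        if missing or stale:
            problems[entries[dn]["dn"]] = (sorted(missing), sorted(stale))
    return problems


def fixup_memberof(entries):
    """Approximation of the plugin fixup task: regenerate memberOf from group entries."""
    for dn, expected in expected_memberof(entries).items():
        attrs = entries[dn]["attrs"]
        attrs["memberof"] = [entries[g]["dn"] for g in sorted(expected)]
        if not attrs["memberof"]:
            del attrs["memberof"]
    return entries


def search_memberof(entries, group_dn):
    """Offline equivalent of the thread's ldapsearch filter (memberof=<group_dn>)."""
    target = norm_dn(group_dn)
    return sorted(ent["dn"] for ent in entries.values()
                  if target in {norm_dn(v) for v in ent["attrs"].get("memberof", [])})


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn, (missing, stale) in audit_memberof(directory).items():
        print("%s: missing=%s stale=%s" % (dn, missing, stale))
    fixup_memberof(directory)
    print("after fixup:", search_memberof(directory, "cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org"))
```

Run against a real server, the same audit can be done by exporting the relevant subtree with ldapsearch and feeding the LDIF to parse_ldif; an entry that appears under "missing" is exactly the case Simo describes, and the remedy is the plugin's own fixup task rather than editing memberOf by hand, since the plugin treats that attribute as its own.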
