[Freeipa-devel] memberOf weirdness

Pete Rowley prowley at redhat.com
Tue Oct 30 18:41:01 UTC 2007


Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:58 -0400, Rob Crittenden wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Tue, 2007-10-30 at 11:38 -0400, Rob Crittenden wrote:
>>>       
>>>> In my experimentation with new indices I found a strange issue with 
>>>> memberOf.
>>>>
>>>> If I install IPA, get a ticket for admin and do:
>>>>
>>>> ldapsearch -Y GSSAPI -b "dc=freeipa,dc=org" 
>>>> "memberof=cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org" cn
>>>>
>>>> I get 0 results back.
>>>>
>>>> If I use ipa-adduser and then add that user to the admins group and then 
>>>> issue the search again, I get 1 result back, the user I just added.
>>>>
>>>> The user admin has the following OC's:
>>>>
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: posixAccount
>>>> objectClass: KrbPrincipalAux
>>>>
>>>> My test user has:
>>>>
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: inetOrgPerson
>>>> objectClass: inetUser
>>>> objectClass: posixAccount
>>>> objectClass: krbPrincipalAux
>>>>
>>>> Could this have something to do with it?
>>>>         
>>> No the problem is not with indices.
>>> The problem is that we activate the memberOf plugin "after" the admin
>>> account has been created.
>>>
>>> I asked back then Pete to show us how to activate the FDS task to make
>>> the memberOf plugin check the directory, but that must have been
>>> forgotten, I'll open a ticket and assign to Pete.
>>>
>>>       
>> No, the index is added first. The last thing that happens in 
>> dsinstance.py is a call to __add_default_layout() which loads 
>> bootstrap-template.ldif.
>>     
>
> Ah I see that changed after the last time I looked at that.
> Do you have the memberOf attribute on the admin entry?
>
> Uhmm now that I look at it I wonder if we should use 'account' instead
> of 'person' for admin ...
>
> Pete,
> why do we use groupOfUniqueNames and uniqueMember instead of
> groupOfNames/member in the memberOf plugin? (and therefore in our
> entries ?)
>
>   
Because RFC2307bis recommends that as a MAY.
> It seems that groupOfUniqueNames is a particularly hated objectClass
> generally, because uniqueMember syntax is not distinguishedName.
>
>   
There are some very vocal haters of that objectclass.
> I'd prefer to use groupOfNames/member unless there is a problem doing
> that, can you comment please?
>
>   
Fine with me.

-- 
Pete
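The inconsistency Rob describes above (a group lists a member, but that member's entry carries no matching memberOf because the plugin was enabled after the entry was created) can be checked offline by comparing forward membership with the back-links. The script below is an added example written for this archive page, not code from the thread or from FreeIPA; it parses a constructed LDIF sample (assumed DNs under dc=freeipa,dc=org, modelled on the thread but not taken from a real server) and reports entries whose memberOf disagrees with what the group entries imply. It accepts both uniqueMember (groupOfUniqueNames) and member (groupOfNames), the two attribute choices debated above, so it works regardless of which one the plugin is configured for. The thread's actual remedy is to have the directory server's memberOf task rebuild the attribute; this script only reports, it does not modify anything.

```python
"""Report entries whose memberOf disagrees with group membership in LDIF.

Added example for the Freeipa-devel thread on memberOf; not FreeIPA code.
The LDIF below is constructed: an admin entry without memberOf (created
before the plugin was enabled) and a user added afterwards that has it.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=admin,cn=users,cn=accounts,dc=freeipa,dc=org
uniqueMember: uid=testuser,cn=users,cn=accounts,dc=freeipa,dc=org

dn: cn=editors,cn=groups,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: groupOfNames
cn: editors
member: uid=testuser,cn=users,cn=accounts,dc=freeipa,dc=org

dn: uid=admin,cn=users,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: person
objectClass: posixAccount
cn: admin

dn: uid=testuser,cn=users,cn=accounts,dc=freeipa,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: posixAccount
cn: testuser
memberOf: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
memberOf: cn=editors,cn=groups,cn=accounts,dc=freeipa,dc=org
"""

# Forward membership attributes to honour (lower-cased; LDAP attribute
# types are case-insensitive). Both spellings from the thread are accepted.
MEMBER_ATTRS = ("uniquemember", "member")


def norm_dn(dn):
    """Naive DN normalisation: trim whitespace around RDNs and lower-case.
    Good enough for this sample; escaped commas are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines) into
    {normalised_dn: {attr_lower: [values]}}; the original DN is kept
    under the 'dn' key."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(norm_dn(value), defaultdict(list))
            current["dn"] = [value]
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        current[name].append(value)
    return entries


def expected_memberof(entries):
    """Derive the memberOf each entry should carry from the forward
    membership attributes on group entries (direct membership only)."""
    expected = defaultdict(set)
    for dn, attrs in entries.items():
        for attr in MEMBER_ATTRS:
            for member_dn in attrs.get(attr, []):
                expected[norm_dn(member_dn)].add(dn)
    return expected


def find_inconsistencies(entries):
    """Return {original_dn: (missing_groups, stale_groups)} for entries
    whose actual memberOf disagrees with the forward membership."""
    expected = expected_memberof(entries)
    problems = {}
    for dn, attrs in entries.items():
        actual = {norm_dn(v) for v in attrs.get("memberof", [])}
        wanted = expected.get(dn, set())
        missing = sorted(wanted - actual)   # group lists entry, back-link absent
        stale = sorted(actual - wanted)     # back-link present, group does not list entry
        if missing or stale:
            problems[attrs["dn"][0]] = (missing, stale)
    return problems


if __name__ == "__main__":
    for dn, (missing, stale) in find_inconsistencies(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        for g in missing:
            print("  missing memberOf:", g)
        for g in stale:
            print("  stale memberOf:  ", g)
```

Run against the sample it reports only the admin entry, missing its memberOf for cn=admins, which is exactly the symptom of the zero-result ldapsearch in the thread; the later-added test user is consistent. On a real server you would feed it an LDIF export of the accounts subtree and then let the plugin's rebuild task, not manual edits, repair whatever it flags.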
