[Freeipa-devel] Question how memberof plugin works

Petr Vobornik pvoborni at redhat.com
Fri Oct 31 16:31:03 UTC 2014


On 31.10.2014 16:54, Martin Basti wrote:
> Hello list,
>
> I ran an upgrade (related steps listed in order):
>
> ipa-ldap-updater --upgrade
> - applying update files (including 55-pbacmemberof.update)
> - updating ACI (new permissions created, added to existing privilege)
> ipa-upgradeconfig
> - setting up new service (which uses privilege with new permission)
>
> At the end I was expecting the privilege to be missing the new
> permission (memberOf attribute), but I tested it in the lab, and membership
> was OK.
>
> How does the memberof plugin work?

I know of
http://directory.fedoraproject.org/docs/389ds/design/memberof-plugin.html
If there is another source, I would like to see it as well.

>
> We had a similar issue with a new DNS installation, where memberOf attributes
> were missing if DNS was installed later. But I can't reproduce this
> behavior during upgrade. (The fix was to use 55-pbacmemberof.update as the last
> step of the bind service installation.)

Was fixed by a fixup task call in:

https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=895f350ebf5f002a8ba5aff3d521640b12aa3cde

>
> PS: we had a case where a user had broken DNS privileges and
> 55-pbacmemberof.update helps. But he had multiple errors and it could be
> a cascade effect.
>
-- 
Petr Vobornik