<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Times New Roman, Times, serif">Hello,<br>
<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">User life
cycle "assigns" a status to user entries depending where they
are in the DIT.<br>
'Active' user will be under 'cn=accounts,SUFFIX' while 'Stage'
and 'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.<br>
<br>
Only 'Active' users have valid membership attributes: A Stage/Delete
user does not belong to any 'Active' group.<br>
membership is managed by DS plugins, and particularly RI and
memberof.<br>
To automatically update membership attributes RI and memberof
implement a scoping, that update/add/remove membership
attributes if the group/user are Active.<br>
<br>
The scoping is a single valued attribute. <br>
<br>
It create failures in IPA tests if I restrict RI/memberof to
'cn=accounts,SUFFIX'. For example adding a host (under
'cn=accounts,SUFFIX) adds it to a network group that is under
'cn=alt,SUFFIX'. <br>
A solution would be that the attribute that scopes the plugin is
multivalued. But then it would require a long list of values:<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">cn=pbac,SUFFIX</font><br>
<font face="Times New Roman, Times, serif">cn=hbac,SUFFX</font><br>
<font face="Times New Roman, Times, serif">cn=alt,SUFFIX</font><br>
<font face="Times New Roman, Times, serif">cn=accounts, SUFFIX</font><br>
...<br>
</blockquote>
<font face="Times New Roman, Times, serif"><br>
An other solution would be to exclude some parts of the DIT,
here limited to 'cn=provisionning,SUFFIX'. (prefered solution).<br>
<br>
<br>
This is a similar issue with IPA UUID plugin that generates
ipaUniqueID for entries under 'cn=accounts' but also 'cn=alt' or
'cn=hbac'.<br>
<br>
regards<br>
thierry<br>
<br>
</font></blockquote>
</body>
</html>