[Freeipa-devel] [RFE] Support for automember rebuild membership

Martin Kosek mkosek at redhat.com
Wed Sep 18 14:26:59 UTC 2013


On 09/18/2013 01:37 PM, Ana Krivokapic wrote:
> On 09/13/2013 10:48 AM, Martin Kosek wrote:
>> On 09/12/2013 07:59 PM, Ana Krivokapic wrote:
...
>>
>> I would rather add an option --dry-run or --test for all new automember
>> commands which would return what the updated entry would look like. BTW, did the
>> automember export updates task work for you? I tried this LDIF and
>> /tmp/automember.ldif was empty:
>>
>> dn: cn=my export task 1, cn=automember export updates,cn=tasks,cn=config
>> changetype: add
>> objectClass: top
>> objectClass: extensibleObject
>> cn: my export task 1
>> basedn: cn=accounts,dc=example,dc=com
>> filter: (uid=*)
>> scope: sub
>> ldif: /tmp/automember.ldif
>>
>> Adding Mark to CC in case he has any advice for utilizing the export task in
>> FreeIPA.
>>
>> By the way, using this approach I think we would also hit issues with
>> permissions on the resulting LDIF, given it is created by DS and would be read
>> by Apache. SELinux would be complaining as well. To sum it up, I am not sure
>> this will be that easy and straightforward.
> 
> You are right about this. I haven't been able to find a way to make this work.
> Namely, the resulting LDIF is created by the dirsrv user and is not readable by
> the apache user. Any ideas/pointers here would be very much appreciated.

Right. I would try asking 389-ds guys, Mark, Nathan (CCed) or Rich about that.
If we do not find a better way to transfer the resulting LDIF to Apache, we
will need to leave the --dry-run part until we do.

Martin



