[Freeipa-devel] Question how memberof plugin works

Martin Basti mbasti at redhat.com
Mon Nov 3 09:58:48 UTC 2014


On 31/10/14 18:05, Ludwig Krispenz wrote:
>
> On 10/31/2014 05:31 PM, Petr Vobornik wrote:
>> On 31.10.2014 16:54, Martin Basti wrote:
>>> Hello list,
>>>
>>> I ran upgrade (related steps listed in order):
>>>
>>> ipa-ldap-updater --upgrade
>>> - applying update files (including 55-pbacmemberof.update)
>>> - updating ACI (new permissions created, added to existing privilege)
>>> ipa-upgradeconfig
>>> - setting up new service (which uses privilege with new permission)
>>>
>>> At the end I was expecting the privilege would be missing the new
>>> permission (memberOf attribute), but I tested it in the lab and membership
>>> was OK.
>>>
>>> How does the memberof plugin work?
>>
>> I know of 
>> http://directory.fedoraproject.org/docs/389ds/design/memberof-plugin.html 
>> If there is other source, I would like to see it as well.
> I don't know of another doc, but the mechanism of memberof is quite simple:
>
> In the plugin config you define one or more groupattr and a 
> memberofattr, eg
> memberofgroupattr: member
> memberofgroupattr: uniqueMember
> memberofattr: memberOf
>
> then for any occurrence of the groupattr a value for the memberofattr in the referenced entry will be created, eg:
>
> dn: cn=group,dc=example
> member: cn=user,dc=example
>
> will trigger the addition of the memberofattr to the referenced entry cn=user
>
> dn: cn=user,dc=example
> objectclass: inetUser
> memberOf: cn=group,dc=example
>
> This happens for any add/delete of a memberofgroupattr or when the 
> memberof fixup task is run.
>
> You have to make sure that the entry on which you expect the memberof has 
> an objectclass allowing the memberof attribute.
>
>>
>>>
>>> We had a similar issue with a new DNS installation, where memberOf 
>>> attributes
>>> were missing if DNS was installed later. But I can't reproduce this
>>> behavior during upgrade. (Fix was to use 55-pbacmemberof.update as the last
>>> step of bind service installation)
>>
>> Was fixed by a fixup task call in:
>>
>> https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=895f350ebf5f002a8ba5aff3d521640b12aa3cde 
>>
>>
>>>
>>> PS: we had a case where a user had broken DNS privileges and
>>> 55-pbacmemberof.update helped. But he had multiple errors and it 
>>> could be
>>> a cascade effect.
>>>
>
Thank you for the explanation, Ludwig.

-- 
Martin Basti
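The mechanism Ludwig describes above (group attribute values mirrored into memberOf on the referenced entry, only on add/delete of a memberofgroupattr value or when the fixup task runs, and only if the target's objectclasses allow memberOf) is easy to lose track of during an upgrade that reorders schema and membership changes. The following is an added toy model written for this thread, not 389-ds plugin code or anything from FreeIPA: the directory is a dict of DN to attributes, the schema table is an assumed minimal stand-in for the real objectclass definitions, nested groups are ignored, and the scenario DNs are constructed to match the example in the quoted mail.

```python
"""Toy model of the memberOf plugin behaviour described in the thread.

Constructed example, not the 389-ds plugin: `MemberOfPlugin` mirrors the
configured memberofgroupattr values into the configured memberofattr on the
referenced entry, and `fixup` rebuilds everything the way the fixup task does.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, Set[str]]
Directory = Dict[str, Entry]

# Assumed toy schema: which objectclass permits which attribute.
SCHEMA_ALLOWS: Dict[str, Set[str]] = {
    "top": set(),
    "inetUser": {"memberOf"},
    "groupOfNames": {"member"},
    "groupOfUniqueNames": {"uniqueMember"},
}


def entry_allows(entry: Entry, attr: str) -> bool:
    """True if any objectclass on the entry permits `attr` (toy schema check)."""
    return any(attr in SCHEMA_ALLOWS.get(oc, set()) for oc in entry.get("objectclass", set()))


class MemberOfPlugin:
    """Mirrors configured group attributes into memberOf on referenced entries."""

    def __init__(self, group_attrs: List[str], memberof_attr: str = "memberOf") -> None:
        self.group_attrs = list(group_attrs)        # memberofgroupattr values
        self.memberof_attr = memberof_attr          # memberofattr value
        self.skipped: List[Tuple[str, str]] = []    # (dn, reason) for entries left untouched

    def _still_referenced(self, group: Entry, member_dn: str) -> bool:
        return any(member_dn in group.get(attr, set()) for attr in self.group_attrs)

    def _sync(self, directory: Directory, group_dn: str, member_dn: str) -> None:
        """Post-operation hook: make memberOf on member_dn reflect group_dn's attrs."""
        target = directory.get(member_dn)
        if target is None:
            self.skipped.append((member_dn, "referenced entry does not exist"))
            return
        if not entry_allows(target, self.memberof_attr):
            # the caveat from the thread: no suitable objectclass, nothing is written
            self.skipped.append((member_dn, "objectclass does not allow memberOf"))
            return
        values = target.setdefault(self.memberof_attr, set())
        if self._still_referenced(directory[group_dn], member_dn):
            values.add(group_dn)
        else:
            values.discard(group_dn)

    def modify_group(self, directory: Directory, group_dn: str, attr: str,
                     member_dn: str, add: bool) -> None:
        """Apply an LDAP add/delete of one group-attribute value, then run the hook."""
        group = directory[group_dn]
        if add:
            group.setdefault(attr, set()).add(member_dn)
        else:
            group.get(attr, set()).discard(member_dn)
        if attr in self.group_attrs:
            self._sync(directory, group_dn, member_dn)

    def fixup(self, directory: Directory) -> None:
        """memberof fixup task: drop all memberOf values and rebuild from the group attrs."""
        for entry in directory.values():
            entry.pop(self.memberof_attr, None)
        self.skipped.clear()
        for group_dn, group in directory.items():
            for attr in self.group_attrs:
                for member_dn in list(group.get(attr, set())):
                    self._sync(directory, group_dn, member_dn)


def scenario() -> Dict[str, object]:
    """Constructed walk-through: the thread's example plus the objectclass caveat."""
    directory: Directory = {
        "cn=group,dc=example": {"objectclass": {"top", "groupOfNames"}},
        "cn=user,dc=example": {"objectclass": {"top", "inetUser"}},
        "cn=svc,dc=example": {"objectclass": {"top"}},   # no class allowing memberOf
    }
    plugin = MemberOfPlugin(["member", "uniqueMember"])
    group, user, svc = "cn=group,dc=example", "cn=user,dc=example", "cn=svc,dc=example"

    # member: cn=user,dc=example added to the group -> memberOf appears on the user
    plugin.modify_group(directory, group, "member", user, add=True)
    user_after_add = set(directory[user].get("memberOf", set()))

    # same operation against an entry whose objectclasses do not allow memberOf
    plugin.modify_group(directory, group, "member", svc, add=True)
    svc_after_add = set(directory[svc].get("memberOf", set()))
    skipped = list(plugin.skipped)

    # adding the objectclass later does not retroactively write memberOf ...
    directory[svc]["objectclass"].add("inetUser")
    svc_before_fixup = set(directory[svc].get("memberOf", set()))
    # ... until the fixup task walks the group attributes again
    plugin.fixup(directory)
    svc_after_fixup = set(directory[svc].get("memberOf", set()))

    # deleting the member value removes memberOf again
    plugin.modify_group(directory, group, "member", user, add=False)
    user_after_delete = set(directory[user].get("memberOf", set()))

    return {
        "user_after_add": user_after_add,
        "svc_after_add": svc_after_add,
        "skipped": skipped,
        "svc_before_fixup": svc_before_fixup,
        "svc_after_fixup": svc_after_fixup,
        "user_after_delete": user_after_delete,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The svc entry is the interesting case: the plugin hook fires at modification time, so a group value written while the target cannot hold memberOf is simply skipped, and fixing the objectclass afterwards leaves membership silently incomplete until the fixup task recomputes it. That is the same ordering hazard as running a privilege update before the service entry exists, and why a fixup call after the installation step is the robust repair.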
