[Freeipa-users] Freeipa-users Digest, Vol 97, Issue 97

siology.io siology.io at gmail.com
Wed Aug 24 02:07:38 UTC 2016


>
>
> Date: Tue, 23 Aug 2016 10:20:32 -0400
> From: Rob Crittenden <rcritten at redhat.com>
> To: "siology.io" <siology.io at gmail.com>,        freeipa-users
>         <freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] private user groups for existing users
> Message-ID: <57BC5BB0.7090009 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> siology.io wrote:
> > I've noticed that some of my users (imported from OpenLDAP) don't have
> > personal user groups, but the new ones that I make within FreeIPA do.
> >
> > Is there a way of marking the existing accounts such that they get user
> > groups made for them? I couldn't seem to see the groups that IPA is
> > making in the LDAP output so it must be creating them via some other
> > means.
> >
> > Is there some sort of 'ipa user create-private-group <userA>' command?
> >
> > The only workaround I have is to make hundreds of fake private groups
> > by making normal user groups each with one user, which'll clutter the UI
> > up with pointless groups.
>
> Yeah, there is a ticket open to allow UPG creation in migration but as
> you see, it isn't done yet.
>
> There is no documented way to do it but it should be possible with
> ldapmodify. I forget the exact ordering but I'd probably do the group
> first, then the user. In theory you can convert a group to be managed by
> adding:
>
> objectclass: mepmanagedentry
> mepmanagedby: uid=<user>,cn=users,cn=accounts,$SUFFIX
>
> And removing:
>
> objectclass: groupofnames
> objectclass: nestedgroup
>
> You also need to update the user with:
>
> objectclass: meporiginentry
> mepmanagedentry: cn=<user>,cn=groups,cn=accounts,$SUFFIX
>
> Just don't do this with any groups that have members.
>
> Definitely worth experimenting on a non-production installation.
>
> rob
>


I'm not too hot with ldapmodify at all. So far I've got:
http://pastebin.com/MDE1SN0F but I don't think that's working for me.
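
The attribute changes listed in the quoted reply, written out as an LDIF generator for ldapmodify. This is an added example, not code from the thread or from the FreeIPA project; the user `jdoe`, the suffix `dc=example,dc=test`, the helper names and the conservative uid check are assumptions, and it assumes a group named `cn=<user>` already exists.

```shell
#!/bin/sh
# Added example (not from the thread): LDIF for the manual UPG conversion.

# Accept only conservative uids so the name cannot alter the DN (assumption).
valid_uid() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads one group entry in LDIF form on stdin (e.g. saved ldapsearch output);
# succeeds only if it has no member values, since groups with members are excluded.
group_is_empty() {
    ! grep -qi '^member:'
}

# Prints two modify records: the group first, then the user.
upg_ldif() {
    user=$1 suffix=$2
    valid_uid "$user" || { echo "invalid uid: $user" >&2; return 1; }
    group_dn="cn=$user,cn=groups,cn=accounts,$suffix"
    user_dn="uid=$user,cn=users,cn=accounts,$suffix"
    cat <<EOF
dn: $group_dn
changetype: modify
add: objectclass
objectclass: mepmanagedentry
-
add: mepmanagedby
mepmanagedby: $user_dn
-
delete: objectclass
objectclass: groupofnames
objectclass: nestedgroup

dn: $user_dn
changetype: modify
add: objectclass
objectclass: meporiginentry
-
add: mepmanagedentry
mepmanagedentry: $group_dn
EOF
}

# Constructed sample values, for illustration only.
upg_ldif jdoe "dc=example,dc=test"
```

Check each group with `group_is_empty` before generating its LDIF, and apply the output with ldapmodify on a non-production installation first, as the reply advises.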