Hi Guys,
I try to get the automembership plugin configured and running in the right way, but it still causes some headaches.
I'm running CentOS 6.7 and the following 389 packages:
389-ds-base-1.2.11.15-69.el6_7.x86_64 389-ds-base-libs-1.2.11.15-69.el6_7.x86_64
I followed the guide at
http://directory.fedoraproject.org/docs/389ds/design/automember-design.html
and created a group, where the members should be automatically added:
dn: cn=users,ou=app,ou=groups,dc=example,dc=com description: users group objectClass: top objectClass: groupofnames cn: users
And the corresponding auto membership plugin entry:
dn: cn=users,cn=Auto Membership Plugin,cn=plugins,cn=config cn: users objectclass: top objectclass: autoMemberDefinition autoMemberScope: dc=example,dc=com autoMemberFilter: Team=ops autoMemberDefaultGroup: cn=users,ou=app,ou=groups,dc=example,dc=com autoMemberGroupingAttr: member:dn
After that, I added a user who got the Team attribute (own schema extension) set to 'ops'
dn: uid=foo,ou=people,dc=example,dc=com objectClass: top objectClass: posixAccount objectClass: organizationalPerson objectClass: inetorgPerson objectClass: person objectClass: shadowAccount objectClass: ldapPublicKey objectClass: bopsUser objectClass: inetuser uid: foo uidNumber: 2222 gidNumber: 2222 homeDirectory: /home/foo loginShell: /bin/bash cn: foo bar givenName: foo sn: bar gecos: foo bar mail: foo.bar@example.com Team: ops
A ldapsearch for the groups member attribute shows the user's dn being added automatically:
# users, app, groups, bildops.de dn: cn=users,ou=app,ou=groups,dc=example,dc=com member: uid=foo,ou=people,dc=example,dc=com
When the user entry is removed, the membership also disappears. But whenever I just changed the Team attribute of an existing user, the membership did not change.
I found a page describing a rebuild task implemented in the plugin at:
https://fedorahosted.org/389/ticket/20
It worked for me for any existing users, who got the Team attribute set to 'ops'. The task finds them and puts their dn into the group.
But the opposite way did not work: I changed the Team's value from 'ops' to 'none' and started the task, but the user's dn is still a member of the group.
Is this the expected behavior?
thank you very much,
cheers, Frank
On 03/04/2016 08:59 AM, Frank Munsche wrote:
Hi Guys,
I try to get the automembership plugin configured and running in the right way, but it still causes some headaches.
I'm running CentOS 6.7 and the following 389 packages:
389-ds-base-1.2.11.15-69.el6_7.x86_64 389-ds-base-libs-1.2.11.15-69.el6_7.x86_64
I followed the guide at
http://directory.fedoraproject.org/docs/389ds/design/automember-design.html
and created a group, where the members should be automatically added:
dn: cn=users,ou=app,ou=groups,dc=example,dc=com description: users group objectClass: top objectClass: groupofnames cn: users
And the corresponding auto membership plugin entry:
dn: cn=users,cn=Auto Membership Plugin,cn=plugins,cn=config cn: users objectclass: top objectclass: autoMemberDefinition autoMemberScope: dc=example,dc=com autoMemberFilter: Team=ops autoMemberDefaultGroup: cn=users,ou=app,ou=groups,dc=example,dc=com autoMemberGroupingAttr: member:dn
After that, I added a user who got the Team attribute (own schema extension) set to 'ops'
dn: uid=foo,ou=people,dc=example,dc=com objectClass: top objectClass: posixAccount objectClass: organizationalPerson objectClass: inetorgPerson objectClass: person objectClass: shadowAccount objectClass: ldapPublicKey objectClass: bopsUser objectClass: inetuser uid: foo uidNumber: 2222 gidNumber: 2222 homeDirectory: /home/foo loginShell: /bin/bash cn: foo bar givenName: foo sn: bar gecos: foo bar mail: foo.bar@example.com Team: ops
A ldapsearch for the groups member attribute shows the user's dn being added automatically:
# users, app, groups, bildops.de dn: cn=users,ou=app,ou=groups,dc=example,dc=com member: uid=foo,ou=people,dc=example,dc=com
When the user entry is removed, the membership also disappears. But whenever I just changed the Team attribute of an existing user, the membership did not change.
I found a page describing a rebuild task implemented in the plugin at:
https://fedorahosted.org/389/ticket/20
It worked for me for any existing users, who got the Team attribute set to 'ops'. The task finds them and puts their dn into the group.
But the opposite way did not work: I changed the Team's value from 'ops' to 'none' and started the task, but the user's dn is still a member of the group.
Is this the expected behavior?
Yes. The task does not correct existing memberships, it only looks for entries that need to be added to groups based on the current auto-membership configuration. Currently, it has no way to know old configuration values, or how to clean them up. Basically it can only move forward, not backwards.
Mark
thank you very much,
cheers, Frank
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
Hi Mark,
thanks for the quick reply. -)
cheers, Frank
On Friday, March 04, 2016 11:16:46 AM Mark Reynolds wrote:
On 03/04/2016 08:59 AM, Frank Munsche wrote:
Hi Guys,
I try to get the automembership plugin configured and running in the right way, but it still causes some headaches.
I'm running CentOS 6.7 and the following 389 packages:
389-ds-base-1.2.11.15-69.el6_7.x86_64 389-ds-base-libs-1.2.11.15-69.el6_7.x86_64
I followed the guide at
http://directory.fedoraproject.org/docs/389ds/design/automember-design.htm l
and created a group, where the members should be automatically added:
dn: cn=users,ou=app,ou=groups,dc=example,dc=com description: users group objectClass: top objectClass: groupofnames cn: users
And the corresponding auto membership plugin entry:
dn: cn=users,cn=Auto Membership Plugin,cn=plugins,cn=config cn: users objectclass: top objectclass: autoMemberDefinition autoMemberScope: dc=example,dc=com autoMemberFilter: Team=ops autoMemberDefaultGroup: cn=users,ou=app,ou=groups,dc=example,dc=com autoMemberGroupingAttr: member:dn
After that, I added a user who got the Team attribute (own schema extension) set to 'ops'
dn: uid=foo,ou=people,dc=example,dc=com objectClass: top objectClass: posixAccount objectClass: organizationalPerson objectClass: inetorgPerson objectClass: person objectClass: shadowAccount objectClass: ldapPublicKey objectClass: bopsUser objectClass: inetuser uid: foo uidNumber: 2222 gidNumber: 2222 homeDirectory: /home/foo loginShell: /bin/bash cn: foo bar givenName: foo sn: bar gecos: foo bar mail: foo.bar@example.com Team: ops
A ldapsearch for the groups member attribute shows the user's dn being added automatically:
# users, app, groups, bildops.de dn: cn=users,ou=app,ou=groups,dc=example,dc=com member: uid=foo,ou=people,dc=example,dc=com
When the user entry is removed, the membership also disappears. But whenever I just changed the Team attribute of an existing user, the membership did not change.
I found a page describing a rebuild task implemented in the plugin at:
https://fedorahosted.org/389/ticket/20
It worked for me for any existing users, who got the Team attribute set to 'ops'. The task finds them and puts their dn into the group.
But the opposite way did not work: I changed the Team's value from 'ops' to 'none' and started the task, but the user's dn is still a member of the group.
Is this the expected behavior?
Yes. The task does not correct existing memberships, it only looks for entries that need to be added to groups based on the current auto-membership configuration. Currently, it has no way to know old configuration values, or how to clean them up. Basically it can only move forward, not backwards.
Mark
thank you very much,
cheers, Frank
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.o rg
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
389-users@lists.fedoraproject.org