A few months ago, using IPA 4.8.7, I imported users and groups from OpenLDAP:
ipa -v migrate-ds --with-compat \
    --bind-dn="cn=Manager,dc=example,dc=com" \
    --user-container="ou=People,dc=example,dc=com" \
    --user-objectclass="posixAccount" \
    --group-container="ou=Group,dc=example,dc=com" \
    --group-objectclass="posixGroup" \
    --group-overwrite-gid \
    --schema=RFC2307 \
    ldap://openldap-server:389
Now, I've found a problem...
In addition to the expected "member" attribute list on the group dn, I also have a memberUid attribute list. These memberUid attributes are not created when using IPA to assign users to groups, just during my import.
An imported user:
dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
member: uid=fred,cn=users,cn=accounts,dc=example,dc=com
memberUid: fred

dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
memberUid: fred
So, no harm done yet. Then I remove fred from the group wahoo. And I end up with this:
dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
memberUid: fred

dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
memberUid: fred
Now anything pointing to my compat tree still thinks fred is in the wahoo group.
The solution is removing the memberUids from the cn=groups,cn=accounts,dc=example,dc=com tree, and the compat tree automatically reflects that change.
Question: Is this a bug or did I do something wrong on the import?
Thanks, Scott
PS- If someone else runs into this, I hope I saved you time.
Scott Serr via FreeIPA-users wrote:
> A few months ago, using IPA 4.8.7, I imported users and groups from OpenLDAP:
>
> ipa -v migrate-ds --with-compat \
>     --bind-dn="cn=Manager,dc=example,dc=com" \
>     --user-container="ou=People,dc=example,dc=com" \
>     --user-objectclass="posixAccount" \
>     --group-container="ou=Group,dc=example,dc=com" \
>     --group-objectclass="posixGroup" \
>     --group-overwrite-gid \
>     --schema=RFC2307 \
>     ldap://openldap-server:389
>
> Now, I've found a problem...
> In addition to the expected "member" attribute list on the group dn, I also have a memberUid attribute list. These memberUid attributes are not created when using IPA to assign users to groups, just during my import.
>
> An imported user:
>
> dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
> member: uid=fred,cn=users,cn=accounts,dc=example,dc=com
> memberUid: fred
>
> dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
> memberUid: fred
>
> So, no harm done yet. Then I remove fred from the group wahoo. And I end up with this:
>
> dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
> memberUid: fred
>
> dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
> memberUid: fred
>
> Now anything pointing to my compat tree still thinks fred is in the wahoo group.
> The solution is removing the memberUids from the cn=groups,cn=accounts,dc=example,dc=com tree, and the compat tree automatically reflects that change.
>
> Question: Is this a bug or did I do something wrong on the import?
It seems that the memberuid values are converted into member but then the attribute isn't dropped. If you pass in --group-ignore-attribute=memberuid, that will probably do it, as the conversion happens before the attribute is dropped.
rob
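The leftover memberUid values matter because the compat tree is what NFS, sudo or legacy NSS clients read, so a user removed from a group in the accounts tree keeps their membership there until the stray attribute goes. Below is an added example (not FreeIPA code, not from either poster) that audits an LDIF dump of the accounts groups tree for memberUid values with no backing member DN and emits the modify LDIF that Scott applied, deleting memberUid from the accounts-tree groups so slapi-nis regenerates the compat entries from member alone. The ldapsearch command in the docstring, the GROUPS_BASE suffix and the SAMPLE_LDIF entries are assumptions and constructed data; on a real server you would feed the script the search output instead.

```python
"""Audit and clean memberUid left behind by `ipa migrate-ds` in the accounts groups tree.

Added example for this thread; not FreeIPA's own tooling. Assumed input is an
LDIF dump such as (assumed command):
  ldapsearch -LLL -x -D "cn=Directory Manager" -W \
      -b "cn=groups,cn=accounts,dc=example,dc=com" "(memberUid=*)" member memberUid
"""
import re
from typing import Dict, List

# Assumption: same suffix as the thread; adjust for your realm.
GROUPS_BASE = "cn=groups,cn=accounts,dc=example,dc=com"

# Constructed sample: what the tree can look like after the migration and after
# fred was removed from wahoo through IPA (member gone, memberUid still there).
SAMPLE_LDIF = """\
dn: cn=wahoo,cn=groups,cn=accounts,dc=example,dc=com
memberUid: fred

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberUid: alice

dn: cn=wahoo,cn=groups,cn=compat,dc=example,dc=com
memberUid: fred
"""

_UID_RDN = re.compile(r"^uid=([^,]+)", re.IGNORECASE)


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lowercased
    (LDAP attribute names are case-insensitive), values kept as lists."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:          # sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def uid_from_dn(dn: str):
    """Return the uid of a user DN like uid=fred,cn=users,..., or None for
    non-user DNs (nested group members start with cn=)."""
    m = _UID_RDN.match(dn.strip())
    return m.group(1) if m else None


def _in_base(dn: str, base: str) -> bool:
    return dn.lower().endswith("," + base.lower())


def stale_member_uids(entries, base: str = GROUPS_BASE) -> Dict[str, List[str]]:
    """memberUid values on accounts-tree groups that no member DN backs.
    Caveat: members inherited through nested groups are not resolved here,
    so a uid reached only via a nested group shows up as stale."""
    stale: Dict[str, List[str]] = {}
    for e in entries:
        dn = e["dn"][0]
        if not _in_base(dn, base):
            continue                           # skip the compat tree
        backed = {u for u in map(uid_from_dn, e.get("member", [])) if u}
        orphans = [u for u in e.get("memberuid", []) if u not in backed]
        if orphans:
            stale[dn] = orphans
    return stale


def cleanup_ldif(entries, base: str = GROUPS_BASE) -> str:
    """Modify-LDIF that strips memberUid from every accounts-tree group that
    carries it (the remedy Scott describes); compat entries are left alone
    because slapi-nis rebuilds them from member."""
    chunks = []
    for e in entries:
        dn = e["dn"][0]
        if "memberuid" in e and _in_base(dn, base):
            chunks.append(f"dn: {dn}\nchangetype: modify\ndelete: memberUid\n-\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for group, uids in stale_member_uids(ents).items():
        print(f"STALE {group}: {', '.join(uids)}")
    print(cleanup_ldif(ents))
```

Run it against `ldapsearch` output redirected to a file, review the STALE report, then apply the printed LDIF with `ldapmodify`; for future migrations Rob's `--group-ignore-attribute=memberuid` avoids creating the attribute in the first place.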
freeipa-users@lists.fedorahosted.org