On Wed, Apr 24, 2013 at 10:50:34AM -0400, Qing Chang wrote:
On 23/04/2013 4:42 AM, Jakub Hrozek wrote:
>On Mon, Apr 22, 2013 at 09:59:53AM -0400, Qing Chang wrote:
>>just for the record. This is considered solved.
>>
>>When migrated from OpenLDAP to IPA, inactive user accounts were left out, but
>>some of the accounts were still in place as secondary group members of a certain
>>group (mri as example). A nonexistent "member" in "cn=groups,cn=accounts"
>>causes the lookup of the group name to fail. After the removal of that account, the
>>lookup succeeds.
>>
>>In looking at all group membership attributes of the group, it seems that the
>>removal of a "member" of "cn=groups,cn=accounts" (which is done in the Web GUI)
>>does not translate into the removal of "memberUid" of "cn=groups,cn=accounts",
>>as well as "memberUid" of "cn=groups,cn=compat".
>>
>I would guess that the rfc2307 memberuid attributes would be removed/not
>migrated and rfc2307bis member attributes would be used instead. But frankly,
>you might get a more qualified answer on the freeipa-users list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
Our OpenLDAP server was using rfc2307. I guess that when migrated, both rfc2307 and
rfc2307bis were used for "cn=groups,cn=accounts", as both memberUid and member were
created.
For "cn=groups,cn=compat", only memberUid exists.
When a test account is created and assigned to a group on IPA, for "cn=groups,cn=accounts",
only rfc2307bis is used because only member is added for the assigned group.
Consistently for "cn=groups,cn=compat", only memberUid is added.
Removing the test account DOES remove the member and memberUid entries for that account.
I think this is not a bug in IPA or SSSD; it is caused by migrating nonexistent members
of a group, which should not happen in the first place. Apologies...
No problem, we're glad you got your setup working!
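The failure mode discussed in this thread (a group in cn=groups,cn=accounts still carrying a "member" DN for a user that was never migrated, plus rfc2307 memberUid values that no longer line up with the rfc2307bis member DNs) is easy to catch before it breaks lookups. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from SSSD. It parses a constructed LDIF dump with a minimal parser (no external LDAP library needed) and reports dangling member DNs, dangling memberUid names, and members present in only one of the two attribute styles. The sample entries, the domain dc=example,dc=com and the group and user names are all made up; in practice you would feed it the output of an ldapsearch over cn=accounts.

```python
"""Dangling-member check for FreeIPA-style LDAP groups (added example).

Reads an LDIF dump of cn=users,cn=accounts and cn=groups,cn=accounts and
reports, per group:
  * rfc2307bis "member" DNs whose target entry does not exist,
  * rfc2307 "memberUid" names that match no user's uid,
  * members present in only one of the two attributes (migrated groups
    carry both; groups created directly in IPA carry only "member").
"""
import re

# Constructed sample data modelled on the thread: user "bob" was not migrated
# but is still referenced by group "mri"; "carol" only appears in memberUid.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: carol
uidNumber: 1002

dn: cn=mri,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: mri
gidNumber: 2001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
memberUid: alice
memberUid: bob
memberUid: carol

dn: cn=dev,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
cn: dev
gidNumber: 2002
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn_lowercase: {attr_lowercase: [values]}}.

    Handles folded continuation lines (leading space) and comments; base64
    ("::") and URL (":<") values are out of scope for this example.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:   # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value.lower()               # DNs compare case-insensitively
            else:
                attrs.setdefault(attr, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def _has_class(attrs, name):
    return name.lower() in (c.lower() for c in attrs.get("objectclass", []))


def uid_from_dn(dn):
    """Extract the uid RDN value from a user DN, or None if it has none."""
    m = re.match(r"uid=([^,]+)", dn, re.I)
    return m.group(1) if m else None


def check_groups(entries):
    """Return sorted (group_cn, problem, value) tuples for every group."""
    user_dns = {dn for dn, a in entries.items() if _has_class(a, "posixAccount")}
    known_uids = {entries[dn]["uid"][0] for dn in user_dns if "uid" in entries[dn]}
    findings = []
    for dn, attrs in entries.items():
        if not (_has_class(attrs, "posixGroup") or _has_class(attrs, "groupOfNames")):
            continue
        cn = attrs.get("cn", [dn])[0]
        members = attrs.get("member", [])
        member_uids = attrs.get("memberuid", [])
        for m in members:
            if m.lower() not in user_dns:
                findings.append((cn, "dangling member", m))
        for u in member_uids:
            if u not in known_uids:
                findings.append((cn, "dangling memberUid", u))
        # Cross-check the two styles only when both are present, which is what
        # a migrated group looks like; an IPA-created group has only "member".
        if members and member_uids:
            uids_from_member = {uid_from_dn(m) for m in members} - {None}
            for u in sorted(uids_from_member - set(member_uids)):
                findings.append((cn, "member without memberUid", u))
            for u in sorted(set(member_uids) - uids_from_member):
                findings.append((cn, "memberUid without member", u))
    return sorted(findings)


if __name__ == "__main__":
    for cn, problem, value in check_groups(parse_ldif(SAMPLE_LDIF)):
        print(f"{cn}: {problem}: {value}")
```

Run against the sample, it flags group mri three times (the dangling member DN for bob, the dangling memberUid bob, and carol present only in memberUid) and nothing for group dev, matching the thread's observation that freshly created IPA groups carry only the rfc2307bis attribute. The cn=groups,cn=compat tree is deliberately not read here: its memberUid values are derived from cn=accounts, so fixing the source entries is what makes the compat view consistent.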