User life cycle "assigns" a status to user entries depending where
   they are in the DIT.
   'Active' user will be under 'cn=accounts,SUFFIX' while 'Stage' and
   'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.

   Only 'Active' users have valid membership attributes: A Stage/Delete
   user does not belong to any 'Active' group.
   membership is managed by DS plugins, and particularly RI and memberof.
   To automatically update membership attributes RI and memberof
   implement a scoping, that update/add/remove membership attributes if
   the group/user are Active.

   The scoping is a single valued attribute.

   It create failures in IPA tests if I restrict RI/memberof to
   'cn=accounts,SUFFIX'. For example adding a host (under
   'cn=accounts,SUFFIX) adds it to a network group that is under
   A solution would be that the attribute that scopes the plugin is
   multivalued. But then it would require a long list of values:

       cn=accounts, SUFFIX

   An other solution would be to exclude some parts of the DIT, here
   limited to 'cn=provisionning,SUFFIX'. (prefered solution).

   This is a similar issue with IPA UUID plugin that generates
   ipaUniqueID for entries under 'cn=accounts' but also 'cn=alt' or


Freeipa-devel mailing list

Reply via email to