User life cycle "assigns" a status to user entries depending where
they are in the DIT.
'Active' user will be under 'cn=accounts,SUFFIX' while 'Stage' and
'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.
Only 'Active' users have valid membership attributes: A Stage/Delete
user does not belong to any 'Active' group.
membership is managed by DS plugins, and particularly RI and memberof.
To automatically update membership attributes RI and memberof
implement a scoping, that update/add/remove membership attributes if
the group/user are Active.
The scoping is a single valued attribute.
It create failures in IPA tests if I restrict RI/memberof to
'cn=accounts,SUFFIX'. For example adding a host (under
'cn=accounts,SUFFIX) adds it to a network group that is under
A solution would be that the attribute that scopes the plugin is
multivalued. But then it would require a long list of values:
An other solution would be to exclude some parts of the DIT, here
limited to 'cn=provisionning,SUFFIX'. (prefered solution).
This is a similar issue with IPA UUID plugin that generates
ipaUniqueID for entries under 'cn=accounts' but also 'cn=alt' or
Freeipa-devel mailing list