Hello,

User life cycle "assigns" a status to user entries depending on where they are in the DIT. 'Active' users will be under 'cn=accounts,SUFFIX' while 'Stage' and 'Delete' users are somewhere under 'cn=provisioning,SUFFIX'.

Only 'Active' users have valid membership attributes: a Stage/Delete user does not belong to any 'Active' group. Membership is managed by DS plugins, particularly RI and memberof. To automatically update membership attributes, RI and memberof implement a scoping that updates/adds/removes membership attributes if the group/user is Active. The scoping is a single-valued attribute. It creates failures in IPA tests if I restrict RI/memberof to 'cn=accounts,SUFFIX'. For example, adding a host (under 'cn=accounts,SUFFIX') adds it to a network group that is under 'cn=alt,SUFFIX'.

A solution would be that the attribute that scopes the plugin is multivalued. But then it would require a long list of values: cn=pbac,SUFFIX cn=hbac,SUFFIX cn=alt,SUFFIX cn=accounts,SUFFIX ...

Another solution would be to exclude some parts of the DIT, here limited to 'cn=provisioning,SUFFIX' (preferred solution).

This is a similar issue with the IPA UUID plugin that generates ipaUniqueID for entries under 'cn=accounts' but also 'cn=alt' or 'cn=hbac'.

regards
thierry
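As an added illustration (not 389-ds or FreeIPA code), the following Python models the three scoping options weighed in the mail: a single-valued scope, a multi-valued include list, and an include scope with an exclusion, evaluated against constructed DNs that mirror the DIT layout described. The suffix and the helper names are assumptions; DN values with escaped commas are not handled.

```python
# Added example, not part of 389-ds or FreeIPA: a DN scope check comparing whole
# RDN components, so a substring like 'cn=accounts' inside a staged-user DN does
# not count as being under 'cn=accounts,SUFFIX'. Escaped commas are not handled.

SUFFIX = "dc=example,dc=test"  # assumed placeholder suffix


def _components(dn):
    """Split a DN into normalised RDN components (lowercased, outer spaces stripped)."""
    return [c.strip().lower() for c in dn.split(",")]


def is_under(dn, base):
    """True if dn equals base or sits below it. Component-wise comparison keeps
    'cn=accounts2,...' from matching as a child of 'cn=accounts,...'."""
    d, b = _components(dn), _components(base)
    return len(d) >= len(b) and d[-len(b):] == b


def in_plugin_scope(dn, include_scopes, exclude_scopes=()):
    """Would RI/memberof touch this entry? It must be under at least one
    include scope and under none of the exclude scopes."""
    if not any(is_under(dn, s) for s in include_scopes):
        return False
    return not any(is_under(dn, s) for s in exclude_scopes)


# Constructed sample DNs following the layout described in the mail.
HOST = f"fqdn=host1,cn=computers,cn=accounts,{SUFFIX}"
NETGROUP = f"cn=ng1,cn=ng,cn=alt,{SUFFIX}"
STAGED_USER = f"uid=bob,cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"


def option_single_scope(dn):
    # Single-valued scope restricted to cn=accounts: misses the netgroup under cn=alt.
    return in_plugin_scope(dn, [f"cn=accounts,{SUFFIX}"])


def option_multi_scope(dn):
    # Multi-valued include list: works, but needs every container enumerated.
    return in_plugin_scope(
        dn, [f"cn=accounts,{SUFFIX}", f"cn=alt,{SUFFIX}",
             f"cn=hbac,{SUFFIX}", f"cn=pbac,{SUFFIX}"])


def option_exclude(dn):
    # Whole suffix in scope, only cn=provisioning excluded (the preferred option).
    return in_plugin_scope(dn, [SUFFIX], [f"cn=provisioning,{SUFFIX}"])
```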
_______________________________________________ Freeipa-devel mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-devel