Hello list,

I ran an upgrade (related steps listed in order):

ipa-ldap-updater --upgrade
- applying update files (including 55-pbacmemberof.update)
- updating ACI (new permissions created, added to existing privilege)
- setting up new service (which uses privilege with new permission)

At the end I was expecting that the privilege would be missing the new permission (memberOf attribute), but I tested it in the lab, and the membership was OK.

How does the memberof plugin work?

We had a similar issue with a new DNS installation, where memberOf attributes were missing if DNS was installed later. But I can't reproduce this behavior during upgrade. (The fix was to use 55-pbacmemberof.update as the last step of the bind service installation.)

PS: we had a case where a user had broken DNS privileges and 55-pbacmemberof.update helped. But he had multiple errors and it could be a cascade effect.

Martin Basti

