Just for posterity. The issue ended up being that the AD and FreeIPA
were out of sync. One of the sub-containers in the Active Directory
containing disabled accounts was moved outside of the scope of the sync
agreement. We never ran a replica init, so a number of scheduled syncs
were pending.
On 03/17/2010 04:00 PM, James Roman wrote:
The memberof plugin does not change group memberships; it only updates
the memberof attribute to keep it in sync with the member ones.
Simo.
I made a mistake interpreting the audit log initially. I realized
after I created the subject that the MemberOf changes reflect the
changes being made in the background to the individual record to
populate the memberOf attributes for the change I initiated. Since the
audit records don't actually say what the MemberOf plugins are
changing in the record (they only report updating the modifiersname),
I thought it was actually what was changing the group membership back.
Something else was changing the group membership back (or rolling back
the initial change), but it is not being recorded in the audit logs.
I still can't get my head around why the audit log reports both
plugins making changes to the record, even though the 389 MemberOf
plugin is disabled.
time: 20100317111527
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=ipa-memberof,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20100317151502Z
-

time: 20100317111529
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
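The confusion in the thread comes from reading plugin bookkeeping records as if they were the change itself: the two excerpts above replace only modifiersName and modifyTimestamp on the user entry, so they say nothing about which group attribute moved. The parser below is an added example, not code from the thread or from FreeIPA/389-ds. It splits a 389-ds audit log into records, collects the attribute operations in each one, and separates records that touch only operational attributes (the memberOf plugin's bookkeeping) from records that change real data such as a group's member attribute. The sample log is constructed for the example, and the admin DN and group DN in it are assumptions; only the two plugin records mirror the excerpt in the mail.

```python
"""Separate plugin bookkeeping from real changes in a 389-ds audit log.

Added example (not from the thread). The audit log is a sequence of
LDIF-like records separated by blank lines: a "time:" line, the entry
"dn:", a "changetype:", then attribute operations ("add:", "delete:",
"replace:") each terminated by a lone "-".
"""
import re

# Attributes the server and its plugins maintain on every write; a record
# that changes nothing else is bookkeeping, not a data change.
OPERATIONAL_ATTRS = {"modifiersname", "modifytimestamp"}

# Constructed sample: one admin-driven removal of a member from a group
# (DNs assumed), followed by the two plugin touches shown in the mail.
SAMPLE_AUDIT_LOG = """
time: 20100317111525
dn: cn=engineers,cn=groups,cn=accounts,dc=domain,dc=com
changetype: modify
delete: member
member: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
-
replace: modifiersName
modifiersName: uid=admin,cn=users,cn=accounts,dc=domain,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20100317151500Z
-

time: 20100317111527
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=ipa-memberof,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20100317151502Z
-

time: 20100317111529
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
-
"""


def parse_audit_log(text):
    """Return a list of records: dicts with time, dn, changetype and mods.

    Each mod is {"op": add|delete|replace, "attr": name, "values": [...]}.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"time": None, "dn": None, "changetype": None, "mods": []}
        current = None  # the mod whose value lines we are collecting
        for line in block.splitlines():
            if not line.strip():
                continue
            if line.strip() == "-":
                current = None  # end of this attribute operation
                continue
            key, _, val = line.partition(": ")
            key_l = key.lower()
            if key_l in ("time", "dn", "changetype"):
                rec[key_l] = val
            elif key_l in ("add", "delete", "replace") and current is None:
                current = {"op": key_l, "attr": val, "values": []}
                rec["mods"].append(current)
            elif current is not None and key_l == current["attr"].lower():
                current["values"].append(val)
        records.append(rec)
    return records


def modifier_of(rec):
    """DN recorded in modifiersName, i.e. who the server says made the write."""
    for mod in rec["mods"]:
        if mod["attr"].lower() == "modifiersname" and mod["values"]:
            return mod["values"][0]
    return None


def is_operational_only(rec):
    """True when the record changes nothing but server bookkeeping attributes."""
    return all(m["attr"].lower() in OPERATIONAL_ATTRS for m in rec["mods"])


def substantive_changes(records):
    """Records that actually changed data (e.g. a group's member attribute)."""
    return [r for r in records
            if r["changetype"] == "modify" and not is_operational_only(r)]


def summarize(text):
    """(time, dn, modifier, [(op, attr) for non-operational mods]) per record."""
    out = []
    for rec in parse_audit_log(text):
        data_mods = [(m["op"], m["attr"]) for m in rec["mods"]
                     if m["attr"].lower() not in OPERATIONAL_ATTRS]
        out.append((rec["time"], rec["dn"], modifier_of(rec), data_mods))
    return out


if __name__ == "__main__":
    for time, dn, who, mods in summarize(SAMPLE_AUDIT_LOG):
        tag = "bookkeeping" if not mods else "data change"
        print(f"{time} {tag:12} {who} -> {dn} {mods}")
```

Run over a real audit log, the summary shows whether any audited write removed or re-added the member value. If the membership flipped back and no record touches the group's member attribute, the audit log does not explain the reversal, which is the situation the thread describes; the plugin records are only the side effect of whatever write did happen.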