And after a bit more hacking around, I seem to have hit on the answer.
For one thing, the way I wrote it wouldn't work because the
dn_container would have been wrong anyway (previously it worked
because users are in the same container as other users, but in this
case it would fail since the object's container is that of a host).
Some of the values here are hard coded now, which is probably not good
practice, but as this is my plugin for my environment I'm going to
give myself a break on it.

I still need to write an error handler in the case of a user account
being deleted and a host "owned" by that user still exists, so that
one doesn't have to go to LDAP to deal with the entry, but compared to
the amount of iterations this took, that should be easy :D

For those interested:

Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to