Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-18 Thread James Roman
Just for posterity. The issue ended up being that the AD and FreeIPA 
were out of sync. One of the sub-containers in the Active Directory 
containing disabled accounts was moved outside of the scope of the sync 
agreement. We never ran a replica init, so a number of scheduled syncs 
were pending.



On 03/17/2010 04:00 PM, James Roman wrote:
>> The memberof plugin does not change group memberships it only updates
>> the memberof attribute to keep it in sync with the member ones.
>>
>> Simo.
>
> I made a mistake interpreting the audit log initially. I realized
> after I created the subject that the MemberOf changes reflect the
> changes being made in the background to the individual record to
> populate the memberOf attributes for the change I initiated. Since the
> audit records don't actually say what the MemberOf plugins are
> changing in the record (they only report updating the modifiersname),
> I thought it was actually what was changing the group membership back.
>
> Something else was changing the group membership back (or rolling back
> the initial change), but it is not being recorded in the audit logs.
>
> I still can't get my head around why the audit log reports both
> plugins making changes to the record, even though the 389 MemberOf
> plugin is disabled.
>
> time: 20100317111527
> dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
> changetype: modify
> replace: modifiersName
> modifiersName: cn=ipa-memberof,cn=plugins,cn=config
> -
> replace: modifyTimestamp
> modifyTimestamp: 20100317151502Z
> -
>
> time: 20100317111529
> dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
> changetype: modify
> replace: modifiersName
> modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users




Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-18 Thread Rob Crittenden

James Roman wrote:
> Just for posterity. The issue ended up being that the AD and FreeIPA
> were out of sync. One of the sub-containers in the Active Directory
> containing disabled accounts was moved outside of the scope of the sync
> agreement. We never ran a replica init, so a number of scheduled syncs
> were pending.


Glad you figured it out. Thanks for closing the loop :-)

cheers

rob



Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread James Roman


> Well, the current 389 memberOf is a bit more advanced than the
> ipa-memberOf. We did the initial development of the plugin, then it
> got moved into mainline 389-ds. The ipa plugin should work fine
> though, I don't know of any reason to switch.
>
> rob

Any idea why both are being executed? Even when the MemberOf Plugin is 
disabled?


# ipa-memberof, plugins, config
dn: cn=ipa-memberof,cn=plugins,cn=config
..
nsslapd-pluginEnabled: on


# MemberOf Plugin, plugins, config
dn: cn=MemberOf Plugin,cn=plugins,cn=config
..
nsslapd-pluginEnabled: off

Is it possible that the DS upgrade steps on the ipa-memberof libraries 
in some way, causing both to be executed? I would imagine that having 
two plugins making the same update to the directory could be 
problematic. Maybe it's the way the audit logging is occurring.




Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread James Roman



> To actually disable the plugin you need a restart after you change the
> config, but please *do not* do that unless you want trouble :)
>
> The memberof plugin does not change group memberships it only updates
> the memberof attribute to keep it in sync with the member ones.
>
> Simo.

Just to clarify, we never disabled the 389 MemberOf plugin. My original 
ldif dump after the upgrade to 1.2.5 had the 389 DS memberOf plugin 
disabled. So it never was enabled. This probably meant little to us from 
a functional standpoint because we already had the FreeIPA ipa_memberof 
plugin installed and enabled.


Do I need both of them enabled? Or will that cause additional misery? Of 
the two, ipa-memberof and 389's memberOf plugin, which should I enable?




Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread Simo Sorce
On Wed, 17 Mar 2010 15:24:18 -0400
James Roman james.ro...@ssaihq.com wrote:

>> To actually disable the plugin you need a restart after you change
>> the config, but please *do not* do that unless you want trouble :)
>>
>> The memberof plugin does not change group memberships it only
>> updates the memberof attribute to keep it in sync with the member
>> ones.
>>
>> Simo.
>
> Just to clarify, we never disabled the 389 MemberOf plugin. My
> original ldif dump after the upgrade to 1.2.5 had the 389 DS memberOf
> plugin disabled. So it never was enabled. This probably meant little
> to us from a functional standpoint because we already had the FreeIPA
> ipa_memberof plugin installed and enabled.
>
> Do I need both of them enabled? Or will that cause additional misery?
> Of the two, ipa-memberof and 389's memberOf plugin, which should I
> enable?


Oh sorry, no I misunderstood. You can't have both enabled they would
interfere, only one or the other.
The 389 memberof plugin is probably better now, as we merge all the
code we developed for ipa in there. But unless you have specific
problems you can just leave it as it is.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

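Two points in this thread lend themselves to a small script: James's observation (2010-03-18 post) that the audit-log records written by the memberOf plugins only touch modifiersName and modifyTimestamp, so they say who wrote last rather than what changed, and Simo's reply that you may have ipa-memberof or 389's MemberOf Plugin enabled but never both. The following is an added example, not code from the list, FreeIPA or 389-ds. It reads LDIF-style records once and uses that reader two ways: to summarise audit-log modify records so plugin housekeeping can be told apart from the operation that actually changed an attribute, and to check a cn=plugins,cn=config dump for the "both memberOf plugins enabled" case. The audit log and plugin dump embedded below are constructed samples shaped after the entries quoted in the thread; the first audit record (an admin removing a group member) is invented to show what a real attribute change looks like and does not appear in the thread. The "exactly one enabled" rule is taken from Simo's message, and the function and constant names are the example's own.

```python
# Added example (not from the thread, FreeIPA or 389-ds): one LDIF-record
# reader used to (1) summarise 389-ds audit-log modify records and
# (2) flag the "both memberOf plugins enabled" misconfiguration.

# Constructed sample audit log. Records 2 and 3 follow the shape of the two
# entries quoted in the thread; record 1 is constructed (not in the thread)
# to show an entry with a real attribute change.
AUDIT_LOG = """\
time: 20100317111525
dn: cn=admins,cn=groups,cn=accounts,dc=domain,dc=com
changetype: modify
delete: member
member: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
-
replace: modifiersName
modifiersName: uid=admin,cn=users,cn=accounts,dc=domain,dc=com
-

time: 20100317111527
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=ipa-memberof,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20100317151502Z
-

time: 20100317111529
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
"""

# Constructed plugin-config dump in the shape of the ldapsearch output quoted
# in the thread (only the attribute the thread shows is included).
PLUGIN_CONFIG = """\
# ipa-memberof, plugins, config
dn: cn=ipa-memberof,cn=plugins,cn=config
nsslapd-pluginEnabled: on

# MemberOf Plugin, plugins, config
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: off
"""

# Attributes the server rewrites on every modify: they identify the last
# writer, not what was changed.
HOUSEKEEPING = {"modifiersname", "modifytimestamp"}

# Lower-cased entry DNs of the two memberOf implementations in the thread.
MEMBEROF_PLUGINS = {
    "cn=ipa-memberof,cn=plugins,cn=config",
    "cn=memberof plugin,cn=plugins,cn=config",
}


def parse_ldif_records(text):
    """Split LDIF-style text into records, each a list of (attr, value) pairs.

    Records are separated by blank lines, '#' comment lines are skipped,
    continuation lines (leading space) are folded into the previous value,
    and the '-' separator between modify operations is kept as ('-', '').
    Attribute names are lower-cased; values keep their case.
    """
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and current:
            attr, value = current[-1]
            current[-1] = (attr, value + line[1:])
        elif line == "-":
            current.append(("-", ""))
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        records.append(current)
    return records


def summarise_audit(text):
    """One dict per modify record: who wrote it and which attributes the
    operation changed, with the housekeeping attributes filtered out."""
    summary = []
    for rec in parse_ldif_records(text):
        fields = {a: v for a, v in rec if a != "-"}
        if fields.get("changetype") != "modify":
            continue
        changed = {v.lower() for a, v in rec if a in ("add", "delete", "replace")}
        summary.append({
            "time": fields.get("time"),
            "dn": fields.get("dn"),
            "modifier": fields.get("modifiersname", "<not recorded>"),
            "changed": sorted(changed - HOUSEKEEPING),
        })
    return summary


def real_changes(text):
    """Audit records that changed more than housekeeping; the plugin-only
    records like the two quoted in the thread drop out here."""
    return [s for s in summarise_audit(text) if s["changed"]]


def enabled_memberof_plugins(text):
    """DNs of memberOf-style plugin entries with nsslapd-pluginEnabled: on."""
    enabled = []
    for rec in parse_ldif_records(text):
        fields = {a: v for a, v in rec if a != "-"}
        dn = fields.get("dn", "")
        if dn.lower() in MEMBEROF_PLUGINS and fields.get("nsslapd-pluginenabled", "").lower() == "on":
            enabled.append(dn)
    return enabled


def memberof_config_ok(text):
    """True when exactly one memberOf plugin is enabled (Simo: both enabled
    interfere; disabling the only one is asking for trouble)."""
    return len(enabled_memberof_plugins(text)) == 1


if __name__ == "__main__":
    for s in summarise_audit(AUDIT_LOG):
        print(f"{s['time']} {s['dn']}\n    by {s['modifier']}  "
              f"changed={s['changed'] or 'housekeeping only'}")
    print("enabled memberOf plugins:", enabled_memberof_plugins(PLUGIN_CONFIG))
    print("memberOf config ok:", memberof_config_ok(PLUGIN_CONFIG))
```

Run against the real audit log (the LDIF-style records 389-ds writes when audit logging is on) the summary makes the thread's point visible: the plugin records carry no attribute changes of their own, so a change to a group that is later reverted has to be found in a record whose changed list is non-empty, or, as James found, outside the audit log altogether. The config check is worth running after any directory upgrade that touches plugin entries.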