James Roman wrote:
Just for posterity. The issue ended up being that the AD and FreeIPA
were out of sync. One of the sub-containers in the Active Directory
containing disabled accounts was moved outside of the scope of the sync
agreement. We never ran a replica init, so a number of scheduled syncs
were pending.
The memberof plugin does not change group memberships; it only updates
the memberof attribute to keep it in sync with the member ones.
Simo.
I made a mistake interpreting the audit log initially. I realized after
I created the subject that the MemberOf changes reflect the changes
being m
On Wed, 17 Mar 2010 15:24:18 -0400
James Roman wrote:
>
> > To actually disable the plugin you need a restart after you change
> > the config, but please *do not* do that unless you want trouble :)
> >
> > The memberof plugin does not change group memberships; it only
> > updates the memberof att
To actually disable the plugin you need a restart after you change the
config, but please *do not* do that unless you want trouble :)
The memberof plugin does not change group memberships; it only updates
the memberof attribute to keep it in sync with the member ones.
Simo.
Just to clarify
On Wed, 17 Mar 2010 14:01:47 -0400
James Roman wrote:
>
> > Well, the current 389 memberOf is a bit more advanced than the
> > ipa-memberOf. We did the initial development of the plugin, then it
> > got moved into mainline 389-ds. The ipa plugin should work fine
> > though, I don't know of an
Well, the current 389 memberOf is a bit more advanced than the
ipa-memberOf. We did the initial development of the plugin, then it
got moved into mainline 389-ds. The ipa plugin should work fine
though, I don't know of any reason to switch.
rob
Any idea why both are being executed? Even when
OK. I think I've got this licked. I had to manually activate the account
on both the Active Directory and the FreeIPA server. I think what was
happening was this:
1. Admin activates the account on IPA server (moves cn=inactivated to
cn-activated)
2. IPA server schedules windows sync
James Roman wrote:
I have a single account that keeps getting disabled by the memberOf
Plugin, even though it is disabled.
[ SNIP ]
Am I missing something? What do I need to do to keep the MemberOf plugin
from stepping on our changes? We have FreeIPA 1.2.2 and 389-DS 1.2.5 on
FC11.
I don'