[Freeipa-users] MemberOf plugin keeps disabling account
Simo Sorce
ssorce at redhat.com
Wed Mar 17 19:05:09 UTC 2010
On Wed, 17 Mar 2010 14:01:47 -0400
James Roman <james.roman at ssaihq.com> wrote:
>
> > Well, the current 389 memberOf is a bit more advanced than the
> > ipa-memberOf. We did the initial development of the plugin, then it
> > got moved into mainline 389-ds. The ipa plugin should work fine
> > though, I don't know of any reason to switch.
> >
> > rob
> Any idea why both are being executed? Even when the MemberOf Plugin
> is disabled?
>
> # ipa-memberof, plugins, config
> dn: cn=ipa-memberof,cn=plugins,cn=config
> ......
> nsslapd-pluginEnabled: on
>
>
> # MemberOf Plugin, plugins, config
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> ......
> nsslapd-pluginEnabled: off
>
> Is it possible that the DS upgrade steps on the ipa-memberof
> libraries in some way, causing both to be executed? I would imagine
> that having two plugins making the same update to the directory could
> be problematic. Maybe its the way the audit logging is occurring.
To actually disable the plugin you need a restart after you change the
config, but please *do not* do that unless you want trouble :)
The memberof plugin does not change group memberships it only updates
the memberof attribute to keep it in sync with the member ones.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list