[Freeipa-users] MemberOf plugin keeps disabling account

[James Roman]

Just for posterity. The issue ended up being that the AD and FreeIPA 
were out of sync. One of the sub-containers in the Active Directory 
containing disabled accounts was moved outside of the scope of the sync 
agreement. We never ran a replica init, so a number of scheduled syncs 
were pending.


On 03/17/2010 04:00 PM, James Roman wrote:
>
>> The memberof plugin does not change group memberships it only updates
>> the memberof attribute to keep it in sync with the member ones.
>>
>> Simo.
>>
> I made a mistake interpreting the audit log initially.  I realized 
> after I created the subject that the MemberOf changes reflect the 
> changes being made in the background to the individual record to 
> populate the memberOf attributes for the change I initiated. Since the 
> audit records don't actually say what the MemberOf plugins are 
> changing in the record (they only report updating the modifiersname), 
> I thought it was actually what was changing the group membership back.
>
> Something else was changing the group membership back (or rolling back 
> the initial change), but it is not being recorded in the audit logs.
>
> I still can't get my head around why the audit log reports both 
> plugins making changes to the record, even though the 389 MemberOf 
> plugin is disabled.
>
> time: 20100317111527
> dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
> changetype: modify
> replace: modifiersName
> modifiersName: cn=ipa-memberof,cn=plugins,cn=config
> -
> replace: modifyTimestamp
> modifyTimestamp: 20100317151502Z
> -
>
> time: 20100317111529
> dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
> changetype: modify
> replace: modifiersName
> modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users