On 03/04/2016 08:59 AM, Frank Munsche wrote:
Hi Guys,
I try to get the automembership plugin configured and running in the right way,
but it still causes some headaches.
I'm running CentOS 6.7 and the following 389 packages:
389-ds-base-1.2.11.15-69.el6_7.x86_64
389-ds-base-libs-1.2.11.15-69.el6_7.x86_64
I followed the guide at
http://directory.fedoraproject.org/docs/389ds/design/automember-design.html
and created a group, where the members should be automatically added:
dn: cn=users,ou=app,ou=groups,dc=example,dc=com
description: users group
objectClass: top
objectClass: groupofnames
cn: users
And the corresponding auto membership plugin entry:
dn: cn=users,cn=Auto Membership Plugin,cn=plugins,cn=config
cn: users
objectclass: top
objectclass: autoMemberDefinition
autoMemberScope: dc=example,dc=com
autoMemberFilter: Team=ops
autoMemberDefaultGroup: cn=users,ou=app,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
After that, I added a user who got the Team attribute (own schema extension)
set to 'ops'
dn: uid=foo,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: inetorgPerson
objectClass: person
objectClass: shadowAccount
objectClass: ldapPublicKey
objectClass: bopsUser
objectClass: inetuser
uid: foo
uidNumber: 2222
gidNumber: 2222
homeDirectory: /home/foo
loginShell: /bin/bash
cn: foo bar
givenName: foo
sn: bar
gecos: foo bar
mail: foo.bar@xxxxxxxxxxx
Team: ops
A ldapsearch for the groups member attribute shows the user's dn being added
automatically:
# users, app, groups, bildops.de
dn: cn=users,ou=app,ou=groups,dc=example,dc=com
member: uid=foo,ou=people,dc=example,dc=com
When the user entry is removed, the membership also disappears.
But whenever I just changed the Team attribute of an existing user, the
membership did not change.
I found a page describing a rebuild task implemented in the plugin at:
https://fedorahosted.org/389/ticket/20
It worked for me for any existing users, who got the Team attribute set to
'ops'. The task finds them and puts their dn into the group.
But the opposite way did not work:
I changed the Team's value from 'ops' to 'none' and started the task, but the
user's dn is still a member of the group.
Is this the expected behavior?
Yes. The task does not correct existing memberships, it only looks for
entries that need to be added to groups based on the current
auto-membership configuration. Currently, it has no way to know old
configuration values, or how to clean them up. Basically it can only
move forward, not backwards.
Mark
thank you very much,
cheers, Frank
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
