Hi Mark, thanks for the quick reply. -) cheers, Frank On Friday, March 04, 2016 11:16:46 AM Mark Reynolds wrote: > On 03/04/2016 08:59 AM, Frank Munsche wrote: > > Hi Guys, > > > > I try to get the automembership plugin configured and running in the right > > way, but it still causes some headaches. > > > > > > I'm running CentOS 6.7 and the following 389 packages: > > > > 389-ds-base-1.2.11.15-69.el6_7.x86_64 > > 389-ds-base-libs-1.2.11.15-69.el6_7.x86_64 > > > > > > I followed the guide at > > > > http://directory.fedoraproject.org/docs/389ds/design/automember-design.htm > > l > > > > and created a group, where the members should be automatically added: > > > > > > dn: cn=users,ou=app,ou=groups,dc=example,dc=com > > description: users group > > objectClass: top > > objectClass: groupofnames > > cn: users > > > > > > And the corresponding auto membership plugin entry: > > > > > > dn: cn=users,cn=Auto Membership Plugin,cn=plugins,cn=config > > cn: users > > objectclass: top > > objectclass: autoMemberDefinition > > autoMemberScope: dc=example,dc=com > > autoMemberFilter: Team=ops > > autoMemberDefaultGroup: cn=users,ou=app,ou=groups,dc=example,dc=com > > autoMemberGroupingAttr: member:dn > > > > > > After that, I added a user who got the Team attribute (own schema > > extension) set to 'ops' > > > > > > dn: uid=foo,ou=people,dc=example,dc=com > > objectClass: top > > objectClass: posixAccount > > objectClass: organizationalPerson > > objectClass: inetorgPerson > > objectClass: person > > objectClass: shadowAccount > > objectClass: ldapPublicKey > > objectClass: bopsUser > > objectClass: inetuser > > uid: foo > > uidNumber: 2222 > > gidNumber: 2222 > > homeDirectory: /home/foo > > loginShell: /bin/bash > > cn: foo bar > > givenName: foo > > sn: bar > > gecos: foo bar > > mail: foo.bar@xxxxxxxxxxx > > Team: ops > > > > > > A ldapsearch for the groups member attribute shows the user's dn being > > added automatically: > > > > # users, app, groups, bildops.de > > dn: cn=users,ou=app,ou=groups,dc=example,dc=com > > member: uid=foo,ou=people,dc=example,dc=com > > > > > > When the user entry is removed, the membership also disappears. > > But whenever I just changed the Team attribute of an existing user, the > > membership did not change. > > > > I found a page describing a rebuild task implemented in the plugin at: > > > > https://fedorahosted.org/389/ticket/20 > > > > It worked for me for any existing users, who got the Team attribute set to > > 'ops'. The task finds them and puts their dn into the group. > > > > But the opposite way did not work: > > I changed the Team's value from 'ops' to 'none' and started the task, but > > the user's dn is still a member of the group. > > > > Is this the expected behavior? > > Yes. The task does not correct existing memberships, it only looks for > entries that need to be added to groups based on the current > auto-membership configuration. Currently, it has no way to know old > configuration values, or how to clean them up. Basically it can only > move forward, not backwards. > > Mark > > > thank you very much, > > > > > > cheers, Frank > > > > > > -- > > 389 users mailing list > > 389-users@%(host_name)s > > http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.o > > rg > -- > 389 users mailing list > 389-users@%(host_name)s > http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx -- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
