idM / IPA for RedHat 6.3 appears to have a severe bug with the processing of the memberof plugin.
It appears that it is processing group objects which contain a member attribute properly, but is ignoring the memberof fixup/referential integrity modifications to group objects that contain memberHost or memberUser, both of which are critical for idM/IPA in Red Hat Enterprise Linux.
This breaks SSSD interactions, since the client looks for the node object to refer back up to the groups that it is a member of.
RHEL6 Replica Server Entry:
dn: fqdn=testhost1.example.com,cn=computers,cn=accounts,dc=example,dc=com
memberOf: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com

Fedora Replica Server Entry:
memberOf: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
memberOf: cn=prod,cn=ng,cn=alt,dc=example,dc=com
memberOf: ipaUniqueID=4cd496aa-1ac8-11e1-b3fb-9c8e9927cab0,cn=hbac,dc=example,dc=com
memberOf: ipaUniqueID=50f72680-1ac8-11e1-b789-9c8e9927cab0,cn=hbac,dc=example,dc=com
memberOf: ipaUniqueID=53e31ce6-1ac8-11e1-8820-9c8e9927cab0,cn=hbac,dc=example,,dc=com
memberOf: ipaUniqueID=5a03f7c6-1ac8-11e1-bdca-9c8e9927cab0,cn=hbac,dc=example,dc=com
memberOf: ipaUniqueID=5a712b16-1ac8-11e1-8ec6-9c8e9927cab0,cn=hbac,dc=example,dc=com
memberOf: ipaUniqueID=62e324d4-1ac8-11e1-ae48-9c8e9927cab0,cn=hbac,dc=example,dc=com
memberOf: ipaUniqueID=7a633fc2-1ac8-11e1-bcf6-9c8e9927cab0,cn=sudorules,cn=sudo,dc=example,dc=com
memberOf: ipaUniqueID=8ac6765e-1ac8-11e1-ba2e-9c8e9927cab0,cn=sudorules,cn=sudo,dc=example,dc=com
memberOf: ipaUniqueID=8e69d94a-1ac8-11e1-b01d-9c8e9927cab0,cn=sudorules,cn=sudo,dc=example,dc=com
memberOf: ipaUniqueID=a1678ff6-1ac8-11e1-ba2e-9c8e9927cab0,cn=sudorules,cn=sudo,dc=example,dc=com
memberOf: ipaUniqueID=af86055e-1ac8-11e1-94c1-9c8e9927cab0,cn=sudorules,cn=sudo,dc=example,dc=com
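An added example, not part of the ticket or of 389-ds-base: one way to confirm the divergence described above is to export the same host entry from each replica and diff its memberOf values, grouped by parent container, so missing HBAC and sudo rule memberships stand out. The LDIF is constructed (the ipaUniqueID values are placeholders) and the function names are hypothetical.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF for one host entry as returned by two replicas.
# The ipaUniqueID values are placeholders, not real rule IDs.
REFERENCE = """\
dn: fqdn=testhost1.example.com,cn=computers,cn=accounts,dc=example,dc=com
memberOf: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
memberOf: cn=prod,cn=ng,cn=alt,dc=example,dc=com
memberOf: ipaUniqueID=constructed-hbac-1,cn=hbac,dc=example,dc=com
memberOf: ipaUniqueID=constructed-sudo-1,cn=sudorules,cn=sudo,
 dc=example,dc=com
"""
SUSPECT = """\
dn: fqdn=testhost1.example.com,cn=computers,cn=accounts,dc=example,dc=com
memberOf: CN=prod, cn=hostgroups,cn=accounts,dc=example,dc=com
"""

def parse_memberof(ldif_text):
    """Return the normalised set of memberOf DNs in one LDIF entry."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folded continuation line
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "memberof":
            continue
        if value.startswith(":"):          # "memberOf:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        # Simplified DN normalisation: assumes no escaped commas in RDN values.
        dns.add(",".join(p.strip() for p in value.split(",")).lower())
    return dns

def container(dn):
    """Parent container of a DN, e.g. cn=hbac,dc=example,dc=com."""
    return dn.split(",", 1)[1] if "," in dn else dn

def missing_by_container(reference_ldif, suspect_ldif):
    """memberOf values on the reference replica that the suspect replica lacks."""
    gaps = defaultdict(list)
    for dn in sorted(parse_memberof(reference_ldif) - parse_memberof(suspect_ldif)):
        gaps[container(dn)].append(dn)
    return dict(gaps)

if __name__ == "__main__":
    for parent, dns in missing_by_container(REFERENCE, SUSPECT).items():
        print(f"{parent}: {len(dns)} missing")
```

An empty result means both replicas agree on the entry's memberOf values; gaps under cn=hbac or cn=sudorules mean access rules that SSSD clients of the suspect replica will not see for that host.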
This issue was not reproducible with a fresh IPA install and replica (by myself or the reporter). Closing this ticket.
Metadata Update from @nkinder: - Issue assigned to rmeggins - Issue set to the milestone: N/A
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/482
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Invalid)