Thank you for the proposal, Rob! How urgent is it? Is 1.3.6 acceptable for you?

It has only come up in IPA a few times so it isn't super hot. If you can fit it into 1.3.6 that would be great.

The way to reproduce manually in IPA is to:

• Do a default install which will enable user-private groups
• Add a user which will create a group of the same name, managed by the user
• Detach the group from the user using ipa group-detach username
• Delete the user
• Use ldapmodify to add mepManagedEntry to the group objectclass and set mepManagedBy to the DN of the user. So now we have only half of the management in place.
• Try to delete the group, you'll get: ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.

Note I don't think you even need to delete the user because the user now lacks the managed entries attributes, so I assume some search is happening today.

Thanks for your input, Rob!
There should not be a problem to set the target to 1.3.6.
We are going to decide it in tomorrow's triage. ;)

Related? http://directory.fedoraproject.org/docs/389ds/design/mep-rework.html

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2007

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.