https://bugzilla.redhat.com/show_bug.cgi?id=659818
I think this is due to some inconsistencies. An active account belongs to cn=Activated,cn=account inactivation,cn=accounts,dc=ipa,dc=test while a disabled account is in cn=inactivated,cn=account inactivation,cn=accounts,dc=ipa,dc=test
To be able to switch from enable to disabled multiple times I needed to change:
[root@ipaserver ~]# diff -Nurb /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py.orig /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py --- /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py.orig 2010-12-23 15:35:26.766859586 +0100 +++ /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py 2010-12-23 15:16:34.796157048 +0100 @@ -920,7 +920,7 @@ is_member = False member_of_attr = entry_attrs.get('memberof', []) for m in member_of_attr: - if m.find('cn=activated') >= 0 or m.find('cn=inactivated') >=0: + if m.find('cn=Activated') >= 0 or m.find('cn=inactivated') >=0: is_member = True break if not is_member and entry_attrs.has_key('nsaccountlock'):
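Review bot: The membership test in this hunk is a case-sensitive substring search over DN strings, which is why it broke once the container was named "cn=Activated" rather than "cn=activated": cn values in an LDAP DN are compared case-insensitively by the directory, so a fixed-case `m.find(...)` will match or miss depending on how the DN happens to be rendered. Rather than swapping one literal for another, normalise before comparing, e.g. `if m.lower().find('cn=activated') >= 0 or m.lower().find('cn=inactivated') >= 0:` (also gives the second comparison its missing space), or better, compare the full normalised DN against the two known container DNs instead of a bare `cn=` substring, so an unrelated group whose name merely contains "activated" cannot be mistaken for the CoS container.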
This is clearly not the right solution, but maybe it helps to find the real issue.
I'm going to drop the class of service and simply update nsaccountlock directly. The CoS was used in early v1 development to do group-based inactivation. We dropped that but left the CoS work in case we ever wanted to re-add it and it was maintained in v2 for the same reason. Simplicity is better though so I'm going to drop it altogether.
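The two designs the thread compares, written out as an added Python example (not FreeIPA's own ldap2.py code): the CoS-membership check from the hunk, reproduced as posted so the case-sensitivity failure is visible, a case-insensitive variant of it, and the replacement approach of reading nsaccountlock directly. The container DNs are the ones named in the ticket; the sample entries, the `entry_attrs` dict shape, and the assumption that nsaccountlock carries the string "TRUE"/"FALSE" are constructed for this illustration.

```python
# Added illustration of the lock-state logic discussed in the ticket.
# Not FreeIPA code. entry_attrs is assumed to be a dict of attribute
# name -> list of values, the shape used in the ldap2.py hunk above.

ACTIVATED_DN = "cn=activated,cn=account inactivation,cn=accounts,dc=ipa,dc=test"
INACTIVATED_DN = "cn=inactivated,cn=account inactivation,cn=accounts,dc=ipa,dc=test"


def _values(entry_attrs, name):
    """Return an attribute's values regardless of attribute-name case
    (LDAP attribute names are case-insensitive; servers may return
    'memberOf' or 'memberof')."""
    for key, val in entry_attrs.items():
        if key.lower() == name.lower():
            return list(val) if isinstance(val, (list, tuple)) else [val]
    return []


def naive_is_member(entry_attrs):
    """The pre-patch check from the hunk: case-sensitive substring search.
    Kept as the ticket shows it, so the failure on 'cn=Activated' is visible."""
    for m in _values(entry_attrs, "memberof"):
        if m.find("cn=activated") >= 0 or m.find("cn=inactivated") >= 0:
            return True
    return False


def is_cos_member(entry_attrs):
    """Case-insensitive comparison against the full container DN, so
    DN rendering differences and unrelated group names cannot confuse it."""
    for m in _values(entry_attrs, "memberof"):
        if m.lower() in (ACTIVATED_DN, INACTIVATED_DN):
            return True
    return False


def disabled_via_cos(entry_attrs):
    """Old design: lock state is derived from CoS container membership,
    falling back to nsaccountlock only when the entry is in neither container
    (mirroring the 'if not is_member and ...' branch in the hunk)."""
    if is_cos_member(entry_attrs):
        return any(m.lower() == INACTIVATED_DN
                   for m in _values(entry_attrs, "memberof"))
    return disabled_direct(entry_attrs)


def disabled_direct(entry_attrs):
    """Replacement design: read nsaccountlock directly. The attribute is
    assumed (constructed for this example) to hold "TRUE" or "FALSE"."""
    vals = _values(entry_attrs, "nsaccountlock")
    return bool(vals) and str(vals[0]).lower() == "true"


def lock_modlist(disabled):
    """The single attribute change a direct update would write, as a
    (attribute, values) pair; no CoS group membership to keep in sync."""
    return ("nsaccountlock", ["TRUE" if disabled else "FALSE"])


# Constructed sample entries.
ACTIVE_USER = {
    "uid": ["alice"],
    "memberOf": ["cn=Activated,cn=account inactivation,cn=accounts,dc=ipa,dc=test"],
}
LOCKED_COS_USER = {
    "uid": ["bob"],
    "memberOf": ["cn=inactivated,cn=account inactivation,cn=accounts,dc=ipa,dc=test"],
    "nsAccountLock": ["TRUE"],
}
LOCKED_PLAIN_USER = {"uid": ["carol"], "nsaccountlock": ["TRUE"]}

if __name__ == "__main__":
    for user in (ACTIVE_USER, LOCKED_COS_USER, LOCKED_PLAIN_USER):
        print(user["uid"][0],
              "naive_member:", naive_is_member(user),
              "cos_member:", is_cos_member(user),
              "disabled_via_cos:", disabled_via_cos(user),
              "disabled_direct:", disabled_direct(user))
```

Running it shows alice's membership being missed by the case-sensitive check while both the normalised check and the direct nsaccountlock read agree for every entry; with the direct approach there is only one attribute to set and to read, which is the simplification the comment above argues for.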
drop CoS in favor of updating nsaccountlock directly freeipa-rcrit-659-lock.patch
master: 4f2a6e0
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)