There are two parts here.
ipaExternalGroup is only handled for trust-to-AD configurations. The compat tree configuration for that is only set up when you run ipa-adtrust-install --enable-compat on the specific master (turning the master into a trust controller). When you have no external group members configured for some external groups (this is a concept in IPA: 'ipa group-add --external' and 'ipa group-add-member --external'), and these groups aren't included in some POSIX groups, you should not see any AD groups pulled in.
The second part is the actual addition of 'objectclass: ipaExternalGroup' into the entries under cn=groups,cn=compat,$BASEDN. This happens after the /usr/share/ipa/updates/50-externalmembers.update file is automatically imported on IPA upgrade. The file content is:
```
$ cat install/updates/50-externalmembers.update
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
```
The upgrade should happen during replica deployment as one of the last steps before enabling optional services. You can see that in the replica installation log with 'Applying LDAP updates'. But I think there might be an ordering discrepancy because the base compat tree configuration is in install/updates/80-schema_compat.update, so it is run after 50-externalmembers.update. And since at that point cn=groups,cn=Schema ... does not exist yet, it is not applied.
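To make the ordering problem described in the comment above concrete, here is an added example (not FreeIPA code, and not part of the ticket): a small model of how numbered update files are applied in lexical order and how the `addifexist` directive is skipped when its target entry does not exist yet. The content of 50-externalmembers.update is the one quoted in the ticket; the 80-schema_compat.update stand-in is constructed for this example, since the real file is not on the page, and the "85-externalmembers.update" name in the second scenario is a hypothetical reordering used only to show that the same directives stick once the entry exists. Only `dn:`, `add:` and `addifexist:` are modelled; variable substitution such as `$SUFFIX` and the other updater directives are ignored.

```python
"""Model of ordered LDAP update files and the 'addifexist' directive.

Added illustration, not FreeIPA's ipa-ldap-updater. It models only 'dn:',
'add:' and 'addifexist:' (assumed semantics: 'addifexist' adds an attribute
value only when the entry already exists, otherwise the directive is dropped).
"""
from collections import defaultdict

COMPAT_GROUPS_DN = "cn=groups,cn=Schema Compatibility,cn=plugins,cn=config"

# Real content of 50-externalmembers.update as quoted in the ticket.
UPDATE_50 = """\
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
"""

# Constructed stand-in for 80-schema_compat.update (the real file is not on
# the page): the only thing that matters here is that it CREATES the entry.
UPDATE_80 = """\
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
add: objectclass: top
add: objectclass: extensibleObject
add: cn: groups
"""


def parse_update(text):
    """Yield (op, dn, attr, value) for each directive in one update file."""
    dn = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("dn: "):
            dn = line[4:].strip()
            continue
        # 'op: attr: value' -- the value itself may contain ':' and ','.
        op, attr, value = line.split(": ", 2)
        if op not in ("add", "addifexist"):
            raise ValueError(f"unsupported directive in this model: {op}")
        if dn is None:
            raise ValueError("directive before any dn:")
        yield op, dn, attr, value


def apply_updates(files):
    """Apply {filename: content} in lexical filename order (the numeric prefix
    decides the order, as with the real updater).

    Returns (entries, skipped): the resulting in-memory DIT and the list of
    'addifexist' directives that were dropped because their entry was absent.
    """
    entries = {}
    skipped = []
    for name in sorted(files):
        for op, dn, attr, value in parse_update(files[name]):
            if dn not in entries:
                if op == "addifexist":
                    skipped.append((name, dn, attr, value))
                    continue
                entries[dn] = defaultdict(list)
            if value not in entries[dn][attr]:
                entries[dn][attr].append(value)
    return entries, skipped


def compat_groups_emit_external_group(entries):
    """True when the compat groups plugin config would emit ipaExternalGroup."""
    entry = entries.get(COMPAT_GROUPS_DN, {})
    return "objectclass=ipaexternalgroup" in entry.get("schema-compat-entry-attribute", [])


if __name__ == "__main__":
    # Scenario 1: shipped order, 50 sorts before 80, entry does not exist yet.
    entries, skipped = apply_updates({
        "50-externalmembers.update": UPDATE_50,
        "80-schema_compat.update": UPDATE_80,
    })
    print("50 before 80 -> ipaExternalGroup configured:",
          compat_groups_emit_external_group(entries), "; dropped:", len(skipped))

    # Scenario 2 (hypothetical reordering): the same directives applied after
    # the entry was created by 80-schema_compat.update.
    entries, skipped = apply_updates({
        "80-schema_compat.update": UPDATE_80,
        "85-externalmembers.update": UPDATE_50,
    })
    print("80 before 85 -> ipaExternalGroup configured:",
          compat_groups_emit_external_group(entries), "; dropped:", len(skipped))
```

The first scenario reproduces the symptom from the comment: both `addifexist` lines are silently dropped, so the compat tree never gets `objectclass: ipaExternalGroup` and external (AD) members are not resolved into the compat groups. On a real server the equivalent check is whether `cn=groups,cn=Schema Compatibility,cn=plugins,cn=config` carries the `schema-compat-entry-attribute: objectclass=ipaexternalgroup` value after an upgrade.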
Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1801791
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.6
PR: https://github.com/freeipa/freeipa/pull/4229
master:
ipa-4-8:
ipa-4-7:
ipa-4-6:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Failed to apply patches onto origin/ipa-4-6. Manual backport is needed.
Metadata Update from @cheimes:
- Issue status updated to: Open (was: Closed)
Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)