  1. Documentation
  2. DOCS-10268

FreeIPA memberOf caveats with Ops Manager


Details

    • Improvement
    • Resolution: Won't Fix
    • Major - P3
    • Ops Manager

    Description

      Some background

      FreeIPA stores and publishes an alternate tree containing a compatibility view of user objects using an RFC 2307 schema. This alternate tree is published in cn=users,cn=compat,dc=example,dc=com. The users branch will not copy the memberOf attribute and thus will not return group membership.

      Weird caveats

      As we rely on memberOf to return the group membership listing, we need to ensure that the baseDN is selective enough to avoid the compat branch, i.e. cn=users,cn=accounts,dc=example,dc=com.

      I have also found that using the mail search attribute will bypass searching the compat branch, whereas using the uid search attribute will not. I am unsure of how these attributes differentiate to understand why this happens.


          People

            Unassigned Unassigned
            byron.grogan Byron Grogan

            Dates

              Created:
              Updated:
              Resolved:
              6 years, 39 weeks ago
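
An added illustration (not part of the original ticket and not Ops Manager code): a small Python model of the subtree search described in the ticket, run over two constructed entries for the same user, showing when a lookup can be trusted to return memberOf. It assumes the compat entry carries only RFC 2307 posixAccount-style attributes, so it has neither memberOf nor mail; the names DIRECTORY, search and groups_are_reliable are hypothetical.

```python
import re

# Constructed sample entries (not from a real directory). Assumption: the
# compat entry carries only RFC 2307 posixAccount-style attributes, so it
# has neither memberOf nor mail.
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": ["alice"],
        "mail": ["alice@example.com"],
        "memberOf": ["cn=dbadmins,cn=groups,cn=accounts,dc=example,dc=com"],
    },
    "uid=alice,cn=users,cn=compat,dc=example,dc=com": {
        "uid": ["alice"],
        "uidNumber": ["1001"],
    },
}


def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def in_subtree(dn, base_dn):
    """True if dn equals base_dn or sits below it (LDAP subtree scope)."""
    base = rdns(base_dn)
    return rdns(dn)[-len(base):] == base


def search(base_dn, attr, value):
    """Subtree search for (attr=value); returns {dn: memberOf values}."""
    return {
        dn: attrs.get("memberOf", [])
        for dn, attrs in DIRECTORY.items()
        if in_subtree(dn, base_dn)
        and value.lower() in (v.lower() for v in attrs.get(attr, []))
    }


def groups_are_reliable(base_dn, attr, value):
    """Safe only if exactly one entry matches and that entry has memberOf."""
    hits = search(base_dn, attr, value)
    return len(hits) == 1 and all(hits.values())
```

A base DN at the directory suffix with the uid attribute matches both entries, so group membership depends on which entry the client picks; restricting the base DN to cn=users,cn=accounts removes the ambiguity.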