[DOCS-10268] FreeIPA memberOf caveats with Ops Manager Created: 17/May/17  Updated: 28/May/17  Resolved: 28/May/17

Status: Closed
Project: Documentation
Component/s: Ops Manager
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Byron Grogan Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Days since reply: 6 years, 39 weeks ago

Description
Some background

FreeIPA stores and publishes an alternate tree containing a compatibility view of user objects using an RFC 2307 schema. This alternate tree is published in cn=users,cn=compat,dc=example,dc=com. The users branch will not copy the memberOf attribute and thus will not return group membership.

Weird caveats

As we rely on memberOf to return the group membership listing, we need to ensure that the baseDN is selective enough to avoid the compat branch, i.e. cn=users,cn=accounts,dc=example,dc=com.

I have also found that using the mail search attribute will bypass searching the compat branch, whereas using the uid search attribute will not. I am unsure how these attributes differ, so I cannot explain why this happens.
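
Added example (not part of the original ticket and not Ops Manager or FreeIPA code): a Python check that tells whether a configured baseDN lets a subtree search reach the compat branch, and which matched entries would return no memberOf. The entries are constructed, the helper names are hypothetical, and the compat entry carrying uid but no mail is an assumption made for illustration.

```python
import re

COMPAT = "cn=compat,dc=example,dc=com"               # compat tree named in the ticket
ACCOUNTS = "cn=users,cn=accounts,dc=example,dc=com"  # selective baseDN from the ticket

# Constructed sample entries; attribute sets are assumptions for illustration.
SAMPLE = [
    ("uid=jdoe,cn=users,cn=accounts,dc=example,dc=com",
     {"uid": ["jdoe"], "mail": ["jdoe@example.com"],
      "memberOf": ["cn=dbadmins,cn=groups,cn=accounts,dc=example,dc=com"]}),
    ("uid=jdoe,cn=users,cn=compat,dc=example,dc=com",
     {"uid": ["jdoe"], "objectClass": ["posixAccount"]}),
]

def parse_dn(dn):
    """Split a DN into lower-cased RDNs; commas escaped as '\\,' are kept (simplified parser)."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip(), count=1).lower() for p in parts if p.strip()]

def is_under(dn, ancestor):
    """True if dn equals ancestor or lies in its subtree."""
    d, a = parse_dn(dn), parse_dn(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def base_dn_reaches_compat(base_dn, compat=COMPAT):
    """A subtree search from base_dn can return compat entries if either DN contains the other."""
    return is_under(compat, base_dn) or is_under(base_dn, compat)

def search(entries, base_dn, attr, value):
    """Emulate a subtree search for (attr=value) over the constructed entries."""
    hits = []
    for dn, attrs in entries:
        values = [v for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
        if is_under(dn, base_dn) and value in values:
            hits.append(dn)
    return hits

def entries_without_groups(entries, compat=COMPAT):
    """DNs that would yield no group membership: compat entries or entries lacking memberOf."""
    return [dn for dn, attrs in entries
            if is_under(dn, compat) or "memberof" not in {k.lower() for k in attrs}]

if __name__ == "__main__":
    for base in ("dc=example,dc=com", ACCOUNTS):
        print(base, "reaches compat:", base_dn_reaches_compat(base))
    print("no groups:", entries_without_groups(SAMPLE))
```
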

