#250 A detached UPG should have groupofnames added as objectclass
Closed: Fixed None Opened 13 years ago by rcritten.

A detached UPG should become a regular group, so it should have its objectclass set to the default OC list for groups (adding groupofnames might not be enough).


This is going to be trickier than I thought.

When a UPG is created it doesn't have the ipaObject objectclass which requires ipaUniqueId. We can't add this because this is generated by IPA and the entry is created by DS.

I'm discussing with Nathan some options including adding this when the group is converted and/or added.

We can probably do another operation in the user-create post_callback that adds this. The tricky part is that we disallow writes to ipaUniqueId so we'll need a filter that is very specific.

Something like:

(targetattr="ipaUniqueId")(targetfilter=(&(cn=*,cn=groups,cn=accounts,dc=..)(!(ipaUniqueId=*))))

I think this will allow writes of ipaUniqueId only when there isn't one. May have to tweak this to add objectclass so we can add ipaobject in there too.

This ticket is going to depend on ticket 360.

We are going to see if we can use a DNA-like plugin to generate the UUID for us. Once we have that I can synchronize the objectclasses.

master: 53d1553

To test this do:

 # ipa user-add --first=Tim --last=User tuser
 # ipa group-show tuser --all
 [ note the objectclasses ]
 # ipa group-detach tuser
 # ipa group-show --all tuser

It should now be a full POSIX group with an ipaUniqueId and a full set of objectclasses. You should be able to add a user to it.

 # ipa group-add-member --users=tuser tuser
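The before/after comparison in the test steps above can be automated. The following is an added example, not part of the original ticket or the FreeIPA code base: it parses `ipa group-show --all` output and reports what a detached group still lacks. The sample output is constructed, and `REQUIRED_OCS` is an assumption built only from the objectclasses named in this ticket, not the server's configured default list.

```python
# Added example: checks `ipa group-show --all` output after `ipa group-detach`.
# Both sample outputs are constructed, not captured from a real server.

# Assumption: only the objectclasses named in this ticket are checked.
REQUIRED_OCS = {"groupofnames", "ipaobject", "posixgroup"}

UPG_BEFORE = """\
  dn: cn=tuser,cn=groups,cn=accounts,dc=example,dc=com
  Group name: tuser
  Description: User private group for tuser
  GID: 1000001
  objectclass: posixgroup, mepManagedEntry, top
"""

DETACHED_AFTER = """\
  dn: cn=tuser,cn=groups,cn=accounts,dc=example,dc=com
  Group name: tuser
  GID: 1000001
  ipauniqueid: 00000000-0000-0000-0000-000000000000
  objectclass: posixgroup, top, groupofnames, ipaobject
"""

def parse_show(text):
    """Parse 'label: v1, v2' lines into {lowercased label: [values]}."""
    attrs = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if not sep:
            continue  # notes and blank lines carry no attribute
        key = label.strip().lower()
        if key == "dn":
            values = [value.strip()]  # a DN contains commas; keep it whole
        else:
            values = [v.strip() for v in value.split(",") if v.strip()]
        attrs.setdefault(key, []).extend(values)
    return attrs

def detach_problems(text):
    """Return the reasons the entry is not yet a regular group (empty = OK)."""
    attrs = parse_show(text)
    ocs = {oc.lower() for oc in attrs.get("objectclass", [])}
    problems = ["missing objectclass " + oc for oc in sorted(REQUIRED_OCS - ocs)]
    if not attrs.get("ipauniqueid"):
        problems.append("missing ipaUniqueId")
    return problems

if __name__ == "__main__":
    for name, text in (("before", UPG_BEFORE), ("after", DETACHED_AFTER)):
        print(name, detach_problems(text) or "OK")
```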

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0 - 2010/11

7 years ago
