Does Managed Entry Definition with a modify operation only triggers by changing the RDN (i.e. uid)

[fostermi]

I'm setting up the MEP plugin to create User Private Groups for posixAccounts as described here: https://www.port389.org/docs/389ds/design/managed-entry-design.html. I have existing users that I'd like to configure as posixAccounts and have their UPG created.

It works fine when creating new accounts, but supposedly its supposed to work with modify operations as well. However, modifying an entry to create their posix attributes (account, loginShell, uidNumber, etc) don't trigger the plugin. Furthermore, I've found that the only attribute that will trigger the plugin and create the user private groups is by changing the RDN (in my caseuid) of the user, which isn't ideal. I can change the uid, which triggers the plugin creating the posixGroup, and change it back to the original uid, but that's not a great solution as if there is a directory sync in between those two events, then any application configured to use uid as its username then will probably do something not nice like create a duplicate account.

Is changing the RDN the only way to trigger the plugin and not any random attribute?

[fostermi]

Ah, for the record, I don't need the MEP functionality for my purposes. Per RedHat, when using SSSD for auth, there is a config setting auto_private_groups whereby the host will create these groups automatically removing the necessity of managing another group object in LDAP for this, which is better.

[tbordaz]

Hi @fostermi , managed entry plugin create a "managed entry" only if the origin entry fulfill requirement (scope, filter,..). This is why it is triggered only on ADD/MODRDN. On MOD it is triggered at the condition the targeted entry is already an 'origin entry' (mepManagedEntry).