Perry Smith wrote:
> 
> 
>> On Oct 11, 2018, at 12:51 AM, Alexander Bokovoy via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On Wed, 10 Oct 2018, Perry Smith via FreeIPA-users wrote:
>>> Two questions for this group:
>>>
>>> 1) Is there a way to get it to not look for the SRV record in the
>>> first place?
>>>
>>> 2) On a completely different topic, how do I install the “memberof”
>>> plug-in?
>>> At least, I think that’s what I need / want.  I need to do LDAP
>>> filter for members
>>> of a group and currently my LDAP records do not have memberof but
>>> instead have
>>> memberUid (and that is only in compat and not in accounts)
>>>
>>> I hope it's OK to mix two questions into one email.
>> It would be if you'd provide more details to allow helping you. How are
>> you inferring that there is no 'memberof' plugin enabled? FreeIPA does
>> not allow retrieving membership information for non-authenticated
>> connections from the primary subtree (cn=accounts,$SUFFIX). If you are
>> checking without authentication, that's your problem.
> 
> The DNS issue was hard to solve but I finally managed to get the bind9
> and freeipa code
> from ppa:freeipa/staging so the DNS is working and the ipa command line
> commands no
> longer pause 30 seconds.
> 
> The LDAP question was solved as Alexander suggested — by authenticating
> first.  I’m
> curious what the reason is for this?  From the compat entries, one can
> deduce the
> members of the groups.

The groups a user is in are not a secret but memberof contains more than
just group membership.

It also includes what permissions in IPA the user has, HBAC rules, sudo
rules and more. That is what we want to protect.

rob