Hello, I have a non-IPA-aware application to successfully log in users from IPA's LDAP. However, I cannot make it work with group membership. It seems that the LDAP filter is not working, and using LDAP search proves that the app is not wrong.
So, what I have: myself (ptselios) member of the group grafana-adms. The group is stored as:

ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(cn=grafana-adms))" -h localhost -p 389 -s sub

dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-120251393-583861438-3385547448-1050
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: grafana-adms
description:: blabla
ipaUniqueID: ccc54368-ce1d-11e8-b523-06db1b82a33a
gidNumber: 690200050

Now, when I search with the memberuid I get an empty response:

ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" -b "cn=groups,cn=accounts,dc=example,dc=com" "(&(objectClass=groupOfNames)(memberuid=ptselios))" -h localhost -p 389 -s sub

# search result
search: 2
result: 0 Success

# numResponses: 1

Obviously, the filter is wrong, but what is the correct one?
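
Added example, not part of the original post: the group entry shown above lists its members as full DNs in member and shows no memberuid attribute, so this sketch builds a filter on member from a validated uid and checks both filters against a constructed copy of that entry. The function names, the uid whitelist and the simplified case-insensitive matcher are assumptions of this example.

```python
import re

# Constructed copy of the group entry from the post (trimmed to the relevant attributes).
GROUP_LDIF = """\
dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
objectClass: groupofnames
objectClass: posixgroup
cn: grafana-adms
gidNumber: 690200050
"""
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"

def parse_entry(ldif):
    """Parse one unfolded LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
    return entry

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_filter(uid, users_base=USERS_BASE):
    """Build a group search filter on the member DN for a login name."""
    # Assumption: uids are restricted to this whitelist; anything else is
    # rejected so a login name can never inject DN or filter syntax.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", uid):
        raise ValueError("unexpected characters in uid")
    user_dn = "uid=%s,%s" % (uid, users_base)
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def has_value(entry, attr, value):
    """Simplified equality match: case-insensitive, no DN normalisation."""
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

ENTRY = parse_entry(GROUP_LDIF)

if __name__ == "__main__":
    print(member_filter("ptselios"))
    print("memberuid=ptselios matches:", has_value(ENTRY, "memberuid", "ptselios"))
    print("member=<user DN> matches:",
          has_value(ENTRY, "member", "uid=ptselios," + USERS_BASE))
```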