Thanks a lot Flo.
________________________________
From: Florence Blanc-Renaud <f...@redhat.com>
Sent: 20 May 2022 13:12
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Angus Clarke <an...@charworth.com>
Subject: Re: [Freeipa-users] hostgroup automember rules

Hi,

On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
Hello

FreeIPA 4.6.8

We are very happy with hostgroup automember rules based on servername attribute 
however one of our internal customers uses a generic servername template for 
all of their servers regardless of its function.

So I'm wondering what other attributes I might use for hostgroup automember - 
perhaps some of the attributes can be configured by the ipa-client-install (the 
host's "description" field perhaps) although I don't see such mention in the 
man page ... Presumably they could use a different enrollment user 
("enrolledby") for each of their hostgroup functions (not ideal.)

There are various attribute fields in the WebUI but I don't find much 
documentation for them. What is the "l" field - perhaps I can exploit this 
somehow?

The automember group functionality is described in this chapter: Automating 
group membership using IdM CLI 
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/automating-group-membership-using-idm-cli_managing-users-groups-hosts#doc-wrapper>.
You can define a new hostgroup with an automember rule based on any attribute 
defined in the schema. Just be aware that the conditions are defined using 
Perl-compatible regular expressions (PCRE) format.
The 'l' attribute is an alias for 'locality' or 'localityname' and can contain 
any string. For any attribute you can find its description in the LDAP schema.

The host entries have multiple object classes. For instance if you run
ipa host-show server.ipa.test --all --raw
you can see all its objectclasses:
  objectClass: top
  objectClass: ipaobject
  objectClass: nshost
  objectClass: ipahost
  objectClass: ipaservice
  objectClass: pkiuser
  objectClass: krbprincipalaux
  objectClass: krbprincipal
  objectClass: krbticketpolicyaux
  objectClass: ipasshhost
  objectClass: ipaSshGroupOfPubKeys

Each object class defines the mandatory/optional attributes that the entry can 
contain. For instance in order to find the attributes for the nshost 
objectclass:
ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base objectclasses | grep -i nshost
objectclasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )

The nshost objectclass allows the presence of serverhostname, description, l 
etc...
Now to find what description can contain:
ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base attributetypes | grep -i description
attributetypes: ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 4519' )

The SYNTAX part defines the type of data (RFC 4517 
<https://datatracker.ietf.org/doc/html/rfc4517#section-3.3.6> defines 
1.3.6.1.4.1.1466.115.121.1.15 as a DirectoryString).
With this knowledge, you can pick an attribute where you want to store 
information that can be used to group the hosts together, and create the 
matching rule using this attribute.

If you are curious about LDAP schema in general, you can read RFC 4519 
<https://www.ietf.org/rfc/rfc4519.txt>.
HTH,
flo



Any advice gladly received.

Thanks a lot
Angus
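The schema lookup and the regex-based automember matching that Flo describes, as an added, stand-alone Python example (not FreeIPA's own code): it parses an 'objectclasses' line of the kind the ldapsearch command prints, lists the optional attributes a host entry is not yet using (candidates for storing grouping information), and evaluates inclusive/exclusive regex conditions against a raw host entry the way an automember rule would. The host entry values are constructed; the match logic (at least one inclusive hit, no exclusive hit) is a simplified model of the automember plugin, and Python's re module stands in for PCRE.

```python
import re

# Constructed sample: the nsHost objectclass definition as printed by the
# ldapsearch command in the thread, and a host entry in the style of
# 'ipa host-show --all --raw' (attribute values are made up).
NSHOST_SCHEMA = ("( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' "
                 "SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ "
                 "nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )")

RAW_HOST = """fqdn: web01.ipa.test
l: paris-dc1-web
description: generic template host
objectClass: top
objectClass: nshost
objectClass: ipahost
"""

def schema_attrs(objectclass_def):
    """Return (must, may) attribute name lists from an LDAP objectclass definition."""
    def section(keyword):
        # Either a parenthesised '$'-separated list or a single bare attribute name.
        m = re.search(rf"\b{keyword}\s+(\(([^)]*)\)|(\S+))", objectclass_def)
        if not m:
            return []
        body = m.group(2) if m.group(2) is not None else m.group(3)
        return [a.strip() for a in body.split("$") if a.strip()]
    return section("MUST"), section("MAY")

def parse_raw_entry(text):
    """Parse 'attr: value' lines into a dict of value lists (attribute names lower-cased)."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

def free_optional_attrs(entry, objectclass_def):
    """Optional attributes of the objectclass not yet set on the entry."""
    _, may = schema_attrs(objectclass_def)
    return [a for a in may if a.lower() not in entry]

def automember_match(entry, inclusive, exclusive=()):
    """Simplified automember evaluation (assumption, not the 389-ds plugin itself):
    member if any value of a keyed attribute matches at least one inclusive regex
    and no value matches any exclusive regex. Conditions are (attribute, regex)."""
    def hits(conds):
        return any(re.search(rx, v) for key, rx in conds for v in entry.get(key.lower(), []))
    return hits(inclusive) and not hits(exclusive)
```

On a real server the inclusive condition tested here corresponds to `ipa automember-add-condition --type=hostgroup --key=l --inclusive-regex='-web$' <hostgroup>` after the value has been stored in the host's `l` attribute.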
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure