On 11/04/2011 05:12 PM, Dan Scott wrote:
On Fri, Nov 4, 2011 at 19:07, Rich Megginson<rmegg...@redhat.com>  wrote:
On 11/04/2011 04:51 PM, Dan Scott wrote:
Hi,

On Fri, Nov 4, 2011 at 18:13, Rob Crittenden<rcrit...@redhat.com>    wrote:
Dan Scott wrote:
Hi,

On Fri, Nov 4, 2011 at 17:38, Stephen Ingram<sbing...@gmail.com>
  wrote:
On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott<danieljamessc...@gmail.com>
  wrote:
ldapsearch -b cn=users,cn=accounts,dc=example,dc=com \
  "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))" \
  -x

In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.

Can someone help me modify the above command so that I can find users,
using their email address, who are also members of a particular group?
Preferably using one command.
Dan-

It looks like you are missing the cn=accounts in your filter:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com \
  "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))" \
  -x ...
Thanks for spotting that, it was an error from when I was removing my
domain information.

However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.

Thanks,

Dan
memberof should exist. memberof should be calculated on the fly from the
member information. I'm not sure why you aren't seeing it.

You can try this, substituting for your domain:

# /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' \
    -w - -b dc=example,dc=com -f "(objectclass=*)" -v

This should rebuild the memberof values.
Thanks for the tip, but it doesn't seem to be working. I run the
command and get a response. It says:

adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf task, cn=tasks, cn=config"
modify complete

But the memberOf attributes don't appear (on either server - I have 2
servers replicating).

There are a couple of suspicious errors in the dirsrv log file:

[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.

The other server contains similar lines and also shows some errors
when I rebooted the first server. But eventually it shows:

Replication bind with GSSAPI auth resumed

So I guess it's all OK?
I don't see any problems there.

Do you have objectclass: inetUser in your user entries?
Yep. That attribute exists for all of the users that I checked.
Find a user that should exist in a group, e.g. uid=dscott,...the rest of the dn...
Do a search for the group that should contain that user, e.g.
ldapsearch -x -b dc=example,dc=com '(member=uid=dscott,...the rest of the dn...)'

Does it return the group entry?
Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
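The two-step lookup Rich is describing (read the group entry's member values, then match those DNs against the users carrying the e-mail address), as an added example that is not code from this thread or from the FreeIPA / 389-ds projects. It also escapes the address per RFC 4515 before it is placed in a filter, because interpolating a shell variable like ${email_address} unescaped lets a value such as `*)(uid=*` rewrite the filter. All LDIF below is constructed sample data; the DNs are assumed to follow the thread's cn=users,cn=accounts,dc=example,dc=com layout, and the ldapsearch_argv helper only builds the command line, it does not run it.

```python
"""Group-membership lookup without memberOf, plus RFC 4515 filter escaping.

Added example for the thread above; not code from the mailing list or from
FreeIPA / 389-ds. All LDIF below is constructed sample data.
"""
import base64
from typing import Dict, List

# RFC 4515: these characters must be hex-escaped inside a filter assertion
# value, otherwise an interpolated "${email_address}" can rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(email: str, group_dn: str) -> str:
    """The single-query form from the thread, with both values escaped.
    Works only where the memberOf plugin has populated the user entries."""
    return "(&(mail=%s)(memberOf=%s))" % (
        escape_filter_value(email), escape_filter_value(group_dn))


def ldapsearch_argv(base: str, ldap_filter: str, *attrs: str) -> List[str]:
    """argv for ldapsearch (built, not executed here): passing the filter as
    one argv element avoids a second round of shell word-splitting."""
    return ["ldapsearch", "-x", "-LLL", "-b", base, ldap_filter, *attrs]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal parser for ldapsearch -LLL output: folded lines (leading
    space), base64 values ("attr:: ..."), comments, blank-line separators."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def group_members(group_ldif: str, group_dn: str) -> List[str]:
    """Step 1: member DNs of the group entry (lower-cased as a rough DN
    normalisation; real DN comparison also folds spaces around commas)."""
    for entry in parse_ldif(group_ldif):
        if entry.get("dn", [""])[0].lower() == group_dn.lower():
            return [m.lower() for m in entry.get("member", [])]
    return []


def users_by_mail_in_group(users_ldif: str, group_ldif: str,
                           email: str, group_dn: str) -> List[str]:
    """Step 2: intersect the users carrying the mail address with the
    group's member list. Returns the matching user DNs."""
    members = set(group_members(group_ldif, group_dn))
    return [entry["dn"][0] for entry in parse_ldif(users_ldif)
            if "dn" in entry
            and email.lower() in [m.lower() for m in entry.get("mail", [])]
            and entry["dn"][0].lower() in members]


# Constructed sample data (assumed DNs in the thread's dc=example,dc=com tree).
GROUP_DN = "cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com"
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"

SAMPLE_GROUP_LDIF = f"""\
# constructed: what `ldapsearch -x -LLL -s base -b {GROUP_DN} member` would print
dn: {GROUP_DN}
member: uid=dscott,{USERS_BASE}
member: uid=alice,{USERS_BASE}
"""

SAMPLE_USERS_LDIF = f"""\
# constructed: what `ldapsearch -x -LLL -b {USERS_BASE} mail` would print
dn: uid=dscott,{USERS_BASE}
mail: dscott@example.com

dn: uid=bob,{USERS_BASE}
mail:: {base64.b64encode(b"dscott@example.com").decode()}

dn: uid=alice,{USERS_BASE}
mail: alice@exam
 ple.com
"""

if __name__ == "__main__":
    # bob shares the address but is not a member; alice is a member with
    # another address; only dscott satisfies both conditions.
    print(users_by_mail_in_group(SAMPLE_USERS_LDIF, SAMPLE_GROUP_LDIF,
                                 "dscott@example.com", GROUP_DN))
    print(ldapsearch_argv(USERS_BASE, membership_filter("x*)(uid=*", GROUP_DN)))
```

Against a live server the same logic is two ldapsearch calls: one with `-s base -b <group dn> member` to get step 1, one over the users container with `(mail=<escaped address>)` for step 2, feeding the second command's LDIF into `users_by_mail_in_group`. Once fixup-memberof.pl has actually populated memberOf, `membership_filter` gives the one-command form Dan asked for, and the escaping matters just as much there.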