On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote:
> Hi,
> 
> I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
> almost done. I just have a few custom LDAP searches to migrate.
> 
> With the old system, I was trying to look users who are in a
> particular group by their email address i.e.
> 
> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com"
> -x
> 
> In version 2, it looks like the memberOf attributes have been removed
> from the user entries and the user group membership information is
> stored only in the 'member' attribute of the individual group entries.


memberOf exists, but you have to be connecting to LDAP with an
authenticated user who has privilege to see the memberOf attribute. I
believe (Rob can correct me) this means either an administrator or a
host principal.

So if you try doing (from an enrolled client):

kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail={email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com"

You should get results.

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to