On Mon, Nov 7, 2011 at 08:20, Stephen Gallagher <sgall...@redhat.com> wrote:
> On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote:
>> Hi,
>> I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
>> almost done. I just have a few custom LDAP searches to migrate.
>> With the old system, I was trying to look up users who are in a
>> particular group by their email address i.e.
>> ldapsearch -x -b cn=users,cn=accounts,dc=example,dc=com "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>> In version 2, it looks like the memberOf attributes have been removed
>> from the user entries and the user group membership information is
>> stored only in the 'member' attribute of the individual group entries.
> memberOf exists, but you have to be connecting to LDAP with an
> authenticated user who has privilege to see the memberOf attribute. I
> believe (Rob can correct me) this means either an administrator or a
> host principal.
> So if you try doing (from an enrolled client):
> kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
> ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com "(&(mail={email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
> You should get results.

It works! Excellent. Thanks so much.
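An added example, not from the thread: a POSIX shell helper that builds the filter from the reply above with the substituted address escaped per RFC 4515 (so a stray `(`, `)`, `*` or `\` in the input cannot leave the filter malformed), then runs the authenticated GSSAPI search. Assumptions: `hostname -f` supplies the `<fqdn>`, `IPAREALM` stays the thread's placeholder realm, and the address is passed as the script's first argument.

```shell
#!/bin/sh
# Added example (not from the thread). Base DN and group DN are the
# thread's example values; IPAREALM is the thread's placeholder realm.

# Escape one value for use inside an LDAP search filter (RFC 4515).
# Backslash must be handled first so the escapes it introduces for the
# other characters are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g' \
                           -e 's/\*/\\2a/g'
}

# Build the filter from the reply: users with this mail that are members
# of the given group. Only the mail value is caller-supplied, so only it
# is escaped; the group DN is a fixed, trusted string.
member_mail_filter() {
    email=$(ldap_filter_escape "$1")
    group_dn=$2
    printf '(&(mail=%s)(memberOf=%s))' "$email" "$group_dn"
}

# Authenticate as the host principal from the enrolled client's keytab
# (memberOf is not returned to an anonymous bind) and run the search.
lookup_member_by_mail() {
    base_dn='cn=users,cn=accounts,dc=example,dc=com'
    group_dn='cn=usergroup,cn=groups,dc=example,dc=com'
    # Assumption: hostname -f yields the <fqdn> used in the keytab entry.
    kinit -k -t /etc/krb5.keytab "host/$(hostname -f)@IPAREALM" || return 1
    ldapsearch -Y GSSAPI -b "$base_dn" \
        "$(member_mail_filter "$1" "$group_dn")" mail memberOf
}

# Run the live search only when an address is given on the command line.
if [ "$#" -gt 0 ]; then
    lookup_member_by_mail "$1"
fi
```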
