On Mon, Nov 7, 2011 at 08:20, Stephen Gallagher <sgall...@redhat.com> wrote:
> On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote:
>> Hi,
>>
>> I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
>> almost done. I just have a few custom LDAP searches to migrate.
>>
>> With the old system, I was trying to look up users who are in a
>> particular group by their email address, i.e.
>>
>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>> -x
>>
>> In version 2, it looks like the memberOf attributes have been removed
>> from the user entries and the user group membership information is
>> stored only in the 'member' attribute of the individual group entries.
>
>
> memberOf exists, but you have to be connecting to LDAP with an
> authenticated user who has privilege to see the memberOf attribute. I
> believe (Rob can correct me) this means either an administrator or a
> host principal.
>
> So if you try doing (from an enrolled client):
>
> kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
> ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
> "(&(mail={email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>
> You should get results.

It works! Excellent. Thanks so much.

Dan
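
The search discussed in this thread interpolates an email address straight into the LDAP filter. As an added example (not part of the original thread or of FreeIPA), the script below builds the same `mail` + `memberOf` filter with RFC 4515 escaping and balanced parentheses before passing it to the authenticated `ldapsearch -Y GSSAPI` call. The function names are hypothetical, and the DNs are the example.com values quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Base and group DNs are the
# example.com values quoted in the thread.
USERS_BASE='cn=users,cn=accounts,dc=example,dc=com'
GROUP_DN='cn=usergroup,cn=groups,dc=example,dc=com'

# Escape the RFC 4515 filter metacharacters \ * ( ) in an assertion value.
# Backslash goes first so the escapes added afterwards are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build the balanced AND filter: mail equals $1 and memberOf equals $2.
build_member_filter() {
    printf '(&(mail=%s)(memberOf=%s))' "$(ldap_escape "$1")" "$(ldap_escape "$2")"
}

# Run the search over GSSAPI. This needs a Kerberos ticket first (for example
# the host keytab kinit shown in the thread), since the thread reports that
# memberOf is only visible to an authenticated bind.
search_group_member_by_mail() {
    ldapsearch -Y GSSAPI -LLL -b "$USERS_BASE" \
        "$(build_member_filter "$1" "$GROUP_DN")" uid mail memberOf
}

# Constructed sample input containing every metacharacter; this only prints
# the resulting filter and does not contact a server.
build_member_filter 'a*(b)\c@example.com' "$GROUP_DN"
echo
```

With escaping in place, a `*` or parenthesis in the supplied address is matched literally instead of changing the shape of the filter.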