On 04/30/2013 10:48 AM, JR Aquino wrote:
On Apr 30, 2013, at 10:43 AM, John Moyer <john.mo...@digitalreasoning.com>
  wrote:

One thing to add is that this build user only has the following access:

Host Administrators
Host enrollment

Would he need more access to do the membership?  My original thought was that 
technically the user is not doing the addition to the group it's the system 
technically doing it so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan 
Kinder may need to refresh my memory), but the 389 plugin, should be catching 
the insertion of the new object, then match the watched-attribute, and execute 
the hostgroup assignment based upon the rights of the plugin rather than that 
of the user.
This is correct. The user doesn't matter, as the operation that deals with the group membership is done internally by the AutoMember plug-in.

Would it be possible to ask you to do an automember-find --type=hostgroup on 
the CLI and send it back to the thread?

If we are missing something or if we have any bugs in there, we need to get 
them identified and fixed.


Thanks,
_____________________________________________________
John Moyer
On Apr 30, 2013, at 1:21 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 9:30 AM, John Moyer 
<john.mo...@digitalreasoning.com<mailto:john.mo...@digitalreasoning.com>> wrote:

Anyone have any suggestions to using the auto member function in IPA?  I've tried to set it up so 
if a server is enrolled by a user called "build" then it should add it to a specific 
server group.   I put in an inclusive rule and the expression is just "build", but it 
doesn't work.  Do I need to specify more than just build in the expression area?


That -should- be enough to catch new hosts that are built by the 'build' user.

Can you verify that the Attribute you are matching on is: "enrolledby" ?


"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 
93117<x-apple-data-detectors://0/0>
T:  +1 805.690.3478<tel:+1%C2%A0805.690.3478>
C: +1 805.717.0365<tel:+1%20805.717.0365>
jr.aqu...@citrix.com<mailto:jr.aqu...@citrixonline.com>
http://www.citrixonline.com<http://www.citrixonline.com/>

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 
93117<x-apple-data-detectors://0/0>
T:  +1 805.690.3478<tel:+1%C2%A0805.690.3478>
C: +1 805.717.0365<tel:+1%20805.717.0365>
jr.aqu...@citrix.com<mailto:jr.aqu...@citrixonline.com>
http://www.citrixonline.com<http://www.citrixonline.com/>



Thanks,
_____________________________________________________
John Moyer


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to