On Apr 30, 2013, at 11:02 AM, John Moyer <john.mo...@digitalreasoning.com>
 wrote:

> It comes back with a ton of stuff; the row you are probably interested in is 
> this one: 
> 
> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo!

Ok, try to adjust your automember rule.

Delete your previous inclusive regex, and replace it with 
uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick.

> Thanks, 
> _____________________________________________________
> John Moyer
> 
> 
> On Apr 30, 2013, at 1:57 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
> 
>> On Apr 30, 2013, at 10:52 AM, John Moyer <john.mo...@digitalreasoning.com>
>> wrote:
>> 
>>> Not a problem, here is the output
>>> 
>>> ipa automember-find --type=hostgroup
>>> ---------------
>>> 1 rules matched
>>> ---------------
>>> Automember Rule: test-group
>>> Inclusive Regex: enrolledby=build
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> 
>> 
>> interesting.
>> 
>> When you do an: ipa host-show test-hostname.example.com --all --raw
>> 
>> Does it clearly show that enrolledby=build?
>> 
>>> 
>>> 
>>> Thanks, 
>>> _____________________________________________________
>>> John Moyer
>>> 
>>> 
>>> On Apr 30, 2013, at 1:48 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>> 
>>>> On Apr 30, 2013, at 10:43 AM, John Moyer <john.mo...@digitalreasoning.com>
>>>> wrote:
>>>> 
>>>>> One thing to add is that this build user only has the following access: 
>>>>> 
>>>>> Host Administrators
>>>>> Host enrollment 
>>>>> 
>>>>> Would he need more access to do the membership?  My original thought was 
>>>>> that technically the user is not doing the addition to the group; it's the 
>>>>> system technically doing it, so there shouldn't be a permissions issue. 
>>>>> 
>>>> 
>>>> The user's roles shouldn't really matter to the best of my knowledge 
>>>> (Nathan Kinder may need to refresh my memory), but the 389 plugin should 
>>>> be catching the insertion of the new object, then match the 
>>>> watched-attribute, and execute the hostgroup assignment based upon the 
>>>> rights of the plugin rather than that of the user.
>>>> 
>>>> Would it be possible to ask you to do an automember-find --type=hostgroup 
>>>> on the CLI and send it back to the thread?
>>>> 
>>>> If we are missing something or if we have any bugs in there, we need to 
>>>> get them identified and fixed.
>>>> 
>>>> 
>>>>> Thanks, 
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>>>> 
>>>>>> 
>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer 
>>>>>> <john.mo...@digitalreasoning.com> wrote:
>>>>>> 
>>>>>> Anyone have any suggestions for using the auto member function in IPA?  
>>>>>> I've tried to set it up so if a server is enrolled by a user called 
>>>>>> "build" then it should add it to a specific server group.   I put in an 
>>>>>> inclusive rule and the expression is just "build", but it doesn't work.  
>>>>>> Do I need to specify more than just build in the expression area?
>>>>>> 
>>>>>> 
>>>>>> That -should- be enough to catch new hosts that are built by the 'build' 
>>>>>> user.
>>>>>> 
>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ?
>>>>>> 
>>>>>> 
>>>>>> "Keeping your head in the cloud"
>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>>>> GCIH | GIAC Certified Incident Handler
>>>>>> GWAPT | GIAC WebApp Penetration Tester
>>>>>> 
>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>>> T: +1 805.690.3478
>>>>>> C: +1 805.717.0365
>>>>>> jr.aqu...@citrix.com
>>>>>> http://www.citrixonline.com
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> _____________________________________________________
>>>>>> John Moyer
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
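
An added illustration, not part of the original thread and not FreeIPA or 389 code: the `enrolledby` value is a full DN, so an automember regex is evaluated against that whole string. The sketch uses Python's `re.search` as a stand-in for the directory server's matcher (an assumption) and two hypothetical enroller accounts to compare how many enrollers the bare `build` pattern admits versus the full DN suggested above.

```python
import re

# Constructed sample data: BUILD_DN is the enrolledby value quoted in the
# thread; the other two enroller accounts are hypothetical.
BUILD_DN = "uid=build,cn=users,cn=accounts,dc=example,dc=com"
SAMPLE_HOSTS = {
    "test-hostname.example.com": BUILD_DN,
    "web01.example.com": "uid=rebuild-svc,cn=users,cn=accounts,dc=example,dc=com",
    "db01.example.com": "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
}


def anchored_dn_regex(dn):
    """Regex that matches exactly one DN: metacharacters escaped, both ends anchored."""
    return "^" + re.escape(dn) + "$"


def rule_matches(value, inclusive, exclusive=()):
    """Automember-style decision: an exclusive hit wins, otherwise any inclusive hit."""
    if any(re.search(p, value) for p in exclusive):
        return False
    return any(re.search(p, value) for p in inclusive)


def members(inclusive, exclusive=(), hosts=SAMPLE_HOSTS):
    """Hosts whose enrolledby value satisfies the rule, sorted by name."""
    return sorted(h for h, dn in hosts.items()
                  if rule_matches(dn, inclusive, exclusive))


if __name__ == "__main__":
    candidates = [
        ("bare 'build'", "build"),
        ("full DN", BUILD_DN),
        ("anchored DN", anchored_dn_regex(BUILD_DN)),
    ]
    for label, pattern in candidates:
        print(f"{label:14} -> {members([pattern])}")
```

Because hostgroup membership usually feeds HBAC and sudo rules, the pattern that admits only the intended enroller is the one to keep.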

