I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either.
This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --------------- 1 rules matched --------------- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com ---------------------------- Number of entries returned 1 ---------------------------- Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino <[email protected]> wrote: > On Apr 30, 2013, at 11:02 AM, John Moyer <[email protected]> > wrote: > >> It comes back with a ton of stuff the row you are probably interested in is >> this one: >> >> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com > > Bingo! > > Ok, try to adjust your automember rule. > > Delete your previous inclusive regex, and replace it with > uid=build,cn=users,cn=accounts,dc=example,dc=com > > See if that does the trick > >> Thanks, >> _____________________________________________________ >> John Moyer >> >> >> On Apr 30, 2013, at 1:57 PM, JR Aquino <[email protected]> wrote: >> >>> On Apr 30, 2013, at 10:52 AM, John Moyer <[email protected]> >>> wrote: >>> >>>> Not a problem, here is the output >>>> >>>> ipa automember-find --type=hostgroup >>>> --------------- >>>> 1 rules matched >>>> --------------- >>>> Automember Rule: test-group >>>> Inclusive Regex: enrolledby=build >>>> ---------------------------- >>>> Number of entries returned 1 >>>> ---------------------------- >>>> >>> >>> interesting. >>> >>> When you do an: ipa host-show test-hostname.example.com --all --raw >>> >>> Does it clearly show that enrolledby=build? >>> >>>> >>>> >>>> Thanks, >>>> _____________________________________________________ >>>> John Moyer >>>> >>>> >>>> On Apr 30, 2013, at 1:48 PM, JR Aquino <[email protected]> wrote: >>>> >>>>> On Apr 30, 2013, at 10:43 AM, John Moyer <[email protected]> >>>>> wrote: >>>>> >>>>>> One thing to add is that this build user only has the following access: >>>>>> >>>>>> Host Administrators >>>>>> Host enrollment >>>>>> >>>>>> Would he need more access to do the membership? My original thought was >>>>>> that technically the user is not doing the addition to the group it's >>>>>> the system technically doing it so there shouldn't be a permissions >>>>>> issue. >>>>>> >>>>> >>>>> The user's roles shouldn't really matter to the best of my knowledge >>>>> (Nathan Kinder may need to refresh my memory), but the 389 plugin, should >>>>> be catching the insertion of the new object, then match the >>>>> watched-attribute, and execute the hostgroup assignment based upon the >>>>> rights of the plugin rather than that of the user. >>>>> >>>>> Would it be possible to ask you to do an automember-find --type=hostgroup >>>>> on the CLI and send it back to the thread? >>>>> >>>>> If we are missing something or if we have any bugs in there, we need to >>>>> get them identified and fixed. >>>>> >>>>> >>>>>> Thanks, >>>>>> _____________________________________________________ >>>>>> John Moyer >>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino <[email protected]> wrote: >>>>>> >>>>>>> >>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer >>>>>>> <[email protected]<mailto:[email protected]>> >>>>>>> wrote: >>>>>>> >>>>>>> Anyone have any suggestions to using the auto member function in IPA? >>>>>>> I've tried to set it up so if a server is enrolled by a user called >>>>>>> "build" then it should add it to a specific server group. I put in an >>>>>>> inclusive rule and the expression is just "build", but it doesn't work. >>>>>>> Do I need to specify more than just build in the expression area? >>>>>>> >>>>>>> >>>>>>> That -should- be enough to catch new hosts that are built by the >>>>>>> 'build' user. >>>>>>> >>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>>>> >>>>>>> >>>>>>> "Keeping your head in the cloud" >>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>> >>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA >>>>>>> 93117<x-apple-data-detectors://0/0> >>>>>>> T: +1 805.690.3478<tel:+1%C2%A0805.690.3478> >>>>>>> C: +1 805.717.0365<tel:+1%20805.717.0365> >>>>>>> [email protected]<mailto:[email protected]> >>>>>>> http://www.citrixonline.com<http://www.citrixonline.com/> >>>>>>> >>>>>>> "Keeping your head in the cloud" >>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>> >>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA >>>>>>> 93117<x-apple-data-detectors://0/0> >>>>>>> T: +1 805.690.3478<tel:+1%C2%A0805.690.3478> >>>>>>> C: +1 805.717.0365<tel:+1%20805.717.0365> >>>>>>> [email protected]<mailto:[email protected]> >>>>>>> http://www.citrixonline.com<http://www.citrixonline.com/> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks, >>>>>>> _____________________________________________________ >>>>>>> John Moyer >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Freeipa-users mailing list >>>>>>> [email protected]<mailto:[email protected]> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> >>>>>> >>>>> >>>> >>> >> > _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
