On Apr 30, 2013, at 11:12 AM, John Moyer <john.mo...@digitalreasoning.com>
 wrote:

> I tried adding it in addition to the current rule and that didn't work.  I 
> then deleted the old rule to only leave the rule with the full name 
> (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work 
> either.
> 
> This is the new output of that command you had me run earlier: 
> 
> ipa automember-find --type=hostgroup
> ---------------
> 1 rules matched
> ---------------
>  Automember Rule: test-group
>  Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
> ----------------------------
> Number of entries returned 1
> ----------------------------
> 

Interesting.

What about if you just do something silly like: ".*build.*"

Nathan... I believe the plugin is set to expect string values... how does it 
handle a DN such as the enrolled by above?

> 
> 
> Thanks, 
> _____________________________________________________
> John Moyer
> 
> 
> On Apr 30, 2013, at 2:07 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
> 
>> On Apr 30, 2013, at 11:02 AM, John Moyer <john.mo...@digitalreasoning.com>
>> wrote:
>> 
>>> It comes back with a ton of stuff; the row you are probably interested in 
>>> is this one: 
>>> 
>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>> 
>> Bingo!
>> 
>> Ok, try to adjust your automember rule.
>> 
>> Delete your previous inclusive regex, and replace it with 
>> uid=build,cn=users,cn=accounts,dc=example,dc=com
>> 
>> See if that does the trick
>> 
>>> Thanks, 
>>> _____________________________________________________
>>> John Moyer
>>> 
>>> 
>>> On Apr 30, 2013, at 1:57 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>> 
>>>> On Apr 30, 2013, at 10:52 AM, John Moyer <john.mo...@digitalreasoning.com>
>>>> wrote:
>>>> 
>>>>> Not a problem, here is the output
>>>>> 
>>>>> ipa automember-find --type=hostgroup
>>>>> ---------------
>>>>> 1 rules matched
>>>>> ---------------
>>>>> Automember Rule: test-group
>>>>> Inclusive Regex: enrolledby=build
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>> 
>>>> 
>>>> interesting.
>>>> 
>>>> When you do an: ipa host-show test-hostname.example.com --all --raw
>>>> 
>>>> Does it clearly show that enrolledby=build?
>>>> 
>>>>> 
>>>>> 
>>>>> Thanks, 
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> 
>>>>> 
>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>>>> 
>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer 
>>>>>> <john.mo...@digitalreasoning.com>
>>>>>> wrote:
>>>>>> 
>>>>>>> One thing to add is that this build user only has the following access: 
>>>>>>> 
>>>>>>> Host Administrators
>>>>>>> Host enrollment 
>>>>>>> 
>>>>>>> Would he need more access to do the membership?  My original thought 
>>>>>>> was that technically the user is not doing the addition to the group; 
>>>>>>> it's the system technically doing it, so there shouldn't be a 
>>>>>>> permissions issue. 
>>>>>>> 
>>>>>> 
>>>>>> The user's roles shouldn't really matter to the best of my knowledge 
>>>>>> (Nathan Kinder may need to refresh my memory), but the 389 plugin 
>>>>>> should be catching the insertion of the new object, then match the 
>>>>>> watched-attribute, and execute the hostgroup assignment based upon the 
>>>>>> rights of the plugin rather than that of the user.
>>>>>> 
>>>>>> Would it be possible to ask you to do an automember-find 
>>>>>> --type=hostgroup on the CLI and send it back to the thread?
>>>>>> 
>>>>>> If we are missing something or if we have any bugs in there, we need to 
>>>>>> get them identified and fixed.
>>>>>> 
>>>>>> 
>>>>>>> Thanks, 
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>>>>>> 
>>>>>>>> 
>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer 
>>>>>>>> <john.mo...@digitalreasoning.com> wrote:
>>>>>>>> 
>>>>>>>> Anyone have any suggestions for using the automember function in IPA?  
>>>>>>>> I've tried to set it up so if a server is enrolled by a user called 
>>>>>>>> "build" then it should add it to a specific server group.   I put in 
>>>>>>>> an inclusive rule and the expression is just "build", but it doesn't 
>>>>>>>> work.  Do I need to specify more than just build in the expression 
>>>>>>>> area?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> That -should- be enough to catch new hosts that are built by the 
>>>>>>>> 'build' user.
>>>>>>>> 
>>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby"?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> "Keeping your head in the cloud"
>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>>>>>> GCIH | GIAC Certified Incident Handler
>>>>>>>> GWAPT | GIAC WebApp Penetration Tester
>>>>>>>> 
>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>>>>> T: +1 805.690.3478
>>>>>>>> C: +1 805.717.0365
>>>>>>>> jr.aqu...@citrix.com
>>>>>>>> http://www.citrixonline.com
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> _____________________________________________________
>>>>>>>> John Moyer
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> Freeipa-users mailing list
>>>>>>>> Freeipa-users@redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 

