On Apr 30, 2013, at 11:12 AM, John Moyer <[email protected]> wrote:
> I tried adding it in addition to the current rule and that didn't work. I
> then deleted the old rule to only leave the rule with the full name
> (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work
> either.
>
> This is the new output of that command you had me run earlier:
>
> ipa automember-find --type=hostgroup
> ---------------
> 1 rules matched
> ---------------
> Automember Rule: test-group
> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
> ----------------------------
> Number of entries returned 1
> ----------------------------
>

Interesting. What about if you just do something silly like: ".*build.*"

Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?

>
> Thanks,
> _____________________________________________________
> John Moyer
>
>
> On Apr 30, 2013, at 2:07 PM, JR Aquino <[email protected]> wrote:
>
>> On Apr 30, 2013, at 11:02 AM, John Moyer <[email protected]> wrote:
>>
>>> It comes back with a ton of stuff the row you are probably interested in is
>>> this one:
>>>
>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>>
>> Bingo!
>>
>> Ok, try to adjust your automember rule.
>>
>> Delete your previous inclusive regex, and replace it with
>> uid=build,cn=users,cn=accounts,dc=example,dc=com
>>
>> See if that does the trick
>>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>>
>>>
>>> On Apr 30, 2013, at 1:57 PM, JR Aquino <[email protected]> wrote:
>>>
>>>> On Apr 30, 2013, at 10:52 AM, John Moyer <[email protected]> wrote:
>>>>
>>>>> Not a problem, here is the output
>>>>>
>>>>> ipa automember-find --type=hostgroup
>>>>> ---------------
>>>>> 1 rules matched
>>>>> ---------------
>>>>> Automember Rule: test-group
>>>>> Inclusive Regex: enrolledby=build
>>>>> ----------------------------
>>>>> Number of entries returned 1
>>>>> ----------------------------
>>>>>
>>>>
>>>> interesting.
>>>>
>>>> When you do an: ipa host-show test-hostname.example.com --all --raw
>>>>
>>>> Does it clearly show that enrolledby=build?
>>>>
>>>>>
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>>
>>>>>
>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino <[email protected]> wrote:
>>>>>
>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer <[email protected]> wrote:
>>>>>>
>>>>>>> One thing to add is that this build user only has the following access:
>>>>>>>
>>>>>>> Host Administrators
>>>>>>> Host enrollment
>>>>>>>
>>>>>>> Would he need more access to do the membership? My original thought
>>>>>>> was that technically the user is not doing the addition to the group
>>>>>>> it's the system technically doing it so there shouldn't be a
>>>>>>> permissions issue.
>>>>>>>
>>>>>>
>>>>>> The user's roles shouldn't really matter to the best of my knowledge
>>>>>> (Nathan Kinder may need to refresh my memory), but the 389 plugin,
>>>>>> should be catching the insertion of the new object, then match the
>>>>>> watched-attribute, and execute the hostgroup assignment based upon the
>>>>>> rights of the plugin rather than that of the user.
>>>>>>
>>>>>> Would it be possible to ask you to do an automember-find
>>>>>> --type=hostgroup on the CLI and send it back to the thread?
>>>>>>
>>>>>> If we are missing something or if we have any bugs in there, we need to
>>>>>> get them identified and fixed.
>>>>>>
>>>>>>
>>>>>>> Thanks,
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>>
>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Anyone have any suggestions to using the auto member function in IPA?
>>>>>>>> I've tried to set it up so if a server is enrolled by a user called
>>>>>>>> "build" then it should add it to a specific server group. I put in
>>>>>>>> an inclusive rule and the expression is just "build", but it doesn't
>>>>>>>> work. Do I need to specify more than just build in the expression
>>>>>>>> area?
>>>>>>>>
>>>>>>>>
>>>>>>>> That -should- be enough to catch new hosts that are built by the
>>>>>>>> 'build' user.
>>>>>>>>
>>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby"
>>>>>>>> ?
>>>>>>>>
>>>>>>>>
>>>>>>>> "Keeping your head in the cloud"
>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>>>>>> GCIH | GIAC Certified Incident Handler
>>>>>>>> GWAPT | GIAC WebApp Penetration Tester
>>>>>>>>
>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>>>>> T: +1 805.690.3478
>>>>>>>> C: +1 805.717.0365
>>>>>>>> [email protected]
>>>>>>>> http://www.citrixonline.com
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> _____________________________________________________
>>>>>>>> John Moyer
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Freeipa-users mailing list
>>>>>>>> [email protected]
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
