On Apr 30, 2013, at 11:23 AM, John Moyer <[email protected]> wrote:

> Ha! I tried .*build and build.* before contacting you guys, I didn't try
> .*build.*
>
> That worked, it automatically added the machine to the group!
>
> Thanks!!!!! That will save me soooo much time!
>

Not a problem John, thanks for your patience! Glad to be of help! I'm very
happy to see that some of the stuff that I use daily saves other folks time
and headaches too!

-JR

>
> Thanks,
> _____________________________________________________
> John Moyer
>
>
> On Apr 30, 2013, at 2:17 PM, JR Aquino <[email protected]> wrote:
>
>> On Apr 30, 2013, at 11:12 AM, John Moyer <[email protected]> wrote:
>>
>>> I tried adding it in addition to the current rule and that didn't work. I
>>> then deleted the old rule to only leave the rule with the full name
>>> (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work
>>> either.
>>>
>>> This is the new output of that command you had me run earlier:
>>>
>>> ipa automember-find --type=hostgroup
>>> ---------------
>>> 1 rules matched
>>> ---------------
>>> Automember Rule: test-group
>>> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>>
>>
>> Interesting.
>>
>> What about if you just do something silly like: ".*build.*"
>>
>> Nathan... I believe the plugin is set to expect string values... how does it
>> handle a DN such as the enrolled by above?
>>
>>>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>>
>>>
>>> On Apr 30, 2013, at 2:07 PM, JR Aquino <[email protected]> wrote:
>>>
>>>> On Apr 30, 2013, at 11:02 AM, John Moyer <[email protected]> wrote:
>>>>
>>>>> It comes back with a ton of stuff the row you are probably interested in
>>>>> is this one:
>>>>>
>>>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>>
>>>> Bingo!
>>>>
>>>> Ok, try to adjust your automember rule.
>>>>
>>>> Delete your previous inclusive regex, and replace it with
>>>> uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>>
>>>> See if that does the trick
>>>>
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>>
>>>>>
>>>>> On Apr 30, 2013, at 1:57 PM, JR Aquino <[email protected]> wrote:
>>>>>
>>>>>> On Apr 30, 2013, at 10:52 AM, John Moyer <[email protected]> wrote:
>>>>>>
>>>>>>> Not a problem, here is the output
>>>>>>>
>>>>>>> ipa automember-find --type=hostgroup
>>>>>>> ---------------
>>>>>>> 1 rules matched
>>>>>>> ---------------
>>>>>>> Automember Rule: test-group
>>>>>>> Inclusive Regex: enrolledby=build
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 1
>>>>>>> ----------------------------
>>>>>>>
>>>>>>
>>>>>> interesting.
>>>>>>
>>>>>> When you do an: ipa host-show test-hostname.example.com --all --raw
>>>>>>
>>>>>> Does it clearly show that enrolledby=build?
>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>>
>>>>>>>
>>>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> One thing to add is that this build user only has the following
>>>>>>>>> access:
>>>>>>>>>
>>>>>>>>> Host Administrators
>>>>>>>>> Host enrollment
>>>>>>>>>
>>>>>>>>> Would he need more access to do the membership? My original thought
>>>>>>>>> was that technically the user is not doing the addition to the group
>>>>>>>>> it's the system technically doing it so there shouldn't be a
>>>>>>>>> permissions issue.
>>>>>>>>>
>>>>>>>>
>>>>>>>> The user's roles shouldn't really matter to the best of my knowledge
>>>>>>>> (Nathan Kinder may need to refresh my memory), but the 389 plugin,
>>>>>>>> should be catching the insertion of the new object, then match the
>>>>>>>> watched-attribute, and execute the hostgroup assignment based upon the
>>>>>>>> rights of the plugin rather than that of the user.
>>>>>>>>
>>>>>>>> Would it be possible to ask you to do an automember-find
>>>>>>>> --type=hostgroup on the CLI and send it back to the thread?
>>>>>>>>
>>>>>>>> If we are missing something or if we have any bugs in there, we need
>>>>>>>> to get them identified and fixed.
>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> _____________________________________________________
>>>>>>>>> John Moyer
>>>>>>>>>
>>>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Anyone have any suggestions to using the auto member function in
>>>>>>>>>> IPA? I've tried to set it up so if a server is enrolled by a user
>>>>>>>>>> called "build" then it should add it to a specific server group. I
>>>>>>>>>> put in an inclusive rule and the expression is just "build", but it
>>>>>>>>>> doesn't work. Do I need to specify more than just build in the
>>>>>>>>>> expression area?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> That -should- be enough to catch new hosts that are built by the
>>>>>>>>>> 'build' user.
>>>>>>>>>>
>>>>>>>>>> Can you verify that the Attribute you are matching on is:
>>>>>>>>>> "enrolledby" ?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "Keeping your head in the cloud"
>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>>>>>>>> GCIH | GIAC Certified Incident Handler
>>>>>>>>>> GWAPT | GIAC WebApp Penetration Tester
>>>>>>>>>>
>>>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>>>>>>> T: +1 805.690.3478
>>>>>>>>>> C: +1 805.717.0365
>>>>>>>>>> [email protected]
>>>>>>>>>> http://www.citrixonline.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> _____________________________________________________
>>>>>>>>>> John Moyer
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
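
Added example, not part of the thread and not FreeIPA or 389 Directory Server code: the rule that worked above, `.*build.*`, accepts any `enrolledby` value containing the substring `build`, so it is worth checking a pattern against sample DNs before loading it. The sketch uses Python's `re` as a stand-in and tries both substring and whole-value matching, because the thread does not establish how the plugin anchors patterns. Every DN except the first is constructed, and the narrower pattern `.*uid=build,.*` is an assumption to confirm on a test host.

```python
import re

# Sample enrolledby values. Only the first appears in the thread;
# the others are constructed to show what a broad pattern also accepts.
SAMPLES = [
    "uid=build,cn=users,cn=accounts,dc=example,dc=com",
    "uid=rebuild-svc,cn=users,cn=accounts,dc=example,dc=com",  # constructed
    "uid=builder,cn=users,cn=accounts,dc=example,dc=com",      # constructed
    "uid=admin,cn=users,cn=accounts,dc=example,dc=com",        # constructed
]
INTENDED = {SAMPLES[0]}  # the only enroller the rule is meant to select


def matches(pattern, value, whole_value):
    """Test one value under substring (search) or whole-value matching."""
    rx = re.compile(pattern)
    return bool(rx.fullmatch(value) if whole_value else rx.search(value))


def audit(pattern, samples=SAMPLES, intended=INTENDED):
    """Return {model: (missed, unintended)} for both anchoring models."""
    report = {}
    for model, whole in (("search", False), ("fullmatch", True)):
        hit = {s for s in samples if matches(pattern, s, whole)}
        report[model] = (sorted(intended - hit), sorted(hit - intended))
    return report


def is_safe(pattern):
    """True only if the pattern selects exactly the intended DN
    no matter which anchoring model the real engine uses."""
    return all(not missed and not extra
               for missed, extra in audit(pattern).values())


if __name__ == "__main__":
    # Patterns from the thread plus one hypothetical narrower candidate.
    for pat in ("build", ".*build", "build.*", ".*build.*", ".*uid=build,.*"):
        print(f"{pat!r}: safe={is_safe(pat)}")
        for model, (missed, extra) in audit(pat).items():
            print(f"  {model:9} missed={len(missed)} unintended={extra}")
```
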
