I've got about 30mins before I get into my next meeting. Are you able to hop into IRC in Freenode to work in realtime on #freeipa?
"Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117<x-apple-data-detectors://0/0> T: +1 805.690.3478<tel:+1%C2%A0805.690.3478> C: +1 805.717.0365<tel:+1%20805.717.0365> [email protected]<mailto:[email protected]> http://www.citrixonline.com<http://www.citrixonline.com/> On Apr 30, 2013, at 12:23 PM, John Moyer <[email protected]<mailto:[email protected]>> wrote: So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Anymore ideas? The target is specified by the rule name test-group is the target. Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 2:25 PM, Dmitri Pal <[email protected]<mailto:[email protected]>> wrote: On 04/30/2013 02:17 PM, JR Aquino wrote: On Apr 30, 2013, at 11:12 AM, John Moyer <[email protected]<mailto:[email protected]>> wrote: I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --------------- 1 rules matched --------------- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com ---------------------------- Number of entries returned 1 ---------------------------- Interesting. What about if you just do something silly like: ".*build.*" Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? Don't you need to specify target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it. Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino <[email protected]<mailto:[email protected]>> wrote: On Apr 30, 2013, at 11:02 AM, John Moyer <[email protected]<mailto:[email protected]>> wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino <[email protected]<mailto:[email protected]>> wrote: On Apr 30, 2013, at 10:52 AM, John Moyer <[email protected]<mailto:[email protected]>> wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --------------- 1 rules matched --------------- Automember Rule: test-group Inclusive Regex: enrolledby=build ---------------------------- Number of entries returned 1 ---------------------------- interesting. When you do an: ipa host-show test-hostname.example.com<http://test-hostname.example.com> --all --raw Does it clearly show that enrolledby=build? Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino <[email protected]<mailto:[email protected]>> wrote: On Apr 30, 2013, at 10:43 AM, John Moyer <[email protected]<mailto:[email protected]>> wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino <[email protected]<mailto:[email protected]>> wrote: On Apr 30, 2013, at 9:30 AM, John Moyer <[email protected]<mailto:[email protected]><mailto:[email protected]>> wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: "enrolledby" ? "Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117<x-apple-data-detectors://0/0> T: +1 805.690.3478<tel:+1%C2%A0805.690.3478> C: +1 805.717.0365<tel:+1%20805.717.0365> [email protected]<mailto:[email protected]><mailto:[email protected]> http://www.citrixonline.com<http://www.citrixonline.com/> "Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117<x-apple-data-detectors://0/0> T: +1 805.690.3478<tel:+1%C2%A0805.690.3478> C: +1 805.717.0365<tel:+1%20805.717.0365> [email protected]<mailto:[email protected]> http://www.citrixonline.com<http://www.citrixonline.com/> Thanks, _____________________________________________________ John Moyer _______________________________________________ Freeipa-users mailing list [email protected]<mailto:[email protected]> https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list [email protected]<mailto:[email protected]> https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/> _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
