I've got about 30mins before I get into my next meeting.

Are you able to hop into IRC in Freenode to work in realtime on #freeipa?

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrix.com
http://www.citrixonline.com

On Apr 30, 2013, at 12:23 PM, John Moyer <john.mo...@digitalreasoning.com> wrote:

So I must have looked at the wrong server name. I just tried to add 4 more 
servers and none of them worked.   Any more ideas?   The target is specified by 
the rule name; test-group is the target.

Thanks,
_____________________________________________________
John Moyer


On Apr 30, 2013, at 2:25 PM, Dmitri Pal <d...@redhat.com> wrote:

On 04/30/2013 02:17 PM, JR Aquino wrote:
On Apr 30, 2013, at 11:12 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

I tried adding it in addition to the current rule and that didn't work.  I then 
deleted the old rule to only leave the rule with the full name 
(uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either.

This is the new output of that command you had me run earlier:

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
Automember Rule: test-group
Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 1
----------------------------

Interesting.

What about if you just do something silly like: ".*build.*"

Nathan... I believe the plugin is set to expect string values... how does it 
handle a DN such as the enrolled by above?


Don't you need to specify target group?
It might be that the filter is working but it is not placing it anywhere
because nothing is specifying where to place it.




Thanks,
_____________________________________________________
John Moyer


On Apr 30, 2013, at 2:07 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 11:02 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

It comes back with a ton of stuff; the row you are probably interested in is 
this one:

enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo!

Ok, try to adjust your automember rule.

Delete your previous inclusive regex, and replace it with 
uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick

Thanks,
_____________________________________________________
John Moyer


On Apr 30, 2013, at 1:57 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 10:52 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

Not a problem, here is the output

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
Automember Rule: test-group
Inclusive Regex: enrolledby=build
----------------------------
Number of entries returned 1
----------------------------

interesting.

When you do an: ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?


Thanks,
_____________________________________________________
John Moyer


On Apr 30, 2013, at 1:48 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 10:43 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

One thing to add is that this build user only has the following access:

Host Administrators
Host enrollment

Would he need more access to do the membership?  My original thought was that 
technically the user is not doing the addition to the group it's the system 
technically doing it so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan 
Kinder may need to refresh my memory), but the 389 plugin should be catching 
the insertion of the new object, then match the watched-attribute, and execute 
the hostgroup assignment based upon the rights of the plugin rather than that 
of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on 
the CLI and send it back to the thread?

If we are missing something or if we have any bugs in there, we need to get 
them identified and fixed.


Thanks,
_____________________________________________________
John Moyer


On Apr 30, 2013, at 1:21 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

On Apr 30, 2013, at 9:30 AM, John Moyer <john.mo...@digitalreasoning.com> wrote:

Anyone have any suggestions for using the auto member function in IPA?  I've 
tried to set it up so if a server is enrolled by a user called "build" then it 
should add it to a specific server group.   I put in an inclusive rule and the 
expression is just "build", but it doesn't work.  Do I need to specify more 
than just build in the expression area?


That -should- be enough to catch new hosts that are built by the 'build' user.

Can you verify that the Attribute you are matching on is: "enrolledby" ?





Thanks,
_____________________________________________________
John Moyer


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

