[Freeipa-users] Re: LDAP Group Membership puzzle

2018-11-27 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote:
> I don't see any option to change the search schema.
> Is there any way to get a similar result with the RFC2307bis schema?
> Like, using a more complex filter?

You would use member instead, which requires a full DN:

ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" \
  -b "cn=groups,cn=accounts,dc=example,dc=com" \
  "(&(objectClass=groupOfNames)(member=uid=ptselios,cn=users,cn=accounts,dc=example,dc=com))" \
  -h localhost -p 389 -s sub

Note that this may very well return multiple results.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: LDAP Group Membership puzzle

2018-11-27 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 27 Nov 2018, Peter Tselios via FreeIPA-users wrote:

> I don't see any option to change the search schema.
> Is there any way to get a similar result with the RFC2307bis schema? Like,
> using a more complex filter?

No.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: LDAP Group Membership puzzle

2018-11-27 Thread Peter Tselios via FreeIPA-users
I don't see any option to change the search schema.
Is there any way to get a similar result with the RFC2307bis schema? Like,
using a more complex filter?


[Freeipa-users] Re: LDAP Group Membership puzzle

2018-11-27 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 27 Nov 2018, Peter Tselios via FreeIPA-users wrote:

> Hello,
> I have a non-IPA aware application that successfully logs in users from IPA's LDAP.
> However, I cannot make it work with group membership. It seems that the LDAP
> filter is not working, and using LDAP search proves that the app is not wrong.
>
> So, what I have:
> myself (ptselios), a member of the group grafana-adms.
>
> The group is stored as:
> ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" \
>   -b "cn=groups,cn=accounts,dc=example,dc=com" \
>   "(&(objectClass=groupOfNames)(cn=grafana-adms))" -h localhost -p 389 -s sub
>
> dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
> member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
> member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
> ipaNTSecurityIdentifier: S-1-5-21-120251393-583861438-3385547448-1050
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> objectClass: ipausergroup
> objectClass: ipaobject
> objectClass: posixgroup
> objectClass: ipantgroupattrs
> cn: grafana-adms
> description:: blabla
> ipaUniqueID: ccc54368-ce1d-11e8-b523-06db1b82a33a
> gidNumber: 690200050
>
> Now, when I search with memberUid I get an empty response:
> ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" \
>   -b "cn=groups,cn=accounts,dc=example,dc=com" \
>   "(&(objectClass=groupOfNames)(memberuid=ptselios))" -h localhost -p 389 -s sub
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> Obviously, the filter is wrong, but what is the correct one?

memberUid is an attribute from RFC2307. The primary tree in FreeIPA
supports the RFC2307bis schema, where there is no memberUid attribute;
the member attribute is used instead. The difference is that the 'member'
attribute holds the full DN of the member object, while memberUid is just
a user name.

The memberUid attribute is provided in the compat subtree.

Are you able to modify your application to use RFC2307bis schema?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
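The two answers in this thread (Rob's member=<full DN> filter and Alexander's explanation of member versus memberUid and the compat subtree) can be exercised offline. The following is an added example written for this archive page; it is not code from the thread or from the FreeIPA project. It models the server with a small LDIF reader and RFC 4515 filter evaluator, runs the three searches that matter against constructed entries, and shows why the memberUid filter returns nothing in the primary tree while the same filter works against the compat subtree. The compat group location cn=groups,cn=compat,dc=example,dc=com, the constructed entries and the simplified case-insensitive matching are assumptions, not something the thread states.

```python
import base64
import re

# Constructed sample LDIF, not real directory data: the grafana-adms group from
# the thread as stored in the RFC2307bis primary tree, plus an assumed compat
# projection of it under cn=compat, where FreeIPA exposes RFC2307 memberUid.
SAMPLE_LDIF = """\
dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=anotheruser,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
cn: grafana-adms
description:: R3JhZmFuYSBhZG1pbnM=
gidNumber: 690200050

dn: cn=grafana-adms,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
cn: grafana-adms
memberUid: ptselios
memberUid: anotheruser
gidNumber: 690200050
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' and
    'attr:: base64'. Attribute names are lower-cased (LDAP ignores their case)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping of the characters that are special in a filter value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text):
    """Parse the RFC 4515 subset used here, (&..) and (attr=value), into a
    nested tuple AST, decoding \\XX escapes inside values."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] == "&":
            pos, kids = pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            pos += 1                           # closing ')' of the AND
            return ("&", kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.lower(), value)
    ast = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return ast

def matches(entry, ast):
    """Evaluate a filter AST against one entry; values compare case-insensitively,
    which approximates the server's matching rules for cn, member and memberUid."""
    if ast[0] == "&":
        return all(matches(entry, k) for k in ast[1])
    _, attr, wanted = ast
    return any(v.lower() == wanted.lower() for v in entry.get(attr, []))

def membership_filter(schema, uid, users_base="cn=users,cn=accounts,dc=example,dc=com"):
    """RFC2307bis groups list members by full DN in 'member'; RFC2307 groups list
    bare login names in 'memberUid'. Build the filter that fits the schema."""
    if schema == "rfc2307bis":
        dn = "uid=%s,%s" % (escape_filter_value(uid), users_base)
        return "(&(objectClass=groupOfNames)(member=%s))" % dn
    if schema == "rfc2307":
        return "(&(objectClass=posixGroup)(memberUid=%s))" % escape_filter_value(uid)
    raise ValueError("unknown schema %r" % schema)

def groups_for(entries, base, flt):
    """Emulate 'ldapsearch -b BASE -s sub FILTER': DNs of entries under BASE
    whose attributes satisfy the filter."""
    ast, suffix = parse_filter(flt), "," + base.lower()
    return [e["dn"][0] for e in entries
            if e["dn"][0].lower().endswith(suffix) and matches(e, ast)]

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    primary = "cn=groups,cn=accounts,dc=example,dc=com"
    compat = "cn=groups,cn=compat,dc=example,dc=com"
    print(groups_for(entries, primary, membership_filter("rfc2307", "ptselios")))     # []
    print(groups_for(entries, primary, membership_filter("rfc2307bis", "ptselios")))
    print(groups_for(entries, compat, membership_filter("rfc2307", "ptselios")))
```

The first search reproduces the empty result from the thread: the primary-tree group carries member values, so a memberUid assertion can never match there. The second is Rob's filter and the third is the memberUid filter pointed at the compat subtree, each returning the group once. Two points for whoever owns the application: the login name goes through escape_filter_value before it lands in the filter, so a name like `*` cannot turn into a wildcard that matches every group; and an empty search result has to be treated as "not a member", never as "no restriction". A fixture like this makes a cheap regression test for the schema the application was written against.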