Re: [Freeipa-users] Querying the dir srv
On 08/04/2016 06:43 PM, Sean Hogan wrote:
> Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any
> specific ldap viewer to view the internals? I was looking at apache dir
> studio I think it was... but needs java and I don't want to add java
> to a server that does not have it increasing the mitigation/vulnerability
> factor of the box.
>
> I ran ipa host-find --all
> and noticed this setting in the list
> Keytab: True
>
> I am thinking Keytab entry = enroll true

That is correct. Enrolled == true in Web UI means has_keytab in CLI which means
that the host object has krbprincipalkey LDAP attribute set.

> Sean Hogan
>
> From: Ben Lipton <blip...@redhat.com>
> To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users <freeipa-users@redhat.com>
> Date: 08/04/2016 09:08 AM
> Subject: Re: [Freeipa-users] Querying the dir srv
>
> On 08/04/2016 11:31 AM, Sean Hogan wrote:
> > Hi All,
> >
> > Where can I find information about the IPA schema as in what = what in
> > the dir srv? I do not have a ldap viewer.
> > I am looking to pull specific info from it such as a list of servers
> > that have enrolled = true and have been playing with ldapsearch to no
> > avail.
>
> You could try something like 'ipa -show --all ' to
> see the dn of the associated LDAP object for a particular IPA entity.
> This would give you a sense of what tree to ldapsearch. You could try
> adding the --raw flag as well to see the LDAP attributes of the object.
>
> # ipa user-show --all admin
> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
> [...]
> # ldapsearch -xLLL -D cn='Directory manager' -w
> -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' |
> perl -p0e 's/\n //g' | less
>
> You can also take a look at
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
> for a list of LDAP entities that act as containers for IPA objects
> (subtrees to search under).
>
> Someone else may have some better ideas, but maybe this can get you started.
>
> Ben

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
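An added example, not part of any message in this thread and not FreeIPA project code: the enrolled-host query that follows from the krbprincipalkey point in the reply above, reusing the thread's Directory Manager bind and example suffix. The host container, the ipahost object class and the fqdn attribute are standard FreeIPA names that are not quoted in the thread; the function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Container, object class and fqdn
# attribute are standard FreeIPA names not quoted in the thread; verify them
# with "ipa host-show --all --raw" on your own server.
HOST_BASE='cn=computers,cn=accounts,dc=example,dc=domain'
ENROLLED_FILTER='(&(objectClass=ipahost)(krbPrincipalKey=*))'

# Live query: the presence filter keeps only hosts that have a keytab.
# -W prompts for the bind password instead of putting it on the command line.
search_enrolled() {
    ldapsearch -xLLL -D 'cn=Directory Manager' -W \
        -b "$HOST_BASE" "$ENROLLED_FILTER" fqdn
}

# Join LDIF continuation lines (newline + one space), like the perl one-liner.
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1         { print buf }
                        { buf = $0 }
         END            { if (NR) print buf }'
}

# Offline variant: read a full LDIF dump on stdin and print the fqdn of every
# entry that carries krbPrincipalKey (attribute names are case-insensitive).
enrolled_hosts() {
    unfold_ldif | awk '
        { l = tolower($0) }
        l ~ /^fqdn: /           { fqdn = substr($0, 7) }
        l ~ /^krbprincipalkey:/ { keyed = 1 }
        l == ""                 { if (keyed && fqdn != "") print fqdn; fqdn = ""; keyed = 0 }
        END                     { if (keyed && fqdn != "") print fqdn }'
}

# Constructed sample dump: two keyed hosts (one with a folded fqdn), one not.
sample_ldif() {
    cat <<'EOF'
dn: fqdn=web1.example.domain,cn=computers,cn=accounts,dc=example,dc=domain
fqdn: web1.example.domain
krbPrincipalKey:: Q09OU1RSVUNURUQ=

dn: fqdn=db1.example.domain,cn=computers,cn=accounts,dc=example,dc=domain
fqdn: db1.example.domain

dn: fqdn=app1.example.domain,cn=computers,cn=accounts,dc=example,dc=domain
fqdn: app1.exam
 ple.domain
krbPrincipalKey:: Q09OU1RSVUNURUQ=
EOF
}

sample_ldif | enrolled_hosts
```

Requesting only fqdn in search_enrolled keeps the key material itself out of the output; the filter alone decides which hosts are listed.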
Re: [Freeipa-users] Querying the dir srv
On 04.08.2016 18:43, Sean Hogan wrote:
> Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any
> specific ldap viewer to view the internals? I was looking at apache dir
> studio I think it was... but needs java and I don't want to add java to a
> server that does not have it increasing the mitigation/vulnerability factor
> of the box.
>
> I ran ipa host-find --all
> and noticed this setting in the list
> Keytab: True
>
> I am thinking Keytab entry = enroll true
>
> Sean Hogan

You can use also --raw option together with --all to see raw LDAP values

I use apache directory studio and ldapsearch

Martin

> From: Ben Lipton <blip...@redhat.com>
> To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users <freeipa-users@redhat.com>
> Date: 08/04/2016 09:08 AM
> Subject: Re: [Freeipa-users] Querying the dir srv
>
> On 08/04/2016 11:31 AM, Sean Hogan wrote:
> > Hi All,
> >
> > Where can I find information about the IPA schema as in what = what in
> > the dir srv? I do not have a ldap viewer.
> > I am looking to pull specific info from it such as a list of servers
> > that have enrolled = true and have been playing with ldapsearch to no
> > avail.
>
> You could try something like 'ipa -show --all ' to see the dn of the
> associated LDAP object for a particular IPA entity. This would give you a
> sense of what tree to ldapsearch. You could try adding the --raw flag as
> well to see the LDAP attributes of the object.
>
> # ipa user-show --all admin
> dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
> [...]
> # ldapsearch -xLLL -D cn='Directory manager' -w -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' | perl -p0e 's/\n //g' | less
>
> You can also take a look at
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
> for a list of LDAP entities that act as containers for IPA objects
> (subtrees to search under).
>
> Someone else may have some better ideas, but maybe this can get you started.
>
> Ben
Re: [Freeipa-users] Querying the dir srv
Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any
specific ldap viewer to view the internals? I was looking at apache dir studio
I think it was... but needs java and I don't want to add java to a server that
does not have it increasing the mitigation/vulnerability factor of the box.

I ran ipa host-find --all
and noticed this setting in the list
Keytab: True

I am thinking Keytab entry = enroll true

Sean Hogan

From: Ben Lipton <blip...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users <freeipa-users@redhat.com>
Date: 08/04/2016 09:08 AM
Subject: Re: [Freeipa-users] Querying the dir srv

On 08/04/2016 11:31 AM, Sean Hogan wrote:
> Hi All,
>
> Where can I find information about the IPA schema as in what = what in
> the dir srv? I do not have a ldap viewer.
> I am looking to pull specific info from it such as a list of servers
> that have enrolled = true and have been playing with ldapsearch to no
> avail.

You could try something like 'ipa -show --all ' to see the dn of the
associated LDAP object for a particular IPA entity. This would give you a
sense of what tree to ldapsearch. You could try adding the --raw flag as well
to see the LDAP attributes of the object.

# ipa user-show --all admin
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
[...]
# ldapsearch -xLLL -D cn='Directory manager' -w -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' | perl -p0e 's/\n //g' | less

You can also take a look at
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
for a list of LDAP entities that act as containers for IPA objects (subtrees
to search under).

Someone else may have some better ideas, but maybe this can get you started.

Ben
Re: [Freeipa-users] Querying the dir srv
On 08/04/2016 11:31 AM, Sean Hogan wrote:
> Hi All,
>
> Where can I find information about the IPA schema as in what = what in
> the dir srv? I do not have a ldap viewer.
> I am looking to pull specific info from it such as a list of servers
> that have enrolled = true and have been playing with ldapsearch to no
> avail.

You could try something like 'ipa -show --all ' to see the dn of the
associated LDAP object for a particular IPA entity. This would give you a
sense of what tree to ldapsearch. You could try adding the --raw flag as well
to see the LDAP attributes of the object.

# ipa user-show --all admin
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=domain
[...]
# ldapsearch -xLLL -D cn='Directory manager' -w -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' | perl -p0e 's/\n //g' | less

You can also take a look at
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78
for a list of LDAP entities that act as containers for IPA objects (subtrees
to search under).

Someone else may have some better ideas, but maybe this can get you started.

Ben
[Freeipa-users] Querying the dir srv
Hi All,

Where can I find information about the IPA schema as in what = what in the dir
srv? I do not have a ldap viewer.
I am looking to pull specific info from it such as a list of servers that have
enrolled = true and have been playing with ldapsearch to no avail.

Sean Hogan