[Freeipa-users] automember issues
Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
Yep, enrolledby is what I'm using, but I have been adding them manually since it hasn't been working. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
On 04/30/2013 10:48 AM, JR Aquino wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. This is correct. The user doesn't matter, as the operation that deals with the group membership is done internally by the AutoMember plug-in. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.commailto:Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] automember issues
I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com Number of entries returned 1 Thanks, _ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Thanks, _ John Moyer ___
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote: I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com Number of entries returned 1 Interesting. What about if you just do something silly like: .*build.* Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? Thanks, _ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1
Re: [Freeipa-users] automember issues
On Apr 30, 2013, at 11:23 AM, John Moyer john.mo...@digitalreasoning.com wrote: Ha! I tried .*build and build.* before contacting you guys, I didn't try .*build.* That worked, it automatically added the machine to the group! Thanks! That will save me s much time! Not a problem John, thanks for your patience! Glad to be of help! I'm very happy to see that some of the stuff that I use daily saves other folks time and headaches too! -JR Thanks, _ John Moyer On Apr 30, 2013, at 2:17 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote: I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com Number of entries returned 1 Interesting. What about if you just do something silly like: .*build.* Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? Thanks, _ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister
Re: [Freeipa-users] automember issues
On 04/30/2013 02:17 PM, JR Aquino wrote: On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote: I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com Number of entries returned 1 Interesting. What about if you just do something silly like: .*build.* Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? Don't you need to specify target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it. Thanks, _ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler
Re: [Freeipa-users] automember issues
So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Anymore ideas? The target is specified by the rule name test-group is the target. Thanks, _ John Moyer On Apr 30, 2013, at 2:25 PM, Dmitri Pal d...@redhat.com wrote: On 04/30/2013 02:17 PM, JR Aquino wrote: On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com wrote: I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com Number of entries returned 1 Interesting. What about if you just do something silly like: .*build.* Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? Don't you need to specify target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it. Thanks, _ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called build then it should add it to a specific server group. I put in an inclusive rule and the expression is just build, but it doesn't work. Do I need to specify more than just build in the expression area? That -should- be enough to catch new hosts that are built by the 'build' user. Can you verify that the Attribute you are matching on is: enrolledby ? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1
Re: [Freeipa-users] automember issues
I've got about 30mins before I get into my next meeting. Are you able to hop into IRC in Freenode to work in realtime on #freeipa? Keeping your head in the cloud ~ Jr Aquino | Sr. Information Security Specialist GXPN | GIAC Exploit Researcher and Advanced Penetration Tester GCIH | GIAC Certified Incident Handler GWAPT | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117x-apple-data-detectors://0/0 T: +1 805.690.3478tel:+1%C2%A0805.690.3478 C: +1 805.717.0365tel:+1%20805.717.0365 jr.aqu...@citrix.commailto:jr.aqu...@citrixonline.com http://www.citrixonline.comhttp://www.citrixonline.com/ On Apr 30, 2013, at 12:23 PM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Anymore ideas? The target is specified by the rule name test-group is the target. Thanks, _ John Moyer On Apr 30, 2013, at 2:25 PM, Dmitri Pal d...@redhat.commailto:d...@redhat.com wrote: On 04/30/2013 02:17 PM, JR Aquino wrote: On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com Number of entries returned 1 Interesting. What about if you just do something silly like: .*build.* Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? Don't you need to specify target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it. Thanks, _ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.commailto:jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick Thanks, _ John Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.commailto:jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: Not a problem, here is the output ipa automember-find --type=hostgroup --- 1 rules matched --- Automember Rule: test-group Inclusive Regex: enrolledby=build Number of entries returned 1 interesting. When you do an: ipa host-show test-hostname.example.comhttp://test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? Thanks, _ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.commailto:jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.commailto:john.mo...@digitalreasoning.com wrote: One thing to add is that this build user only has the following access: Host Administrators Host enrollment Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed. Thanks, _ John Moyer On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.commailto:jr.aqu...@citrix.com wrote: On Apr 30, 2013, at 9:30 AM, John Moyer