Re: [Freeipa-users] memberof plugin?

2014-08-01 Thread Martin Kosek
On 08/01/2014 12:40 AM, Kat wrote:
> Hi,
> 
> I must be missing something obvious in getting memberof plugin to work.. Any
> ideas?
> 
> Thanks in advance...
> ~K
> 
> --
> 
> ./fixup-memberof.pl -D 'cn=Directory Manager' -b 'dc=red,dc=lemon,dc=com' -w - -v
> ldap_initialize( ldap://localhost:7389 )
> add objectclass:
> top
> extensibleObject
> add cn:
> memberOf_fixup_2014_7_26_22_33_31
> add basedn:
> dc=red,dc=lemon,dc=com
> adding new entry "cn=memberOf_fixup_2014_7_26_22_33_31, cn=memberOf task,
> cn=tasks, cn=config"
> ldap_add: No such object (32)
> 

Are you using FreeIPA or just a standalone 389-ds-base instance?

Does the memberOf task object exist?

$ ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=memberOf task,cn=tasks,cn=config"

Is the MemberOf plugin enabled? (cn=MemberOf Plugin,cn=plugins,cn=config)

Are there any /var/log/dirsrv/slapd-YOUR-REALM/errors?

HTH,

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] memberOf

2013-10-07 Thread Rob Crittenden

Tamas Papp wrote:


On 10/07/2013 08:59 PM, Dmitri Pal wrote:

On 10/07/2013 12:32 PM, Tamas Papp wrote:

On 10/07/2013 06:06 PM, Tamas Papp wrote:

hi All,

I have a fedora directory server with memberOf attributes.
I'm able to migrate users to Freeipa, but I can see there are no such
attributes at the new place.
If I understand correctly, a memberOf plugin should be enabled. How can
I do that?

I wasn't correct here.

This works:
# ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
2424


This does not:
# ldapsearch -x 2>/dev/null |grep memberOf|wc -l
0


I am missing something, but I don't know what. I'm not really an LDAP or IPA
expert, please give me some advice :)

With anonymous bind you do not see any data. With GSSAPI you
authenticate and are thus entitled to see what you are looking for.



I see, that's true.
Although I don't understand why memberOf does not work if every other
piece of information is available?

ldapsearch -x uid=user and ldapsearch -x cn=group work fine. Therefore
all information is available, it just doesn't show up right.
Am I wrong?


memberOf can contain some privileged information that you don't want to 
expose to anonymous users, like sudo and HBAC rule membership.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] memberOf

2013-10-07 Thread Tamas Papp

On 10/07/2013 08:59 PM, Dmitri Pal wrote:
> On 10/07/2013 12:32 PM, Tamas Papp wrote:
>> On 10/07/2013 06:06 PM, Tamas Papp wrote:
>>> hi All,
>>>
>>> I have a fedora directory server with memberOf attributes.
>>> I'm able to migrate users to Freeipa, but I can see there are no such
>>> attributes at the new place.
>>> If I understand correctly, a memberOf plugin should be enabled. How can
>>> I do that?
>> I wasn't correct here.
>>
>> This works:
>> # ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
>> 2424
>>
>>
>> This does not:
>> # ldapsearch -x 2>/dev/null |grep memberOf|wc -l
>> 0
>>
>>
>> I am missing something, but I don't know what. I'm not really an LDAP or IPA
>> expert, please give me some advice :)
> With anonymous bind you do not see any data. With GSSAPI you
> authenticate and are thus entitled to see what you are looking for.
>

I see, that's true.
Although I don't understand why memberOf does not work if every other
piece of information is available?

ldapsearch -x uid=user and ldapsearch -x cn=group work fine. Therefore
all information is available, it just doesn't show up right.
Am I wrong?

Thanks,
tamas



Re: [Freeipa-users] memberOf

2013-10-07 Thread Dmitri Pal
On 10/07/2013 12:32 PM, Tamas Papp wrote:
> On 10/07/2013 06:06 PM, Tamas Papp wrote:
>> hi All,
>>
>> I have a fedora directory server with memberOf attributes.
>> I'm able to migrate users to Freeipa, but I can see there are no such
>> attributes at the new place.
>> If I understand correctly, a memberOf plugin should be enabled. How can
>> I do that?
> I wasn't correct here.
>
> This works:
> # ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
> 2424
>
>
> This does not:
> # ldapsearch -x 2>/dev/null |grep memberOf|wc -l
> 0
>
>
> I am missing something, but I don't know what. I'm not really an LDAP or IPA
> expert, please give me some advice :)

With anonymous bind you do not see any data. With GSSAPI you
authenticate and are thus entitled to see what you are looking for.

>
> Thanks,
> tamas
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] memberOf

2013-10-07 Thread Tamas Papp

On 10/07/2013 06:06 PM, Tamas Papp wrote:
> hi All,
>
> I have a fedora directory server with memberOf attributes.
> I'm able to migrate users to Freeipa, but I can see there are no such
> attributes at the new place.
> If I understand correctly, a memberOf plugin should be enabled. How can
> I do that?

I wasn't correct here.

This works:
# ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
2424


This does not:
# ldapsearch -x 2>/dev/null |grep memberOf|wc -l
0


I am missing something, but I don't know what. I'm not really an LDAP or IPA
expert, please give me some advice :)

Thanks,
tamas



Re: [Freeipa-users] memberOf

2013-10-07 Thread Dmitri Pal
On 10/07/2013 12:06 PM, Tamas Papp wrote:
> hi All,
>
> I have a fedora directory server with memberOf attributes.
> I'm able to migrate users to Freeipa, but I can see there are no such
> attributes at the new place.
> If I understand correctly, a memberOf plugin should be enabled. How can
> I do that?
>
> Thanks,
> tamas
>
Are you using the ipa migrate-ds command?
Were your groups migrated?
If there are no groups then the membership will not be migrated.
Memberof is enabled by default, so there might be something wrong with
how the migration happened.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread Rob Crittenden

James James wrote:

Oops, in the first message I should have written:
I want to have the email of the emails of all the person belonging to a
group.

and not
I want to have the email of the emails of all the person belongingS to a
group.

:0)


I'd pick a user you know is in the group and start there:

ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' 
uid=someuser memberof


Confirm that there is a memberof for that user.

This is all pre-configured, there shouldn't be the need to do anything.

rob




2012/9/18 James James <jre...@gmail.com>:

Thanks for your answer.
In my group I have two users, but when I use this command:


  $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
'(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail

the result is:

# search result
search: 2
result: 0 Success

How can I check my memberOf plugin?



2012/9/18 Rob Crittenden <rcrit...@redhat.com>:

James James wrote:

Hi everybody,

can somebody help me with the memberof plugin? Is there a way to add
the memberof attribute like it was in 389-ds?
For my mailing list program, I want to have the email of the emails of
all the person belongings to a group. Is there a filter to do that?


To find all e-mail addresses of users in group "mygroup" use:

$ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
'(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail

This will include nested users who are in groups that are
members of mygroup.

rob







Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Oops, in the first message I should have written:
I want to have the email of the emails of all the person belonging to a
group.

and not
I want to have the email of the emails of all the person belongingS to a
group.

:0)


2012/9/18 James James 

> Thanks for your answer.
> In my group I have two users, but when I use this command:
>
>
>  $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
> '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>
> the result is:
>
> # search result
> search: 2
> result: 0 Success
>
> How can I check my memberOf plugin?
>
>
>
> 2012/9/18 Rob Crittenden 
>
>> James James wrote:
>>
>>> Hi everybody,
>>>
>>> can somebody help me with the memberof plugin? Is there a way to add
>>> the memberof attribute like it was in 389-ds?
>>> For my mailing list program, I want to have the email of the emails of
>>> all the person belongings to a group. Is there a filter to do that?
>>>
>>
>> To find all e-mail addresses of users in group "mygroup" use:
>>
>> $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>> '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>>
>> This will include nested users who are in groups that are members of
>> mygroup.
>>
>> rob
>>
>
>

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Thanks for your answer.
In my group I have two users, but when I use this command:

 $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
'(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail

the result is:

# search result
search: 2
result: 0 Success

How can I check my memberOf plugin?


2012/9/18 Rob Crittenden 

> James James wrote:
>
>> Hi everybody,
>>
>> can somebody help me with the memberof plugin? Is there a way to add
>> the memberof attribute like it was in 389-ds?
>> For my mailing list program, I want to have the email of the emails of
>> all the person belongings to a group. Is there a filter to do that?
>>
>
> To find all e-mail addresses of users in group "mygroup" use:
>
> $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
> '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail
>
> This will include nested users who are in groups that are members of
> mygroup.
>
> rob
>

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread Rob Crittenden

James James wrote:

Hi everybody,

can somebody help me with the memberof plugin? Is there a way to add
the memberof attribute like it was in 389-ds?
For my mailing list program, I want to have the email of the emails of
all the person belongings to a group. Is there a filter to do that?


To find all e-mail addresses of users in group "mygroup" use:

$ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' 
'(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail


This will include nested users who are in groups that are members of 
mygroup.


rob

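As an added example, not part of the thread or of FreeIPA's own code: the reverse links the memberOf plugin maintains, derived from forward member attributes over a constructed directory, and why the (memberOf=cn=mygroup,...) mail search above also returns users of groups nested inside mygroup. The DNs reuse the thread's dc=example,dc=com suffix; the users, groups and addresses are made up.

```python
"""Added example (not from the thread or FreeIPA): derive the memberOf attribute
that the plugin maintains from forward 'member' links, then answer Rob's query,
(memberOf=cn=mygroup,...) mail, over a constructed directory."""
from collections import deque

GROUPS = "cn=groups,cn=accounts,dc=example,dc=com"
USERS = "cn=users,cn=accounts,dc=example,dc=com"

# Constructed entries holding only what an admin writes: forward 'member' links
# and mail.  mygroup -> devs -> ops is the nesting Rob mentions.
ENTRIES = {
    f"cn=mygroup,{GROUPS}": {"member": [f"uid=alice,{USERS}", f"cn=devs,{GROUPS}"]},
    f"cn=devs,{GROUPS}": {"member": [f"uid=bob,{USERS}", f"cn=ops,{GROUPS}"]},
    f"cn=ops,{GROUPS}": {"member": [f"uid=erin,{USERS}", f"uid=dave,{USERS}"]},
    f"cn=other,{GROUPS}": {"member": [f"uid=carol,{USERS}"]},
    f"uid=alice,{USERS}": {"mail": ["alice@example.com"]},
    f"uid=bob,{USERS}": {"mail": ["bob@example.com"]},
    f"uid=carol,{USERS}": {"mail": ["carol@example.com"]},
    f"uid=erin,{USERS}": {"mail": ["erin@example.com"]},
    f"uid=dave,{USERS}": {},  # in ops, but has no mail attribute
}


def compute_memberof(entries):
    """memberOf for every DN: the transitive closure of the reverse 'member'
    links, which is what the plugin writes back into each entry.  Groups get
    memberOf too (devs is memberOf mygroup).  'seen' guards against cycles."""
    parents = {}
    for dn, attrs in entries.items():
        for child in attrs.get("member", []):
            parents.setdefault(child, set()).add(dn)
    memberof = {}
    for dn in entries:
        seen, queue = set(), deque(parents.get(dn, ()))
        while queue:
            group = queue.popleft()
            if group not in seen:
                seen.add(group)
                queue.extend(parents.get(group, ()))
        memberof[dn] = sorted(seen)
    return memberof


def mails_in_group(entries, group_dn):
    """Equivalent of: ldapsearch -b <USERS> '(memberOf=<group_dn>)' mail
    Users without a mail attribute match the filter but contribute nothing."""
    memberof = compute_memberof(entries)
    return sorted(
        mail
        for dn, attrs in entries.items()
        if dn.endswith("," + USERS) and group_dn in memberof[dn]
        for mail in attrs.get("mail", [])
    )


if __name__ == "__main__":
    for dn, groups in compute_memberof(ENTRIES).items():
        print(dn, "->", groups)
    print(mails_in_group(ENTRIES, f"cn=mygroup,{GROUPS}"))
```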


Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread Sigbjorn Lie

On 09/18/2012 02:27 PM, James James wrote:

Hi everybody,

can somebody help me with the memberof plugin? Is there a way to add
the memberof attribute like it was in 389-ds?
For my mailing list program, I want to have the email of the emails of
all the person belongings to a group. Is there a filter to do that?


Thanks.





Hi,

This works for me:

ldapsearch -Y GSSAPI 
memberof=cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com mail




Regards,
Siggi


Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-18 Thread Rob Crittenden

James Roman wrote:
Just for posterity. The issue ended up being that the AD and FreeIPA 
were out of sync. One of the sub-containers in the Active Directory 
containing disabled accounts was moved outside of the scope of the sync 
agreement. We never ran a replica init, so a number of scheduled syncs 
were pending.


Glad you figured it out. Thanks for closing the loop :-)

cheers

rob



Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-18 Thread James Roman
Just for posterity. The issue ended up being that the AD and FreeIPA 
were out of sync. One of the sub-containers in the Active Directory 
containing disabled accounts was moved outside of the scope of the sync 
agreement. We never ran a replica init, so a number of scheduled syncs 
were pending.



On 03/17/2010 04:00 PM, James Roman wrote:



The memberof plugin does not change group memberships, it only updates
the memberof attribute to keep it in sync with the member ones.

Simo.

I made a mistake interpreting the audit log initially.  I realized 
after I created the subject that the MemberOf changes reflect the 
changes being made in the background to the individual record to 
populate the memberOf attributes for the change I initiated. Since the 
audit records don't actually say what the MemberOf plugins are 
changing in the record (they only report updating the modifiersname), 
I thought it was actually what was changing the group membership back.


Something else was changing the group membership back (or rolling back 
the initial change), but it is not being recorded in the audit logs.


I still can't get my head around why the audit log reports both 
plugins making changes to the record, even though the 389 MemberOf 
plugin is disabled.


time: 20100317111527
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=ipa-memberof,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20100317151502Z
-

time: 20100317111529
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config



Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread James Roman



The memberof plugin does not change group memberships, it only updates
the memberof attribute to keep it in sync with the member ones.

Simo.

I made a mistake interpreting the audit log initially.  I realized after 
I created the subject that the MemberOf changes reflect the changes 
being made in the background to the individual record to populate the 
memberOf attributes for the change I initiated. Since the audit records 
don't actually say what the MemberOf plugins are changing in the record 
(they only report updating the modifiersname), I thought it was actually 
what was changing the group membership back.


Something else was changing the group membership back (or rolling back 
the initial change), but it is not being recorded in the audit logs.


I still can't get my head around why the audit log reports both plugins 
making changes to the record, even though the 389 MemberOf plugin is 
disabled.


time: 20100317111527
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=ipa-memberof,cn=plugins,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20100317151502Z
-

time: 20100317111529
dn: uid=afflicted.user,cn=users,cn=accounts,dc=domain,dc=com
changetype: modify
replace: modifiersName
modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config



Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread Simo Sorce
On Wed, 17 Mar 2010 15:24:18 -0400
James Roman  wrote:

> 
> > To actually disable the plugin you need a restart after you change
> > the config, but please *do not* do that unless you want trouble :)
> >
> > The memberof plugin does not change group memberships, it only
> > updates the memberof attribute to keep it in sync with the member
> > ones.
> >
> > Simo.
> >
> >
> Just to clarify, we never disabled the 389 MemberOf plugin. My
> original ldif dump after the upgrade to 1.2.5 had the 389 DS memberOf
> plugin disabled. So it never was enabled. This probably meant little
> to us from a functional standpoint because we already had the FreeIPA
> ipa_memberof plugin installed and enabled.
> 
> Do I need both of them enabled? Or will that cause additional misery?
> Of the two, ipa-memberof and 389's memberOf plugin, which should I
> enable?
> 

Oh sorry, no, I misunderstood. You can't have both enabled, they would
interfere, only one or the other.
The 389 memberof plugin is probably better now, as we merge all the
code we developed for ipa in there. But unless you have specific
problems you can just leave it as it is.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

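As an added example, not from the thread or from FreeIPA: a static check over a plugin-config dump shaped like the one James posted, flagging the state Simo warns against (ipa-memberof and the 389-ds MemberOf Plugin both switched on). The LDIF is constructed, and the check reads stored configuration only; it cannot tell what the running server has loaded, which is Simo's point about the restart.

```python
"""Added example (not from the thread or FreeIPA): read a cn=plugins,cn=config
dump and report whether ipa-memberof and the 389-ds MemberOf Plugin are both
enabled, the interference case Simo describes.  The LDIF below is constructed."""

IPA_MEMBEROF = "cn=ipa-memberof,cn=plugins,cn=config"
DS_MEMBEROF = "cn=MemberOf Plugin,cn=plugins,cn=config"

# Constructed dump in the shape of ldapsearch output, deliberately showing
# the conflicting state (both plugins 'on').
SAMPLE_LDIF = """\
# ipa-memberof, plugins, config
dn: cn=ipa-memberof,cn=plugins,cn=config
objectClass: nsSlapdPlugin
nsslapd-pluginEnabled: on

# MemberOf Plugin, plugins, config
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: nsSlapdPlugin
nsslapd-pluginEnabled: on
memberofgroupattr: member
memberofattr: memberOf
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, '#' lines are comments,
    a line starting with a space continues the previous value.  Attribute
    names are lowercased because LDAP treats them case-insensitively.
    (Base64 '::' values are not handled; the sample has none.)"""
    entries, attrs, last = {}, {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs, last = {}, None
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        attrs.setdefault(last, []).append(value.strip())
    return entries


def plugin_enabled(entries, dn):
    """True only when nsslapd-pluginEnabled is 'on'; a missing entry or
    attribute counts as off."""
    return entries.get(dn, {}).get("nsslapd-pluginenabled", ["off"])[0].lower() == "on"


def memberof_state(ldif_text):
    """Return (ipa_on, ds_on, conflict).  Exactly one of the two should be on:
    both on is the interference case, neither on means no memberOf maintenance."""
    entries = parse_ldif(ldif_text)
    ipa_on = plugin_enabled(entries, IPA_MEMBEROF)
    ds_on = plugin_enabled(entries, DS_MEMBEROF)
    return ipa_on, ds_on, ipa_on and ds_on


if __name__ == "__main__":
    print(memberof_state(SAMPLE_LDIF))  # (True, True, True)
```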


Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread James Roman



To actually disable the plugin you need a restart after you change the
config, but please *do not* do that unless you want trouble :)

The memberof plugin does not change group memberships, it only updates
the memberof attribute to keep it in sync with the member ones.

Simo.

Just to clarify, we never disabled the 389 MemberOf plugin. My original 
ldif dump after the upgrade to 1.2.5 had the 389 DS memberOf plugin 
disabled. So it never was enabled. This probably meant little to us from 
a functional standpoint because we already had the FreeIPA ipa_memberof 
plugin installed and enabled.


Do I need both of them enabled? Or will that cause additional misery? Of 
the two, ipa-memberof and 389's memberOf plugin, which should I enable?




Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread Simo Sorce
On Wed, 17 Mar 2010 14:01:47 -0400
James Roman  wrote:

> 
> > Well, the current 389 memberOf is a bit more advanced than the 
> > ipa-memberOf. We did the initial development of the plugin, then it 
> > got moved into mainline 389-ds. The ipa plugin should work fine 
> > though, I don't know of any reason to switch.
> >
> > rob
> Any idea why both are being executed? Even when the MemberOf Plugin
> is disabled?
> 
> # ipa-memberof, plugins, config
> dn: cn=ipa-memberof,cn=plugins,cn=config
> ..
> nsslapd-pluginEnabled: on
> 
> 
> # MemberOf Plugin, plugins, config
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> ..
> nsslapd-pluginEnabled: off
> 
> Is it possible that the DS upgrade steps on the ipa-memberof
> libraries in some way, causing both to be executed? I would imagine
> that having two plugins making the same update to the directory could
> be problematic.  Maybe it's the way the audit logging is occurring.

To actually disable the plugin you need a restart after you change the
config, but please *do not* do that unless you want trouble :)

The memberof plugin does not change group memberships, it only updates
the memberof attribute to keep it in sync with the member ones.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread James Roman


Well, the current 389 memberOf is a bit more advanced than the 
ipa-memberOf. We did the initial development of the plugin, then it 
got moved into mainline 389-ds. The ipa plugin should work fine 
though, I don't know of any reason to switch.


rob
Any idea why both are being executed? Even when the MemberOf Plugin is 
disabled?


# ipa-memberof, plugins, config
dn: cn=ipa-memberof,cn=plugins,cn=config
..
nsslapd-pluginEnabled: on


# MemberOf Plugin, plugins, config
dn: cn=MemberOf Plugin,cn=plugins,cn=config
..
nsslapd-pluginEnabled: off

Is it possible that the DS upgrade steps on the ipa-memberof libraries 
in some way, causing both to be executed? I would imagine that having 
two plugins making the same update to the directory could be 
problematic.  Maybe it's the way the audit logging is occurring.




Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread James Roman
OK. I think I've got this licked. I had to manually activate the account 
on both the Active Directory and the FreeIPA server. I think what was 
happening was this:


  1. Admin activates the account on IPA server (moves cn=inactivated to
 cn=activated)
  2. IPA server schedules windows sync
  3. IPA server reads windows status disabled
  4. IPA disables FreeIPA account
  5. IPA server updates AD account to enable
  6. IPA server schedules 2nd windows sync
  7. IPA server updates AD account to disable

I don't know why this account is encountering this issue. It just 
started flipping disabled at about 2:00 am today.




Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread Rob Crittenden

James Roman wrote:
I have a single account that keeps getting disabled by the memberOf 
Plugin, even though it is disabled.


[ SNIP ]

Am I missing something? What do I need to do to keep the MemberOf plugin 
from stepping on our changes?  We have FreeIPA 1.2.2 and 389-DS 1.2.5 on 
FC11.


I don't think you want to disable memberof, it will probably break other 
stuff. I'm guessing you did this to see what would happen. Did you 
restart the DS after disabling it? I believe that is required.


How are you unlocking the user, using the ipa-lockuser tool?

I should note that a user doesn't need to be in cn=activated to be 
unlocked, they just need to not be in cn=inactivated. The cn=activated 
is there so you can disable a group (which will in turn inactivate all 
members of that group) and then go back and set some group members to be 
re-activated.


rob
