[Freeipa-users] LDAP search for email address of user in a particular group

Dan Scott danieljamesscott at gmail.com
Fri Nov 4 23:12:48 UTC 2011


On Fri, Nov 4, 2011 at 19:07, Rich Megginson <rmeggins at redhat.com> wrote:
> On 11/04/2011 04:51 PM, Dan Scott wrote:
>>
>> Hi,
>>
>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden<rcritten at redhat.com>  wrote:
>>>
>>> Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram<sbingram at gmail.com>
>>>>  wrote:
>>>>>
>>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott<danieljamesscott at gmail.com>
>>>>>  wrote:
>>>>>>
>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com \
>>>>>>   "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" \
>>>>>>   -x
>>>>>>
>>>>>> In version 2, it looks like the memberOf attributes have been removed
>>>>>> from the user entries and the user group membership information is
>>>>>> stored only in the 'member' attribute of the individual group entries.
>>>>>>
>>>>>> Can someone help me modify the above command so that I can find users,
>>>>>> using their email address, who are also members of a particular group?
>>>>>> Preferably using one command.
>>>>>
>>>>> Dan-
>>>>>
>>>>> It looks like you are missing the cn=accounts in your filter:
>>>>>
>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com \
>>>>>   "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))" \
>>>>>   -x ...
>>>>
>>>> Thanks for spotting that, it was an error from when I was removing my
>>>> domain information.
>>>>
>>>> However, the problem remains that the memberOf attributes don't exist
>>>> in FreeIPA V2, so I need to figure out another way to do the search.
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>
>>> memberof should exist. memberof should be calculated on the fly from the
>>> member information. I'm not sure why you aren't seeing it.
>>>
>>> You can try this, substituting for your domain:
>>>
>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl \
>>>     -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>>>
>>> This should rebuild the memberof values.
>>
>> Thanks for the tip, but it doesn't seem to be working. I run the
>> command and get a response. It says:
>>
>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf
>> task, cn=tasks, cn=config"
>> modify complete
>>
>> But the memberOf attributes don't appear (on either server - I have 2
>> servers replicating).
>>
>> There are a couple of suspicious errors in the dirsrv log file:
>>
>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
>> entries set up under cn=ng, cn=compat, dc=example,dc=com
>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
>> entries set up under ou=SUDOers, dc=example,dc=com
>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
>> should be added before the CoS Definition.
>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
>> should be added before the CoS Definition.
>>
>> The other server contains similar lines and also shows some errors
>> when I rebooted the first server. But eventually it shows:
>>
>> Replication bind with GSSAPI auth resumed
>>
>> So I guess it's all OK?
>
> I don't see any problems there.
>
> Do you have objectclass: inetUser in your user entries?

Yep. That attribute exists for all of the users that I checked.

Dan
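Two points from the thread that are easy to get wrong in practice: the `${email_address}` substitution builds an LDAP filter from caller-supplied input (so the value should be escaped per RFC 4515 before it is spliced in), and when `memberOf` is not populated the only record of membership is the group's `member` attribute, which means a two-step lookup. The following is an added example written for this post, not code from the thread or from FreeIPA: it builds the escaped filter for the `memberOf` case, and implements the fallback by intersecting users matched on `mail` with the group's `member` DNs. The base DN, `cn=users,cn=accounts,...`, `cn=groups,cn=accounts,...` and the group name `usergroup` are taken from the thread; the sample user and group entries, and the `normalize_dn` helper (which assumes DNs without escaped commas), are constructed assumptions for offline use.

```python
"""Added example (not from the Freeipa-users thread): escaped LDAP filter
construction plus a member-attribute fallback for when memberOf is absent."""

BASE_DN = "dc=example,dc=com"                     # from the thread
USERS_DN = f"cn=users,cn=accounts,{BASE_DN}"      # from the thread
GROUPS_DN = f"cn=groups,cn=accounts,{BASE_DN}"    # from the thread

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Characters with special meaning in a DN (RFC 4514); a group name containing
# one would need DN escaping as well, so this example refuses such names.
_DN_SPECIAL = set(',+"\\<>;#=')


def escape_filter_value(value: str) -> str:
    """Escape a value so that it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(email: str, group_cn: str) -> str:
    """Filter matching a user with the given mail that is memberOf the group.

    Mirrors the corrected ldapsearch filter from the thread, with both
    interpolated values escaped instead of pasted in raw.
    """
    if any(ch in _DN_SPECIAL for ch in group_cn):
        raise ValueError("group name contains DN-special characters; escape per RFC 4514")
    group_dn = f"cn={escape_filter_value(group_cn)},{GROUPS_DN}"
    return f"(&(mail={escape_filter_value(email)})(memberOf={group_dn}))"


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison (assumption: no escaped commas in the DN).

    Directory servers compare DNs case-insensitively and ignore whitespace
    around the separators, so 'uid=Alice, cn=users,...' and
    'uid=alice,cn=users,...' name the same entry.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def users_in_group_with_mail(users, group_entry, email: str):
    """Fallback when memberOf is missing: two lookups joined client-side.

    `users` is the result of searching the users container for (mail=...),
    `group_entry` is the group's own entry with its `member` attribute.
    Returns the DNs of users with that mail address that the group lists.
    """
    member_dns = {normalize_dn(dn) for dn in group_entry.get("member", [])}
    wanted = email.lower()
    return [
        u["dn"]
        for u in users
        if any(m.lower() == wanted for m in u.get("mail", []))
        and normalize_dn(u["dn"]) in member_dns
    ]


# Constructed sample entries (not real data): two users and one group whose
# member value has a stray space after the first comma, as replicas sometimes do.
SAMPLE_USERS = [
    {"dn": f"uid=alice,{USERS_DN}", "mail": ["alice@example.com"]},
    {"dn": f"uid=bob,{USERS_DN}", "mail": ["bob@example.com"]},
]
SAMPLE_GROUP = {
    "dn": f"cn=usergroup,{GROUPS_DN}",
    "member": [f"uid=alice, {USERS_DN}"],
}

if __name__ == "__main__":
    print(build_filter("alice@example.com", "usergroup"))
    print(build_filter("*)(uid=*", "usergroup"))   # injection attempt is neutralised
    print(users_in_group_with_mail(SAMPLE_USERS, SAMPLE_GROUP, "alice@example.com"))
    print(users_in_group_with_mail(SAMPLE_USERS, SAMPLE_GROUP, "bob@example.com"))
```

In a real deployment the `users` list would come from an `ldapsearch -b cn=users,cn=accounts,... "(mail=...)"` and `group_entry` from a base-scope search on the group DN; the join is done client-side precisely because, without `memberOf`, no single filter can express it.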