[Freeipa-users] LDAP search for email address of user in a particular group

Rich Megginson rmeggins at redhat.com
Fri Nov 4 23:38:06 UTC 2011


On 11/04/2011 05:12 PM, Dan Scott wrote:
> On Fri, Nov 4, 2011 at 19:07, Rich Megginson<rmeggins at redhat.com>  wrote:
>> On 11/04/2011 04:51 PM, Dan Scott wrote:
>>> Hi,
>>>
>>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden<rcritten at redhat.com>    wrote:
>>>> Dan Scott wrote:
>>>>> Hi,
>>>>>
>>>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram<sbingram at gmail.com>
>>>>>   wrote:
>>>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott<danieljamesscott at gmail.com>
>>>>>>   wrote:
>>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))" -x
>>>>>>>
>>>>>>> In version 2, it looks like the memberOf attributes have been removed
>>>>>>> from the user entries and the user group membership information is
>>>>>>> stored only in the 'member' attribute of the individual group entries.
>>>>>>>
>>>>>>> Can someone help me modify the above command so that I can find users,
>>>>>>> using their email address, who are also members of a particular group?
>>>>>>> Preferably using one command.
>>>>>> Dan-
>>>>>>
>>>>>> It looks like you are missing the cn=accounts in your filter:
>>>>>>
>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))" -x ...
>>>>> Thanks for spotting that, it was an error from when I was removing my
>>>>> domain information.
>>>>>
>>>>> However, the problem remains that the memberOf attributes don't exist
>>>>> in FreeIPA V2, so I need to figure out another way to do the search.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Dan
>>>> memberof should exist. memberof should be calculated on the fly from the
>>>> member information. I'm not sure why you aren't seeing it.
>>>>
>>>> You can try this, substituting for your domain:
>>>>
>>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>>>>
>>>> This should rebuild the memberof values.
>>> Thanks for the tip, but it doesn't seem to be working. I run the
>>> command and get a response. It says:
>>>
>>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf task, cn=tasks, cn=config"
>>> modify complete
>>>
>>> But the memberOf attributes don't appear (on either server - I have 2
>>> servers replicating).
>>>
>>> There are a couple of suspicious errors in the dirsrv log file:
>>>
>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
>>> entries set up under cn=ng, cn=compat, dc=example,dc=com
>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
>>> entries set up under ou=SUDOers, dc=example,dc=com
>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
>>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
>>> should be added before the CoS Definition.
>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
>>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
>>> should be added before the CoS Definition.
>>>
>>> The other server contains similar lines and also shows some errors
>>> when I rebooted the first server. But eventually it shows:
>>>
>>> Replication bind with GSSAPI auth resumed
>>>
>>> So I guess it's all OK?
>> I don't see any problems there.
>>
>> Do you have objectclass: inetUser in your user entries?
> Yep. That attribute exists for all of the users that I checked.
Find a user that should exist in a group, e.g. uid=dscott,...the rest of 
the dn...
Do a search for the group that should contain that user, e.g.
ldapsearch -x -b dc=example,dc=com '(member=uid=dscott,...the rest of the 
dn...)'

Does it return the group entry?
> Dan
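The two searches discussed in this thread (user by mail plus memberOf, and the group's member attribute as a cross-check), as an added example that is not code from the thread or from FreeIPA. The shell command above interpolates ${email_address} straight into the filter; this builds the same filters with RFC 4515/4514 escaping so an address like `*)(uid=*` cannot rewrite the filter. It assumes the dc=example,dc=com tree used in the thread.

```python
"""Build the LDAP filters from this thread without string-interpolation bugs."""

USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"    # tree from the thread
GROUPS_BASE = "cn=groups,cn=accounts,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape the filter metacharacters in an assertion value.

    Without this, an email such as '*)(uid=*' changes the filter's structure
    (LDAP injection) instead of being matched as a literal address.
    """
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape an attribute value for use inside a DN (here the group cn)."""
    out = "".join("\\" + c if c in '\\,+"<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def group_dn(group_cn: str) -> str:
    return "cn=%s,%s" % (escape_dn_value(group_cn), GROUPS_BASE)


def user_by_mail_in_group(email: str, group_cn: str) -> str:
    """Dan's filter with balanced parentheses and the cn=accounts component.

    memberOf holds the group DN; that DN string is itself a filter value, so it
    is escaped again with the filter rules (DN backslashes become \\5c).
    """
    return "(&(mail=%s)(memberOf=%s))" % (
        escape_filter_value(email), escape_filter_value(group_dn(group_cn)))


def group_containing_user(user_dn: str) -> str:
    """Rich's cross-check: ask the group entries whether 'member' holds the user DN."""
    return "(member=%s)" % escape_filter_value(user_dn)


def ldapsearch_argv(base: str, ldap_filter: str, *attrs: str) -> list:
    """argv for the simple-bind (-x) ldapsearch used in the thread; hand to subprocess.run."""
    return ["ldapsearch", "-x", "-b", base, ldap_filter, *attrs]


if __name__ == "__main__":
    print(" ".join(ldapsearch_argv(USERS_BASE,
                                   user_by_mail_in_group("dscott@example.com", "usergroup"),
                                   "mail", "memberOf")))
```

Run the second filter against GROUPS_BASE with the user's full DN; if that returns the group while the first returns nothing, the member data is present and memberOf has not been regenerated.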