Thanks a lot Flo.

________________________________
From: Florence Blanc-Renaud <[email protected]>
Sent: 20 May 2022 13:12
To: FreeIPA users list <[email protected]>
Cc: Angus Clarke <[email protected]>
Subject: Re: [Freeipa-users] hostgroup automember rules
Hi,

On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users <[email protected]> wrote:

> Hello
>
> FreeIPA 4.6.8
>
> We are very happy with hostgroup automember rules based on the servername attribute; however, one of our internal customers uses a generic servername template for all of their servers regardless of their function.
>
> So I'm wondering what other attributes I might use for hostgroup automember - perhaps some of the attributes can be configured by ipa-client-install (the host's "description" field perhaps), although I don't see such mention in the man page ...
>
> Presumably they could use a different enrollment user ("enrolledby") for each of their hostgroup functions (not ideal).
>
> There are various attribute fields in the WebUI but I don't find much documentation for them. What is the "|" field - perhaps I can exploit this somehow?

The automember group functionality is described in this chapter: Automating group membership using IdM CLI <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/automating-group-membership-using-idm-cli_managing-users-groups-hosts#doc-wrapper>.

You can define a new hostgroup with an automember rule based on any attribute defined in the schema. Just be aware that the conditions are defined using Perl-compatible regular expressions (PCRE) format.

The 'l' attribute is an alias for 'locality' or 'localityname' and can contain any string.

For any attribute you can find its description in the LDAP schema. The host entries have multiple object classes. For instance if you run

    ipa host-show server.ipa.test --all --raw

you can see all its objectclasses:

    objectClass: top
    objectClass: ipaobject
    objectClass: nshost
    objectClass: ipahost
    objectClass: ipaservice
    objectClass: pkiuser
    objectClass: krbprincipalaux
    objectClass: krbprincipal
    objectClass: krbticketpolicyaux
    objectClass: ipasshhost
    objectClass: ipaSshGroupOfPubKeys

Each object class defines the mandatory/optional attributes that the entry can contain. For instance, in order to find the attributes for the nshost objectclass:

    ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base objectclasses | grep -i nshost
    objectclasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )

The nshost objectclass allows the presence of serverhostname, description, l etc...

Now to find what description can contain:

    ldapsearch -LLL -o ldif-wrap=no -b cn=schema -s base attributetypes | grep -i description
    attributetypes: ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 4519' )

The SYNTAX part defines the type of data (RFC 4517 <https://datatracker.ietf.org/doc/html/rfc4517#section-3.3.6> defines 1.3.6.1.4.1.1466.115.121.1.15 as a DirectoryString).

With this knowledge, you can pick an attribute where you want to store information that can be used to group the hosts together, and create the matching rule using this attribute.

If you are curious about LDAP schema in general, you can read RFC 4519 <https://www.ietf.org/rfc/rfc4519.txt>.

HTH,
flo

> Any advice gladly received.
>
> Thanks a lot
> Angus
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
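A dry-run of the two steps Flo describes, added here as an example that is not from the thread or from FreeIPA itself: it parses the nsHost objectclass line quoted above to confirm an attribute (here 'l') is permitted on host entries, then evaluates automember-style inclusive/exclusive regex conditions against a host's attribute values so a rule can be checked before it is applied. It assumes the 389-ds automember plugin's documented semantics (any matching inclusive condition adds the host; an exclusive match takes precedence) and uses Python's re module, which is close to but not identical to the PCRE the plugin evaluates; the hostname, description, group names and regexes are constructed.

```python
import re
# Constructed copy of the nsHost objectclass line as the thread's "ldapsearch ... | grep -i nshost" prints it.
NSHOST_SCHEMA = (
    "( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top "
    "STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLocation "
    "$ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )"
)
def schema_attrs(objectclass_def, keyword):
    """Attribute names listed after MUST or MAY in an objectclass definition (RFC 4512 syntax)."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*?)\s*\)|(\S+))" % keyword, objectclass_def)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip().lower() for a in body.split("$")]

def parse_raw(text):
    """Turn `ipa host-show --all --raw` style 'attr: value' lines into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

# Constructed host entry in `ipa host-show --all --raw` format (only the attributes used below).
HOST_RAW = """\
fqdn: srv0042.ipa.test
l: datacenter-east
description: web frontend, customer X
objectClass: nshost
"""

# Constructed rules, group -> attr -> (inclusive, exclusive), as `ipa automember-add-condition --key=<attr>` stores them.
HOSTGROUP_RULES = {
    "webservers": {"description": ([r"(?i)\bweb\b"], [r"(?i)decommissioned"])},
    "east-hosts": {"l": ([r"^datacenter-east$"], [])},
}

def matching_hostgroups(host, rules, default_group=None):
    """Dry-run of the automember decision: an inclusive match adds the host unless an exclusive condition also matches."""
    groups = []
    for group, conds in rules.items():
        included = excluded = False
        for attr, (inclusive, exclusive) in conds.items():
            values = host.get(attr.lower(), [])
            included |= any(re.search(rx, v) for rx in inclusive for v in values)
            excluded |= any(re.search(rx, v) for rx in exclusive for v in values)
        if included and not excluded:
            groups.append(group)
    return groups or ([default_group] if default_group else [])
```

On a live server the rules themselves are created with `ipa automember-add` / `ipa automember-add-condition` and applied to existing hosts with `ipa automember-rebuild --type=hostgroup`; this script only predicts which groups a host would land in.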
