On Fri, Nov 4, 2011 at 19:38, Rich Megginson <[email protected]> wrote:
> On 11/04/2011 05:12 PM, Dan Scott wrote:
>>
>> On Fri, Nov 4, 2011 at 19:07, Rich Megginson <[email protected]> wrote:
>>>
>>> On 11/04/2011 04:51 PM, Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden <[email protected]>
>>>> wrote:
>>>>>
>>>>> Dan Scott wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram <[email protected]>
>>>>>> wrote:
>>>>>>>
>>>>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott <[email protected]>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>>>>>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>>>>>>>> -x
>>>>>>>>
>>>>>>>> In version 2, it looks like the memberOf attributes have been
>>>>>>>> removed from the user entries and the user group membership
>>>>>>>> information is stored only in the 'member' attribute of the
>>>>>>>> individual group entries.
>>>>>>>>
>>>>>>>> Can someone help me modify the above command so that I can find
>>>>>>>> users, using their email address, who are also members of a
>>>>>>>> particular group? Preferably using one command.
>>>>>>>
>>>>>>> Dan-
>>>>>>>
>>>>>>> It looks like you are missing the cn=accounts in your filter:
>>>>>>>
>>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>>>>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
>>>>>>> -x ...
>>>>>>
>>>>>> Thanks for spotting that, it was an error from when I was removing my
>>>>>> domain information.
>>>>>>
>>>>>> However, the problem remains that the memberOf attributes don't exist
>>>>>> in FreeIPA V2, so I need to figure out another way to do the search.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dan
>>>>>
>>>>> memberof should exist. memberof should be calculated on the fly from
>>>>> the member information. I'm not sure why you aren't seeing it.
>>>>>
>>>>> You can try this, substituting for your domain:
>>>>>
>>>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>>>>>
>>>>> This should rebuild the memberof values.
>>>>
>>>> Thanks for the tip, but it doesn't seem to be working. I run the
>>>> command and get a response. It says:
>>>>
>>>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf task, cn=tasks, cn=config"
>>>> modify complete
>>>>
>>>> But the memberOf attributes don't appear (on either server - I have 2
>>>> servers replicating).
>>>>
>>>> There are a couple of suspicious errors in the dirsrv log file:
>>>>
>>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=example,dc=com
>>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=example,dc=com
>>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>>>>
>>>> The other server contains similar lines and also shows some errors
>>>> when I rebooted the first server. But eventually it shows:
>>>>
>>>> Replication bind with GSSAPI auth resumed
>>>>
>>>> So I guess it's all OK?
>>>
>>> I don't see any problems there.
>>>
>>> Do you have objectclass: inetUser in your user entries?
>>
>> Yep. That attribute exists for all of the users that I checked.
>
> Find a user that should exist in a group e.g. uid=dscott,...the rest of the dn...
> do a search for the group that should contain that user e.g.
>
> ldapsearch -x dc=example,dc=com '(member=uid=dscott,...the rest of the dn...)'
>
> Does it return the group entry?

Not with the command as you specified. I need to add a '-b' before the
domain, i.e.

ldapsearch -x -b dc=example,dc=com '(member=uid=djscott,cn=users,cn=accounts,dc=example,dc=com)'

And then it works fine and returns all my groups.

Thanks,

Dan

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
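For readers who want to check the group side against memberOf themselves, the script below is an added example written for this page; it is not code from the thread, from 389 Directory Server or from FreeIPA. It parses a small constructed LDIF export whose DNs mirror the thread's cn=users,cn=accounts and cn=groups,cn=accounts layout, derives memberOf from the groups' member attributes the way Rob describes, answers Dan's (&(mail=...)(memberOf=...)) question from the group side so the query works even when the server's memberOf values are missing, and lists entries whose stored memberOf disagrees with the computed set, which is the drift the fixup-memberof task is meant to repair. DN normalization here is deliberately simplified (lowercase, whitespace around commas stripped) and nested groups are not followed; both are assumptions of the example, not FreeIPA behaviour.

```python
"""Membership search over an LDIF export without relying on memberOf.
Added example for the freeipa-users thread above; the sample LDIF is
constructed, not taken from the list, from 389-ds or from FreeIPA."""
from collections import defaultdict

# Constructed sample: two users and one group. alice's stored memberOf is
# stale (no cn=admins group exists) and misses the group she really belongs
# to; dscott's is consistent. One memberOf value is folded across two lines.
SAMPLE_LDIF = """\
dn: uid=dscott,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: dscott
mail: dscott@example.com
memberOf: cn=usergroup,cn=groups,cn=accounts,
 dc=example,dc=com

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetUser
uid: alice
mail: alice@example.com
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupOfNames
cn: usergroup
member: uid=dscott,cn=users,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
"""


def normalize_dn(dn):
    """Simplified DN normalization (assumption of this example): lowercase and
    strip whitespace around RDN separators. Real matching also handles escapes."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse minimal LDIF into {normalized_dn: {attr_lower: [values]}}.
    Handles folded continuation lines (leading space) and '#' comments."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current[0]] = dict(current[1])
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = (normalize_dn(value), defaultdict(list))
            elif current is not None:
                current[1][attr].append(value)
    return entries


def compute_memberof(entries):
    """Derive memberOf for every DN from the groups' member attributes, the
    relation the memberOf plugin maintains (nested groups not followed here)."""
    memberof = defaultdict(set)
    for group_dn, attrs in entries.items():
        for member in attrs.get("member", []):
            memberof[normalize_dn(member)].add(group_dn)
    return memberof


def find_users(entries, mail, group_dn, base_dn):
    """Answer (&(mail=<mail>)(memberOf=<group_dn>)) under base_dn from the
    group side, so it works even when the server's memberOf values are missing."""
    memberof = compute_memberof(entries)
    base, group = normalize_dn(base_dn), normalize_dn(group_dn)
    hits = []
    for dn, attrs in entries.items():
        in_scope = dn == base or dn.endswith("," + base)
        mails = {m.lower() for m in attrs.get("mail", [])}   # mail matches case-insensitively
        if in_scope and mail.lower() in mails and group in memberof.get(dn, set()):
            hits.append(dn)
    return sorted(hits)


def memberof_drift(entries):
    """Report entries whose stored memberOf differs from the computed set as
    {dn: (missing_groups, stale_groups)}; this is what fixup-memberof repairs."""
    memberof = compute_memberof(entries)
    drift = {}
    for dn, attrs in entries.items():
        stored = {normalize_dn(v) for v in attrs.get("memberof", [])}
        computed = memberof.get(dn, set())
        if stored != computed:
            drift[dn] = (computed - stored, stored - computed)
    return drift


ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Run against a real export (ldapsearch -x -b dc=example,dc=com '(objectclass=*)' saved to a file), memberof_drift is a quick way to tell whether the fixup task actually rewrote anything, and find_users gives the same answer as the memberOf filter without depending on it.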
