<div class="gmail_quote">On Thu, May 16, 2013 at 6:48 PM, William Muriithi <<a href="mailto:william.muriithi@gmail.com" target="_blank">william.muriithi@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Afternoon, Got a question, I know FreeIPA does not allow anonymous binding so if one need to create an account to query for such information. I did this during the sudo setup. </blockquote><div>unless you have changed it yourself (or stuff has changed in the standard installation since v2.2 when I installed my ipa servers) anonymous binding is allowed. But you cannot query group membership of the users IIRC anonymously. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am trying to get git to use FreeIPA today and I trying to figure where the bind user should be created under. This got to be a system account, so I am not sure it should go under the normal user dn below. And even if I created it as normal user, I am not sure it would have permission to transverse the tree looking for the group user details dn: uid=william,cn=users,cn= compat,dc=example,dc=com</blockquote><div>system accounts like sudo are in cn=sysaccounts,cn=etc,dc=domain,dc=tld ; but you can create them wherever you like I think. If you create a normal ipa account with the ipa tools, you can always modify the krbPasswordExpiration attribute manually and have it expire in the year 3000 so it does not get disabled until then ;-) </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Here is the script that interacts with FreeIPA, whats the best way to get the script working with FreeIPA? <a href="http://gitolite.googlecode.com/git-history/v2.0.2/contrib/ldap/ldap-query-example.pl" target="_blank">http://gitolite.googlecode.com/git-history/v2.0.2/contrib/ldap/ldap-query-example.pl</a></blockquote><div> god, what a bad Perl script you have found :-) Shame, this stuff is what gives perl a bad rep. Without rewriting it (would take me 10 minutes), to conform to modern perl best practices, you could get going by: <pre># Bind to LDAP with proper user $ldapret = $ldap->bind( 'cn=administrator,o=company', password => '5ecretpa55w0rd' ); modify the bind with your user you just created. # Execute the actual LDAP search to get groups for the given UID $ldapret = $ldap->search( base => 'ou=users,ou=department,o=company', scope => 'subtree', filter => $filter ); modify with base => 'cn=groups,cn=accounts,dc=domain,dc=nx', that should do it. In a while after the kids are put to bed I can test it. -- groet, natxo </pre></div></div>