[Freeipa-users] LDAP search for email address of user in a particular group

Rich Megginson rmeggins at redhat.com
Fri Nov 4 23:07:50 UTC 2011


On 11/04/2011 04:51 PM, Dan Scott wrote:
> Hi,
>
> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden<rcritten at redhat.com>  wrote:
>> Dan Scott wrote:
>>> Hi,
>>>
>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram<sbingram at gmail.com>    wrote:
>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott<danieljamesscott at gmail.com>
>>>>   wrote:
>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))" -x
>>>>>
>>>>> In version 2, it looks like the memberOf attributes have been removed
>>>>> from the user entries and the user group membership information is
>>>>> stored only in the 'member' attribute of the individual group entries.
>>>>>
>>>>> Can someone help me modify the above command so that I can find users,
>>>>> using their email address, who are also members of a particular group?
>>>>> Preferably using one command.
>>>> Dan-
>>>>
>>>> It looks like you are missing the cn=accounts in your filter:
>>>>
>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))" -x ...
>>> Thanks for spotting that, it was an error from when I was removing my
>>> domain information.
>>>
>>> However, the problem remains that the memberOf attributes don't exist
>>> in FreeIPA V2, so I need to figure out another way to do the search.
>>>
>>> Thanks,
>>>
>>> Dan
>> memberof should exist. memberof should be calculated on the fly from the
>> member information. I'm not sure why you aren't seeing it.
>>
>> You can try this, substituting for your domain:
>>
>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>>
>> This should rebuild the memberof values.
> Thanks for the tip, but it doesn't seem to be working. I run the
> command and get a response. It says:
>
> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf task, cn=tasks, cn=config"
> modify complete
>
> But the memberOf attributes don't appear (on either server - I have 2
> servers replicating).
>
> There are a couple of suspicious errors in the dirsrv log file:
>
> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=example,dc=com
> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=example,dc=com
> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>
> The other server contains similar lines and also shows some errors
> when I rebooted the first server. But eventually it shows:
>
> Replication bind with GSSAPI auth resumed
>
> So I guess it's all OK?
I don't see any problems there.

Do you have objectclass: inetUser in your user entries?
> Thanks,
>
> Dan
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
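Two things a practitioner would want alongside this thread, as an added example that is not code from the thread, from the posters, or from FreeIPA itself (Python, standard library only). First, the compound filter with the mail value escaped per RFC 4515: the commands above interpolate ${email_address} straight into the filter string, which is an LDAP filter injection vector whenever the address is not fully trusted. Second, the "another way to do the search" Dan asks for when memberOf is absent from user entries: fetch the group's member DNs and the users carrying the mail address, then intersect client-side. The LDIF below is constructed to stand in for `ldapsearch -LLL` output; the users, DNs and addresses in it are made up for the example.

```python
"""Added example (not from the thread or FreeIPA): escape an LDAP filter value,
build the mail+memberOf filter, and fall back to a client-side intersection
when user entries carry no memberOf attribute."""
import base64


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, s. 3).
    Unescaped, an address such as '*)(uid=admin' would rewrite the filter."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def mail_in_group_filter(email, group_dn):
    """Filter for users with this mail who carry memberOf=group_dn.
    Only useful when the memberOf plugin has populated the user entries."""
    return '(&(mail=%s)(memberOf=%s))' % (escape_filter_value(email),
                                          escape_filter_value(group_dn))


def parse_ldif(text):
    """Parse the minimal LDIF `ldapsearch -LLL` prints into a list of
    (dn, {attr: [values]}) tuples. Handles folded lines (leading space) and
    base64 values ('attr:: ...'). Assumes well-formed input."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith('#'):
            continue
        attr, _, rest = line.partition(':')
        if rest.startswith(':'):
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        if attr.lower() == 'dn':
            current = (value, {})
        else:
            current[1].setdefault(attr.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def users_with_mail_in_group(user_entries, group_entry, email):
    """Client-side equivalent of the compound filter for a server whose users
    lack memberOf: intersect the group's 'member' DNs with the users whose
    mail matches. Mail compares case-insensitively (its equality rule is
    caseIgnoreIA5Match); lowercasing DNs is a simplification of full DN
    normalisation that is adequate for IPA-generated DNs."""
    members = {dn.lower() for dn in group_entry[1].get('member', [])}
    wanted = email.lower()
    return [dn for dn, attrs in user_entries
            if dn.lower() in members
            and any(m.lower() == wanted for m in attrs.get('mail', []))]


# Constructed sample data standing in for `ldapsearch -LLL` output;
# every user, DN and address here is made up for this example.
GROUP_DN = 'cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com'
SAMPLE_GROUP_LDIF = """\
dn: cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com
cn: usergroup
member: uid=dscott,cn=users,cn=accounts,dc=example,dc=com
member: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
"""
SAMPLE_USERS_LDIF = """\
dn: uid=dscott,cn=users,cn=accounts,dc=example,dc=com
uid: dscott
mail: dscott@example.com

dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
uid: jdoe
mail:: amRvZUBleGFtcGxlLmNvbQ==

dn: uid=outsider,cn=users,cn=accounts,dc=example,dc=com
uid: outsider
mail: dscott@example.com
"""

if __name__ == '__main__':
    print(mail_in_group_filter('dan@example.com', GROUP_DN))
    group = parse_ldif(SAMPLE_GROUP_LDIF)[0]
    users = parse_ldif(SAMPLE_USERS_LDIF)
    # only dscott: 'outsider' has the same address but is not a member
    print(users_with_mail_in_group(users, group, 'DScott@example.com'))
```

Against a live server the two inputs for the fallback come from `ldapsearch -LLL -x -b "$GROUP_DN" -s base member` (the group entry with its member values) and `ldapsearch -LLL -x -b cn=users,cn=accounts,dc=example,dc=com "(mail=<escaped address>)" mail` (the candidate users); feed each result to parse_ldif and intersect as above. Once fixup-memberof.pl has populated memberOf, the single compound filter from mail_in_group_filter does the same job in one round trip, and the escaping matters just as much there.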



