[Freeipa-users] LDAP search for email address of user in a particular group

Dan Scott danieljamesscott at gmail.com
Sat Nov 5 13:00:14 UTC 2011


On Fri, Nov 4, 2011 at 19:38, Rich Megginson <rmeggins at redhat.com> wrote:
> On 11/04/2011 05:12 PM, Dan Scott wrote:
>>
>> On Fri, Nov 4, 2011 at 19:07, Rich Megginson<rmeggins at redhat.com>  wrote:
>>>
>>> On 11/04/2011 04:51 PM, Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden<rcritten at redhat.com>
>>>>  wrote:
>>>>>
>>>>> Dan Scott wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram<sbingram at gmail.com>
>>>>>>  wrote:
>>>>>>>
>>>>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott<danieljamesscott at gmail.com>
>>>>>>>  wrote:
>>>>>>>>
>>>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com \
>>>>>>>>   "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))" -x
>>>>>>>>
>>>>>>>> In version 2, it looks like the memberOf attributes have been
>>>>>>>> removed
>>>>>>>> from the user entries and the user group membership information is
>>>>>>>> stored only in the 'member' attribute of the individual group
>>>>>>>> entries.
>>>>>>>>
>>>>>>>> Can someone help me modify the above command so that I can find
>>>>>>>> users,
>>>>>>>> using their email address, who are also members of a particular
>>>>>>>> group?
>>>>>>>> Preferably using one command.
>>>>>>>
>>>>>>> Dan-
>>>>>>>
>>>>>>> It looks like you are missing the cn=accounts in your filter:
>>>>>>>
>>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com \
>>>>>>>   "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))" -x ...
>>>>>>
>>>>>> Thanks for spotting that, it was an error from when I was removing my
>>>>>> domain information.
>>>>>>
>>>>>> However, the problem remains that the memberOf attributes don't exist
>>>>>> in FreeIPA V2, so I need to figure out another way to do the search.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dan
>>>>>
>>>>> memberof should exist. memberof should be calculated on the fly from
>>>>> the
>>>>> member information. I'm not sure why you aren't seeing it.
>>>>>
>>>>> You can try this, substituting for your domain:
>>>>>
>>>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>>>>>
>>>>> This should rebuild the memberof values.
>>>>
>>>> Thanks for the tip, but it doesn't seem to be working. I run the
>>>> command and get a response. It says:
>>>>
>>>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf task, cn=tasks, cn=config"
>>>> modify complete
>>>>
>>>> But the memberOf attributes don't appear (on either server - I have 2
>>>> servers replicating).
>>>>
>>>> There are a couple of suspicious errors in the dirsrv log file:
>>>>
>>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=example,dc=com
>>>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=example,dc=com
>>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>>>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>>>>
>>>> The other server contains similar lines and also shows some errors
>>>> when I rebooted the first server. But eventually it shows:
>>>>
>>>> Replication bind with GSSAPI auth resumed
>>>>
>>>> So I guess it's all OK?
>>>
>>> I don't see any problems there.
>>>
>>> Do you have objectclass: inetUser in your user entries?
>>
>> Yep. That attribute exists for all of the users that I checked.
>
> Find a user that should exist in a group e.g. uid=dscott,...the rest of the
> dn...
> do a search for the group that should contain that user e.g.
> ldapsearch -x dc=example,dc=com '(member=uid=dscott,...the rest of the
> dn...)'
>
> Does it return the group entry?

Not with the command as you specified.

I need to add a '-b' before the domain. i.e.

ldapsearch -x -b dc=example,dc=com '(member=uid=djscott,cn=users,cn=accounts,dc=example,dc=com)'

And then it works fine and returns all my groups.

Thanks,

Dan
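As an added example (not code from the thread or from FreeIPA), the one-command filter discussed above built with RFC 4515 escaping of the interpolated `${email_address}`, plus the fallback Dan ends up using: checking the group's `member` attribute when `memberOf` is absent. The in-memory `DIRECTORY` dict and all entries in it are constructed stand-ins for the real directory; function names are hypothetical.

```python
# RFC 4515 filter escaping: a value spliced into a filter (like ${email_address}
# in the shell commands above) must not be able to change the filter structure.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape every special character so the value is matched literally."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_in_group_filter(email: str, group_dn: str) -> str:
    """The thread's one-command filter (mail AND memberOf), with both values escaped."""
    return f"(&(mail={escape_filter_value(email)})(memberOf={escape_filter_value(group_dn)}))"


def member_filter(user_dn: str) -> str:
    """Filter for the fallback search: which group entries list this user in 'member'."""
    return f"(member={escape_filter_value(user_dn)})"


# Constructed sample entries (not real data): one user, one group that lists the user.
# The user entry deliberately has no memberOf, mirroring the symptom in the thread.
USER_DN = "uid=djscott,cn=users,cn=accounts,dc=example,dc=com"
GROUP_DN = "cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com"
DIRECTORY = {
    USER_DN: {"mail": ["djscott@example.com"], "memberOf": []},
    GROUP_DN: {"member": [USER_DN]},
}


def find_users_in_group(directory: dict, email: str, group_dn: str) -> list:
    """Return DNs of users whose mail matches and who are in group_dn.

    Membership is accepted either from the user's memberOf attribute (the
    memberof plugin's view) or from the group's own member attribute (the
    authoritative value the fixup task rebuilds memberOf from).
    """
    group_members = set(directory.get(group_dn, {}).get("member", []))
    hits = []
    for dn, attrs in directory.items():
        if email not in attrs.get("mail", []):
            continue
        if group_dn in attrs.get("memberOf", []) or dn in group_members:
            hits.append(dn)
    return hits


if __name__ == "__main__":
    print(user_in_group_filter("djscott@example.com", GROUP_DN))
    print(find_users_in_group(DIRECTORY, "djscott@example.com", GROUP_DN))
```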
