[Freeipa-users] LDAP search for email address of user in a particular group

Stephen Gallagher sgallagh at redhat.com
Mon Nov 7 13:20:05 UTC 2011


On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote:
> Hi,
> 
> I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
> almost done. I just have a few custom LDAP searches to migrate.
> 
> With the old system, I was trying to look up users who are in a
> particular group by their email address, i.e.
> 
> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com \
> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))" \
> -x
> 
> In version 2, it looks like the memberOf attributes have been removed
> from the user entries and the user group membership information is
> stored only in the 'member' attribute of the individual group entries.
memberOf exists, but you have to be connecting to LDAP with an
authenticated user who has privilege to see the memberOf attribute. I
believe (Rob can correct me) this means either an administrator or a
host principal.

So if you try doing (from an enrolled client):

kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com \
"(&(mail={email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"

You should get results.
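As an added example (not part of this thread or of FreeIPA itself): a small Python script that builds the same memberOf filter with RFC 4515 escaping, so an address like `a)(uid=*` substituted into the filter cannot change its meaning, and runs it over a SASL/GSSAPI bind using the ticket obtained with the kinit above. It assumes python-ldap is installed, the example suffix dc=example,dc=com from the thread, and a hypothetical server URI `ldaps://ipa.example.com`.

```python
"""Find users in a FreeIPA group by e-mail over an authenticated LDAP bind.

Assumes python-ldap, a Kerberos ticket in the credential cache (for
example from `kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM`), and
the example base DNs used in the thread.
"""

USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"
GROUP_DN = "cn=usergroup,cn=groups,dc=example,dc=com"
IPA_URI = "ldaps://ipa.example.com"  # hypothetical server address

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a crafted address can rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_by_mail_filter(email: str, group_dn: str = GROUP_DN) -> str:
    """Build the thread's (&(mail=...)(memberOf=...)) filter, escaped."""
    return "(&(mail=%s)(memberOf=%s))" % (
        ldap_filter_escape(email),
        ldap_filter_escape(group_dn),
    )


def search_group_members_by_mail(email: str, uri: str = IPA_URI) -> list:
    """Run the search as the Kerberos principal; anonymous binds do not see memberOf."""
    import ldap  # python-ldap; imported here so the module loads without it
    import ldap.sasl

    conn = ldap.initialize(uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn.search_s(
        USERS_BASE,
        ldap.SCOPE_SUBTREE,
        member_by_mail_filter(email),
        ["uid", "mail", "memberOf"],
    )


if __name__ == "__main__":
    import sys

    for dn, attrs in search_group_members_by_mail(sys.argv[1]):
        print(dn, attrs.get("mail"))
```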