[Freeipa-users] LDAP search for email address of user in a particular group

Dan Scott danieljamesscott at gmail.com
Mon Nov 7 14:53:37 UTC 2011


On Mon, Nov 7, 2011 at 08:20, Stephen Gallagher <sgallagh at redhat.com> wrote:
> On Fri, 2011-11-04 at 17:12 -0400, Dan Scott wrote:
>> Hi,
>>
>> I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
>> almost done. I just have a few custom LDAP searches to migrate.
>>
>> With the old system, I was trying to look up users who are in a
>> particular group by their email address, i.e.
>>
>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>> -x
>>
>> In version 2, it looks like the memberOf attributes have been removed
>> from the user entries and the user group membership information is
>> stored only in the 'member' attribute of the individual group entries.
>
>
> memberOf exists, but you have to be connecting to LDAP with an
> authenticated user who has privilege to see the memberOf attribute. I
> believe (Rob can correct me) this means either an administrator or a
> host principal.
>
> So if you try doing (from an enrolled client):
>
> kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
> ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
> "(&(mail={email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>
> You should get results.

It works! Excellent. Thanks so much.

Dan
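The filter in this thread is built by interpolating an e-mail address straight into the search string, so any `*`, `(` or `)` in that value changes the meaning of the filter (a `*` turns the exact `mail=` match into a substring match). The following is an added example, not code from the thread or from FreeIPA: it builds the same `(&(mail=...)(memberOf=...))` filter with the value escaped as RFC 4515 requires, checks that the parentheses balance, and composes the GSSAPI `ldapsearch` invocation Stephen suggested. The base DN, group DN and sample addresses are constructed placeholders.

```python
"""Build the FreeIPA user-in-group filter from the thread with a safely escaped e-mail value."""
import shlex

# RFC 4515 section 3: these characters must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed placeholders, matching the DNs used in the thread.
BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"
GROUP_DN = "cn=usergroup,cn=groups,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_by_mail_filter(email: str, group_dn: str = GROUP_DN) -> str:
    """Return the thread's filter with the e-mail value escaped and both '&' clauses closed."""
    return f"(&(mail={escape_filter_value(email)})(memberOf={escape_filter_value(group_dn)}))"


def filter_is_balanced(ldap_filter: str) -> bool:
    """Check that every '(' has a matching ')' (escaped parens appear as \\28 / \\29, not literal)."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def ldapsearch_argv(email: str, base_dn: str = BASE_DN, group_dn: str = GROUP_DN) -> list:
    """Compose the GSSAPI ldapsearch call from the thread as an argv list (no shell interpolation).

    The caller is expected to have obtained a ticket first, e.g. with the host keytab:
        kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
    """
    return [
        "ldapsearch", "-Y", "GSSAPI",
        "-b", base_dn,
        member_by_mail_filter(email, group_dn),
        "uid", "mail",  # only return the attributes actually needed
    ]


if __name__ == "__main__":
    for sample in ("dan@example.com", "dan*@example.com"):  # constructed sample addresses
        argv = ldapsearch_argv(sample)
        print(shlex.join(argv))  # shlex.join quotes the filter so the shell leaves it intact
```

Passing the filter as one argv element (or through `shlex.join` when a shell string is needed) avoids the second layer of quoting problems that the line-wrapped command in the thread invites; the escaping handles the LDAP layer.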
