[Freeipa-users] automember issues

John Moyer john.moyer at digitalreasoning.com
Tue Apr 30 19:23:36 UTC 2013


So I must have looked at the wrong server name; I just tried to add 4 more servers and none of them worked. Any more ideas? The target is specified by the rule name; test-group is the target.

Thanks, 
_____________________________________________________
John Moyer


On Apr 30, 2013, at 2:25 PM, Dmitri Pal <dpal at redhat.com> wrote:

> On 04/30/2013 02:17 PM, JR Aquino wrote:
>> On Apr 30, 2013, at 11:12 AM, John Moyer <john.moyer at digitalreasoning.com>
>> wrote:
>> 
>>> I tried adding it in addition to the current rule and that didn't work.  I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either.
>>> 
>>> This is the new output of that command you had me run earlier: 
>>> 
>>> ipa automember-find --type=hostgroup
>>> ---------------
>>> 1 rules matched
>>> ---------------
>>> Automember Rule: test-group
>>> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> 
>> Interesting.
>> 
>> What about if you just do something silly like: ".*build.*"
>> 
>> Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?
> 
> 
> Don't you need to specify target group?
> It might be that the filter is working but it is not placing it anywhere
> because nothing is specifying where to place it.
> 
> 
>> 
>>> 
>>> Thanks, 
>>> _____________________________________________________
>>> John Moyer
>>> 
>>> 
>>> On Apr 30, 2013, at 2:07 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>>> 
>>>> On Apr 30, 2013, at 11:02 AM, John Moyer <john.moyer at digitalreasoning.com>
>>>> wrote:
>>>> 
>>>>> It comes back with a ton of stuff; the row you are probably interested in is this one: 
>>>>> 
>>>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>> Bingo!
>>>> 
>>>> Ok, try to adjust your automember rule.
>>>> 
>>>> Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>> 
>>>> See if that does the trick
>>>> 
>>>>> Thanks, 
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>> 
>>>>> 
>>>>> On Apr 30, 2013, at 1:57 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>>>>> 
>>>>>> On Apr 30, 2013, at 10:52 AM, John Moyer <john.moyer at digitalreasoning.com>
>>>>>> wrote:
>>>>>> 
>>>>>>> Not a problem, here is the output
>>>>>>> 
>>>>>>> ipa automember-find --type=hostgroup
>>>>>>> ---------------
>>>>>>> 1 rules matched
>>>>>>> ---------------
>>>>>>> Automember Rule: test-group
>>>>>>> Inclusive Regex: enrolledby=build
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 1
>>>>>>> ----------------------------
>>>>>>> 
>>>>>> interesting.
>>>>>> 
>>>>>> When you do an: ipa host-show test-hostname.example.com --all --raw
>>>>>> 
>>>>>> Does it clearly show that enrolledby=build?
>>>>>> 
>>>>>>> 
>>>>>>> Thanks, 
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>> 
>>>>>>> 
>>>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>>>>>>> 
>>>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer <john.moyer at digitalreasoning.com>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>>> One thing to add is that this build user only has the following access: 
>>>>>>>>> 
>>>>>>>>> Host Administrators
>>>>>>>>> Host enrollment 
>>>>>>>>> 
>>>>>>>>> Would he need more access to do the membership?  My original thought was that technically the user is not doing the addition to the group; it's the system technically doing it, so there shouldn't be a permissions issue. 
>>>>>>>>> 
>>>>>>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user.
>>>>>>>> 
>>>>>>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread?
>>>>>>>> 
>>>>>>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed.
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> Thanks, 
>>>>>>>>> _____________________________________________________
>>>>>>>>> John Moyer
>>>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>>>>>>>>> 
>>>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer <john.moyer at digitalreasoning.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Anyone have any suggestions for using the auto member function in IPA?  I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group.   I put in an inclusive rule and the expression is just "build", but it doesn't work.  Do I need to specify more than just build in the expression area?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> That -should- be enough to catch new hosts that are built by the 'build' user.
>>>>>>>>>> 
>>>>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> "Keeping your head in the cloud"
>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>>>>>>>> GCIH | GIAC Certified Incident Handler
>>>>>>>>>> GWAPT | GIAC WebApp Penetration Tester
>>>>>>>>>> 
>>>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>>>>>>> T: +1 805.690.3478
>>>>>>>>>> C: +1 805.717.0365
>>>>>>>>>> jr.aquino at citrix.com
>>>>>>>>>> http://www.citrixonline.com
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Thanks,
>>>>>>>>>> _____________________________________________________
>>>>>>>>>> John Moyer
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>> Freeipa-users at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>> 
>> 
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
> 
> 
> 




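An offline check of the question the thread keeps returning to, whether the rule's regex matches the host's `enrolledby` value, added here as an example that is not part of the original messages. It parses the `ipa automember-find` output and the `ipa host-show --all --raw` line quoted above (embedded as constructed samples); the function names are hypothetical, and Python's `re` with an unanchored search and exclusive-wins precedence is an assumption standing in for the directory server's regex handling.

```python
import re

# Constructed sample: the `ipa automember-find --type=hostgroup` output quoted in the thread.
FIND_OUTPUT = """\
---------------
1 rules matched
---------------
  Automember Rule: test-group
  Inclusive Regex: enrolledby=build
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample: the relevant line of `ipa host-show <host> --all --raw`.
HOST_RAW = "  enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com\n"

def parse_rules(text):
    """Return {rule: {"inclusive": [(attr, regex)], "exclusive": [...]}}.
    Assumes one condition per 'Regex' line, as in the output shown in the thread."""
    rules, current = {}, None
    for line in text.splitlines():
        label, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # separator and summary lines carry no "label: value" pair
        if label == "Automember Rule":
            current = rules.setdefault(value, {"inclusive": [], "exclusive": []})
        elif label in ("Inclusive Regex", "Exclusive Regex") and current is not None:
            # Split on the first '=' only: a DN pattern contains further '=' signs.
            attr, _, pattern = value.partition("=")
            current[label.split()[0].lower()].append((attr.lower(), pattern))
    return rules

def parse_entry(text):
    """Parse 'attr: value' lines from raw host output into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.strip().partition(": ")
        if sep:
            entry.setdefault(attr.lower(), []).append(value)
    return entry

def matching_rules(rules, entry):
    """Rules whose inclusive regex hits and whose exclusive regex does not (assumed semantics)."""
    def hit(conds):
        return any(re.search(p, v) for a, p in conds for v in entry.get(a, []))
    return [n for n, r in rules.items() if hit(r["inclusive"]) and not hit(r["exclusive"])]

if __name__ == "__main__":
    print(matching_rules(parse_rules(FIND_OUTPUT), parse_entry(HOST_RAW)))
```
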
