Thanks, Rob.

I will give it a try.

I made a posix group to use for application access - call it "nnmi_access"

I can ldapsearch using

(&(objectclass=groupofnames)(cn=nnmi_access)) member

and get back the members of the group like this:
member:  uid=foobar,cn=users,cn=accounts,dc=…

So then the roleBase is "member", but what should the roleContextDN be?
Maybe   cn=nnmi_access,cn=groups,…,dc=…   ?
______________________________________________________________________________________________

Daniel E. White
daniel.e.wh...@nasa.gov<mailto:daniel.e.wh...@nasa.gov>
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
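As an added worked example (my code, not NNMi's or FreeIPA's), this emulates the NNMi roleSearch lookup against a constructed LDIF sample laid out like the FreeIPA tree Rob describes (groups under cn=groups,cn=accounts, membership in the member attribute). It assumes NNMi expands {1} to the authenticated user's full DN, which is what the member values seen in the ldapsearch output require.

```python
# Constructed sample of what ldapsearch returns from FreeIPA's flat tree (not real data).
SAMPLE_LDIF = """\
dn: cn=nnmi_access,cn=groups,cn=accounts,dc=example,dc=test
cn: nnmi_access
objectClass: groupofnames
member: uid=foobar,cn=users,cn=accounts,dc=example,dc=test
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
cn: admins
objectClass: groupofnames
member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}), folding continuation lines."""
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]          # RFC 2849 continuation line
        else:
            folded.append(line)
    entries, current = [], None
    for line in folded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries

def roles_for_user(user_dn, entries, role_context_dn, role_base="member={1}"):
    """Emulate the role lookup: substitute the user's DN for {1} (assumption about NNMi's
    placeholder) and return the cn of each group under roleContextDN listing that DN."""
    attr, _, pattern = role_base.partition("=")
    wanted = pattern.replace("{1}", user_dn).lower()
    roles = []
    for dn, attrs in entries:
        if not dn.lower().endswith("," + role_context_dn.lower()):
            continue                        # outside the group container: not a role source
        if wanted in (v.lower() for v in attrs.get(attr.lower(), [])):
            roles.extend(attrs.get("cn", []))
    return sorted(roles)
```

With roleContextDN set to the users container instead of the groups container the lookup returns no roles at all, which is the symptom to check for when NNMi authenticates a user but grants nothing.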

From: Rob Crittenden <rcrit...@redhat.com>
Date: Thursday, December 5, 2019 at 13:33
To: Daniel White <daniel.e.wh...@nasa.gov>, FreeIPA users list 
<freeipa-users@lists.fedorahosted.org>
Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and 
MicroFocus Network Automation ?

White, Daniel E. (GSFC-770.0)[NICS] wrote:
Finally found a reference:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.microfocus.com_itom_Network-5FNode-5FManager-5Fi-3A10.50_Administer_NNMi-5FDeployment_Advanced-5FConfigurations_Deploy-5FLDAP-23Task5&d=DwIFaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=-vUmbBnoTfNI-zKnzWW6m6uqDV7j73rvQYUz80xu5eQ&s=1uIsloZkAjEvieT-PMk8o_r4bo428Biq2IMkxG7hCZ0&e=

<roleSearch>

Placeholder element to include the user role information.
<roleBase>/member/={1}</roleBase>

Replace /member/ with the name of the group attribute that stores the
directory service user ID in the directory service domain.
<roleContextDN>
</roleContextDN>

Specify the portion of the directory service domain that stores group
records.
The format is a comma-separated list of directory service attribute
names and values. For example:
/For Microsoft Active Directory/
CN=Users,DC=ldapserver,DC=mycompany,DC=com
/For other LDAP technologies/
ou=Groups,o=/example/.com
</roleSearch>

My gosh their documentation is...interesting.

For the domain example.test you'd use the following configuration:

Users are stored in cn=users,cn=accounts,dc=example,dc=test
Groups are stored in cn=groups,cn=accounts,dc=example,dc=test

Groups use the member attribute.

Users use memberof.

Note too that I saw in their documentation that the administrator user
account must be unique. IPA uses the account 'admin' just like MNA, so
be aware that one side will need to be changed.

FreeIPA/IdM does not support OU's
https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_freeipa_issue_2973&d=DwIFaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=-vUmbBnoTfNI-zKnzWW6m6uqDV7j73rvQYUz80xu5eQ&s=E4NjjvntHCD2Y-RmDMQn63BHNs0DF4FV47TfK9r62i4&e=

FWIW, Rob, you closed that RFE

IPA uses a flat tree. Lots of LDAP admins over the years have tried to
reflect a company's organization using OU's with "interesting" results,
particularly as teams are re-organized, acquisitions, etc. You end up
moving entries around for artificial reasons (Tech Support is now called
Global User Support, rename the OU tomorrow).

rob

Any suggestions other than to gripe to the other vendor?

______________________________________________________________________________________________

Daniel E. White
daniel.e.wh...@nasa.gov<mailto:daniel.e.wh...@nasa.gov>
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Rob Crittenden <rcrit...@redhat.com>
Date: Wednesday, December 4, 2019 at 17:55
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Daniel White <daniel.e.wh...@nasa.gov>
Subject: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and
MicroFocus Network Automation ?

White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
     Despite the fact that we selected "Generic LDAP" rather than "Active
     Directory", it is still looking for Security Groups and Organization
     Units.

I've never used it and couldn't find much in their docs. Do you have
more information on what the configuration screen looks like and what
the 389-ds access log is showing?

rob




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org