On Thu, 10 Aug 2023, Ali Sobhi via FreeIPA-users wrote:
How do I search for logins where --departmentnumber value is null?

Use LDAP searches directly. 'ipa <object>-find' commands do not allow
searching for the absence of an attribute.

$ kinit admin
$ BASEDN=$(ipa env basedn|cut -d: -f2-|tr -d ' ')
$ ldapsearch -Y GSSAPI -b cn=users,cn=accounts,$BASEDN \
    '(&(objectclass=inetorgperson)(!(departmentnumber=*)))'

Please note that the 'admin' user will be missing from this list even though
it does not have a department number. This is because its LDAP record
does not include the 'inetOrgPerson' object class and hence the
'departmentNumber' attribute is not allowed there. Normal IPA users will
have the 'inetOrgPerson' object class by default:

$ ipa config-show --all --raw|grep ipaUserObjectClasses
  ipaUserObjectClasses: top
  ipaUserObjectClasses: person
  ipaUserObjectClasses: organizationalperson
  ipaUserObjectClasses: inetorgperson
  ipaUserObjectClasses: inetuser
  ipaUserObjectClasses: posixaccount
  ipaUserObjectClasses: krbprincipalaux
  ipaUserObjectClasses: krbticketpolicyaux
  ipaUserObjectClasses: ipaobject
  ipaUserObjectClasses: ipasshuser


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
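
An added example, not part of the original message: an offline check over ldapsearch LDIF output that lists every entry without departmentNumber and marks the ones the filter above cannot return because they lack the inetOrgPerson object class. The function names, the '(uid=*)' filter in the comment and the sample entries are assumptions made for illustration; the input is assumed to be unwrapped LDIF with plain (non-base64) values.

```shell
#!/bin/sh
# Added example. Reads LDIF on stdin, for instance the output of:
#   ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -b cn=users,cn=accounts,$BASEDN \
#       '(uid=*)' uid objectClass departmentNumber
# Prints "<uid> matched" when the filter from the post would return the entry,
# and "<uid> skipped" when departmentNumber is absent but the entry has no
# inetOrgPerson object class, so that filter never sees it.
missing_department() {
    awk '
        function emit() {
            if (uid != "" && !dept)
                print uid, (inetorg ? "matched" : "skipped")
            uid = ""; dept = 0; inetorg = 0
        }
        BEGIN { FS = ": *" }
        /^$/ { emit(); next }      # a blank line ends an LDIF entry
        { attr = tolower($1); val = tolower($2) }   # LDAP names ignore case
        attr == "uid" { uid = $2 }
        attr == "departmentnumber" { dept = 1 }
        attr == "objectclass" && val == "inetorgperson" { inetorg = 1 }
        END { emit() }
    '
}

# Constructed sample entries (not real directory data).
sample_ldif() {
    cat <<'EOF'
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
uid: admin
objectClass: top
objectClass: person
objectClass: posixaccount

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
objectClass: inetOrgPerson
objectClass: posixaccount
departmentNumber: 42

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
objectClass: inetorgperson
objectClass: posixaccount
EOF
}

sample_ldif | missing_department
```

Entries reported as "skipped" are the ones an account review based only on the inetOrgPerson filter would leave out.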