On Fri, Nov 4, 2011 at 19:07, Rich Megginson <rmegg...@redhat.com> wrote:
> On 11/04/2011 04:51 PM, Dan Scott wrote:
>>
>> Hi,
>>
>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden<rcrit...@redhat.com> wrote:
>>>
>>> Dan Scott wrote:
>>>>
>>>> Hi,
>>>>
>>>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram<sbing...@gmail.com> wrote:
>>>>>
>>>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott<danieljamessc...@gmail.com> wrote:
>>>>>>
>>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com" -x
>>>>>>
>>>>>> In version 2, it looks like the memberOf attributes have been removed
>>>>>> from the user entries and the user group membership information is
>>>>>> stored only in the 'member' attribute of the individual group entries.
>>>>>>
>>>>>> Can someone help me modify the above command so that I can find users,
>>>>>> using their email address, who are also members of a particular group?
>>>>>> Preferably using one command.
>>>>>
>>>>> Dan-
>>>>>
>>>>> It looks like you are missing the cn=accounts in your filter:
>>>>>
>>>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com "(&mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com)" -x ...
>>>>
>>>> Thanks for spotting that, it was an error from when I was removing my
>>>> domain information.
>>>>
>>>> However, the problem remains that the memberOf attributes don't exist
>>>> in FreeIPA V2, so I need to figure out another way to do the search.
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>
>>> memberof should exist. memberof should be calculated on the fly from the
>>> member information. I'm not sure why you aren't seeing it.
>>>
>>> You can try this, substituting for your domain:
>>>
>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>>>
>>> This should rebuild the memberof values.
>>
>> Thanks for the tip, but it doesn't seem to be working. I run the
>> command and get a response. It says:
>>
>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf task, cn=tasks, cn=config"
>> modify complete
>>
>> But the memberOf attributes don't appear (on either server - I have 2
>> servers replicating).
>>
>> There are a couple of suspicious errors in the dirsrv log file:
>>
>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat, dc=example,dc=com
>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=example,dc=com
>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.
>>
>> The other server contains similar lines and also shows some errors
>> when I rebooted the first server. But eventually it shows:
>>
>> Replication bind with GSSAPI auth resumed
>>
>> So I guess it's all OK?
>
> I don't see any problems there.
>
> Do you have objectclass: inetUser in your user entries?

Yep. That attribute exists for all of the users that I checked.

Dan
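
The search filter discussed in this thread interpolates ${email_address} straight into the filter string. The following is an added example, not part of the original messages: it builds the same mail-plus-memberOf filter with the value escaped per RFC 4515 and checks that the parentheses nest correctly before the filter is handed to ldapsearch. The function names and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is replaced first so later escapes are not double-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build "(&(mail=<value>)(memberOf=<group DN>))".
# $1 = untrusted mail value, $2 = group DN (assumed to be a trusted constant).
build_filter() {
    printf '(&(mail=%s)(memberOf=%s))' "$(ldap_escape "$1")" "$2"
}

# Succeed only if every "(" is closed and nesting never goes negative.
parens_balanced() {
    printf '%s' "$1" | awk '
        { for (i = 1; i <= length($0); i++) {
              ch = substr($0, i, 1)
              if (ch == "(") d++
              else if (ch == ")" && --d < 0) exit 1 } }
        END { exit (d != 0) }'
}

# Constructed sample values, using the example.com DNs from the thread.
group='cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com'
filter=$(build_filter 'alice@example.com' "$group")

if parens_balanced "$filter"; then
    # The search itself would then be run as in the thread:
    #   ldapsearch -x -b cn=users,cn=accounts,dc=example,dc=com "$filter"
    printf '%s\n' "$filter"
fi
```

The nesting check catches a filter that is missing its closing parentheses, like the first one quoted above; it does not validate the rest of the filter grammar.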