[Freeipa-users] LDAP search for email address of user in a particular group
Dan Scott
2011-11-04 21:12:08 UTC
Hi,

I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
almost done. I just have a few custom LDAP searches to migrate.

With the old system, I was trying to look up users who are in a
particular group by their email address, i.e.

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
-x

In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.

Can someone help me modify the above command so that I can find users,
using their email address, who are also members of a particular group?
Preferably using one command.

Thanks,

Dan Scott
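The filter above substitutes ${email_address} into the search string unescaped, so whatever the shell variable contains becomes part of the filter; a value such as `*)(uid=*` turns the AND into a match on every user in the group. The following is an added example (my code, not Dan's and not FreeIPA's) that builds the same filter with RFC 4515 escaping of the e-mail value and RFC 4514 escaping of the group name, and assembles the ldapsearch command with a GSSAPI bind rather than -x, which is what the later replies in this thread arrive at. The suffix dc=example,dc=com and the group name usergroup are the thread's placeholders; the returned attribute list is my assumption.

```python
"""Build the 'user with this e-mail in this group' filter without LDAP
filter injection.

Added example; not code from the thread or from FreeIPA. It assumes the
DIT layout shown in the thread (cn=users,cn=accounts,<suffix> and
cn=groups,cn=accounts,<suffix>) and treats the e-mail address as
untrusted input. The ldapsearch flags used (-LLL, -Y GSSAPI, -b, -s) are
standard OpenLDAP options.
"""
import subprocess
from typing import List, Sequence

# RFC 4515, section 3: these characters must be hex-escaped inside an
# assertion value; unescaped they change the filter's structure.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 4514, section 2.4: characters that need a backslash inside an RDN value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value (e.g. a group's cn) for use in a DN."""
    out = "".join(
        "\\00" if ch == "\x00" else ("\\" + ch if ch in _DN_SPECIALS else ch)
        for ch in value
    )
    if value[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if value.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def group_dn(group_name: str, suffix: str) -> str:
    """DN of an IPA user group under cn=groups,cn=accounts,<suffix>."""
    return f"cn={escape_dn_value(group_name)},cn=groups,cn=accounts,{suffix}"


def build_filter(email: str, group_name: str, suffix: str) -> str:
    """(&(mail=<email>)(memberOf=<group DN>)) with both values escaped.

    The DN is escaped twice on purpose: once as a DN (RFC 4514) and then
    as a filter assertion value (RFC 4515). A group named 'ops,admins'
    therefore appears as cn=ops\\5c,admins,... inside the filter, and the
    server's distinguishedNameMatch decodes that back to cn=ops\\,admins,...
    """
    return (
        f"(&(mail={escape_filter_value(email)})"
        f"(memberOf={escape_filter_value(group_dn(group_name, suffix))}))"
    )


def ldapsearch_argv(email: str, group_name: str, suffix: str,
                    attrs: Sequence[str] = ("uid", "mail")) -> List[str]:
    """argv for the search, bound with GSSAPI: memberOf is not returned to
    an anonymous (-x) bind, so run kinit with a host or admin principal
    before calling this."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI",
            "-b", f"cn=users,cn=accounts,{suffix}", "-s", "sub",
            build_filter(email, group_name, suffix), *attrs]


def run_search(email: str, group_name: str, suffix: str) -> str:
    """Execute the search on an enrolled client and return the LDIF output."""
    return subprocess.run(ldapsearch_argv(email, group_name, suffix),
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # A hostile "e-mail address": unescaped it would widen the filter to
    # every user in the group; escaped it is a literal nobody's mail matches.
    print(build_filter("*)(uid=*", "usergroup", "dc=example,dc=com"))
    print(" ".join(ldapsearch_argv("dan@example.com", "usergroup",
                                   "dc=example,dc=com")))
```

Only run_search needs a Kerberos ticket and a reachable IPA server; the escaping and argv-building functions run anywhere, so they can be unit-tested against hostile inputs before the script touches the directory.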
Stephen Ingram
2011-11-04 21:38:33 UTC
Post by Dan Scott
ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
-x
In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.
Can someone help me modify the above command so that I can find users,
using their email address, who are also members of a particular group?
Preferably using one command.
Dan-

It looks like you are missing the cn=accounts in your filter:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
-x ...

Steve
Dan Scott
2011-11-04 22:05:33 UTC
Hi,
Post by Stephen Ingram
It looks like you are missing the cn=accounts in your filter:
ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
-x ...
Thanks for spotting that, it was an error from when I was removing my
domain information.

However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.

Thanks,

Dan
Stephen Ingram
2011-11-04 22:10:41 UTC
Post by Dan Scott
Thanks for spotting that, it was an error from when I was removing my
domain information.
However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.
Maybe everything didn't come across correctly in the upgrade. memberOf
attributes *do* exist in v2. I know because I'm using them at this
very moment. Have you searched your tree to see how everything was
converted?
Rob Crittenden
2011-11-04 22:13:45 UTC
Post by Dan Scott
However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.
memberof should exist. memberof should be calculated on the fly from the
member information. I'm not sure why you aren't seeing it.

You can try this, substituting for your domain:

# /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v

This should rebuild the memberof values.

rob
Dan Scott
2011-11-04 22:51:39 UTC
Hi,
Post by Rob Crittenden
memberof should exist. memberof should be calculated on the fly from the
member information. I'm not sure why you aren't seeing it.
# /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
This should rebuild the memberof values.
Thanks for the tip, but it doesn't seem to be working. I run the
command and get a response. It says:

adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf
task, cn=tasks, cn=config"
modify complete

But the memberOf attributes don't appear (on either server - I have 2
servers replicating).

There are a couple of suspicious errors in the dirsrv log file:

[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under ou=SUDOers, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.

The other server contains similar lines and also shows some errors
when I rebooted the first server. But eventually it shows:

Replication bind with GSSAPI auth resumed

So I guess it's all OK?

Thanks,

Dan
Rich Megginson
2011-11-04 23:07:50 UTC
Post by Dan Scott
Thanks for the tip, but it doesn't seem to be working. I run the
command and get a response. It says:
adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf
task, cn=tasks, cn=config"
modify complete
But the memberOf attributes don't appear (on either server - I have 2
servers replicating).
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under ou=SUDOers, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
The other server contains similar lines and also shows some errors
when I rebooted the first server. But eventually it shows:
Replication bind with GSSAPI auth resumed
So I guess it's all OK?
I don't see any problems there.

Do you have objectclass: inetUser in your user entries?
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
Dan Scott
2011-11-04 23:12:48 UTC
Post by Rich Megginson
I don't see any problems there.
Do you have objectclass: inetUser in your user entries?
Yep. That attribute exists for all of the users that I checked.

Dan
Rich Megginson
2011-11-04 23:38:06 UTC
Post by Dan Scott
Post by Rich Megginson
Do you have objectclass: inetUser in your user entries?
Yep. That attribute exists for all of the users that I checked.
Find a user that should exist in a group e.g. uid=dscott,...the rest of
the dn...
do a search for the group that should contain that user e.g.
ldapsearch -x dc=example,dc=com '(member=uid=dscott,...the rest of the
dn...)'

Does it return the group entry?
Dan Scott
2011-11-05 13:00:14 UTC
Post by Rich Megginson
Find a user that should exist in a group e.g. uid=dscott,...the rest of the
dn...
do a search for the group that should contain that user e.g.
ldapsearch -x dc=example,dc=com '(member=uid=dscott,...the rest of the
dn...)'
Does it return the group entry?
Not with the command as you specified.

I need to add a '-b' before the domain. i.e.

ldapsearch -x -b dc=example,dc=com
'(member=uid=djscott,cn=users,cn=accounts,dc=example,dc=com)'

And then it works fine and returns all my groups.

Thanks,

Dan
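The member search that works above can be joined client-side with a search by mail, which gives the same answer as the memberOf filter for any bind that can read the group's member values but not the users' memberOf. The following is an added example, not code from the thread or from FreeIPA: it parses ldapsearch -LLL output (unfolding the wrapped lines ldapsearch emits for long DNs, decoding base64 `::` values) and intersects the group's member DNs with the users whose mail matches. The LDIF it consumes is constructed for the example; the users alice, bob and carol are invented, and the DNs follow the thread's layout.

```python
"""Find users in a group by e-mail using only the group's 'member' values.

Added example, not code from the thread or from FreeIPA. It covers the
situation the thread hit: the bind in use can read the group entry's
member attribute (the anonymous -x search returned it) but not the users'
memberOf. Two searches are run and joined client-side. The LDIF below is
constructed for the example; the DNs follow the thread's layout.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch -LLL output: unfold wrapped lines (a continuation
    line starts with one space), decode base64 values (attr:: value) and
    return one dict per entry, attribute names lower-cased, dn under 'dn'."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    entry: Entry = {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if line == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):        # URL value; ldapsearch never emits one
            raise ValueError(f"unsupported LDIF URL value for {name}")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        entry.setdefault(name.lower(), []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators. Enough for the
    DNs FreeIPA generates itself; not a full RFC 4514 canonicaliser."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def users_in_group_by_mail(group_ldif: str, users_ldif: str, email: str) -> List[str]:
    """uids of users whose mail matches and whose DN is among the group's members."""
    members = {normalize_dn(m)
               for g in parse_ldif(group_ldif) for m in g.get("member", [])}
    wanted = email.lower()               # mail uses caseIgnoreIA5Match
    return [u["uid"][0] for u in parse_ldif(users_ldif)
            if wanted in {m.lower() for m in u.get("mail", [])}
            and normalize_dn(u["dn"][0]) in members]


def search_argv(base: str, scope: str, flt: str, *attrs: str) -> List[str]:
    """argv for either ldapsearch call (anonymous bind, as in the thread)."""
    return ["ldapsearch", "-LLL", "-x", "-b", base, "-s", scope, flt, *attrs]


# Constructed sample output of the two searches, including a member DN that
# ldapsearch wrapped onto a continuation line and a base64-encoded cn.
GROUP_LDIF = "\n".join([
    "dn: cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com",
    "cn: usergroup",
    "member: uid=djscott,cn=users,cn=accounts,dc=example,dc=com",
    "member: uid=alice,cn=users,cn=accounts,dc=example,dc=com",
    "member: uid=carol.longname-with-extra-chars,cn=users,cn=accounts,dc=exa",
    " mple,dc=com",
    "",
])
USERS_LDIF = "\n".join([
    "dn: uid=djscott,cn=users,cn=accounts,dc=example,dc=com",
    "uid: djscott",
    "cn: Dan Scott",
    "mail: dan@example.com",
    "",
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com",
    "uid: alice",
    "cn:: " + base64.b64encode("Alice Müller".encode("utf-8")).decode("ascii"),
    "mail: Alice@example.com",
    "",
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com",
    "uid: bob",
    "cn: Bob Example",
    "mail: bob@example.com",
    "",
])

if __name__ == "__main__":
    print(search_argv("cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com",
                      "base", "(objectClass=*)", "member"))
    print(search_argv("cn=users,cn=accounts,dc=example,dc=com", "sub",
                      "(mail=dan@example.com)", "uid", "mail"))
    print(users_in_group_by_mail(GROUP_LDIF, USERS_LDIF, "dan@example.com"))
```

The two argv lists printed at the end are the real searches to run: a base-scope read of the group entry for its member values, and a subtree search of cn=users for the mail value; feed their stdout to users_in_group_by_mail. The join is case-insensitive on both mail and DN because that is how the server compares them, so a user whose mail is stored with different capitalisation is still found.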
Stephen Gallagher
2011-11-07 13:20:05 UTC
Post by Dan Scott
In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.
memberOf exists, but you have to be connecting to LDAP with an
authenticated user who has privilege to see the memberOf attribute. I
believe (Rob can correct me) this means either an administrator or a
host principal.

So if you try doing (from an enrolled client):

kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"

You should get results.
Dan Scott
2011-11-07 14:53:37 UTC
Post by Stephen Gallagher
memberOf exists, but you have to be connecting to LDAP with an
authenticated user who has privilege to see the memberOf attribute. I
believe (Rob can correct me) this means either an administrator or a
host principal.
kinit -k -t /etc/krb5.keytab host/<fqdn>@IPAREALM
ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
You should get results.
It works! Excellent. Thanks so much.

Dan
