Reputation: 229
I need to check users for membership in a group on FreeIPA. (Currently I'm testing on the command line to get the search right before writing the actual code in Node). Based on searches, I'm using the following query:
ldapsearch -x -b "uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com" '(memberof=cn=testgroup,cn=groups,cn=accounts,dc=smnet,dc=com)'
But the result I get is:
# extended LDIF
#
# LDAPv3
# base <uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com> with scope subtree
# filter: (memberof=cn=testgroup,cn=groups,cn=accounts,dc=smnet,dc=com)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
However, if I leave off the filter:
ldapsearch -x -b "uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com"
I get:
# extended LDIF
#
# LDAPv3
# base <uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# testuser, users, accounts, smnet.com
dn: uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
uidNumber: 253000005
gidNumber: 253000005
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Which is what I'm expecting. Is my query wrong? Or am I misinterpreting the results?
In case it matters, this is with the latest Fedora server, with FreeIPA included in the install process, running in a VirtualBox VM.
Upvotes: 2
Views: 14950
Reputation: 882
Both your queries are done with an anonymous bind to LDAP (the -x switch to ldapsearch). FreeIPA does not allow you to see membership information unless you are authenticated. Create a user and use its credentials to authenticate in your searches; then you'll get both the member and memberof attributes visible.
Upvotes: 9