Thanks, Rob.
I will give it a try.
I made a posix group to use for application access - call it "nnmi_access"
I can ldapsearch using
(&(objectclass=groupofnames)(cn=nnmi_access)) member
and get back the members of the group like this:
member: uid=foobar,cn=users,cn=accounts,dc=…
So then the roleBase is "member", but what should the roleContextDN be?
Maybe cn=nnmi_access,cn=groups,…,dc=… ?
______________________________________________________________________________________________
Daniel E. White
daniel.e.white@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
From:
Rob Crittenden <rcritten@redhat.com>
Date: Thursday, December 5, 2019 at 13:33
To: Daniel White <daniel.e.white@nasa.gov>, FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Subject: Re: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
White, Daniel E. (GSFC-770.0)[NICS] wrote:
Finally found a reference:
<roleSearch>
Placeholder element to include the user role information.
<roleBase>member={1}</roleBase>
Replace member with the name of the group attribute that stores the
directory service user ID in the directory service domain.
<roleContextDN>
</roleContextDN>
Specify the portion of the directory service domain that stores group
records.
The format is a comma-separated list of directory service attribute
names and values. For example:
For Microsoft Active Directory:
CN=Users,DC=ldapserver,DC=mycompany,DC=com
For other LDAP technologies:
ou=Groups,o=example.com
</roleSearch>
My gosh, their documentation is... interesting.
For the domain example.test you'd use the following configuration:
Users are stored in cn=users,cn=accounts,dc=example,dc=test
Groups are stored in cn=groups,cn=accounts,dc=example,dc=test
Groups use the member attribute.
Users use memberof.
Note too that I saw in their documentation that the administrator user
account must be unique. IPA uses the account 'admin' just like MNA, so
be aware that one side will need to be changed.
FreeIPA/IdM does not support OU's
FWIW, Rob, you closed that RFE
IPA uses a flat tree. Lots of LDAP admins over the years have tried to
reflect a company's organization using OU's with "interesting" results,
particularly as teams are re-organized, acquisitions, etc. You end up
moving entries around for artificial reasons (Tech Support is now called
Global User Support, rename the OU tomorrow).
rob
Any suggestions other than to gripe to the other vendor?
From: Rob Crittenden <rcritten@redhat.com>
Date: Wednesday, December 4, 2019 at 17:55
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Daniel White <daniel.e.white@nasa.gov>
Subject: [EXTERNAL] Re: [Freeipa-users] Anyone using FreeIPA/IdM and MicroFocus Network Automation ?
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
Despite the fact that we selected "Generic LDAP" rather than "Active
Directory", it is still looking for Security Groups and Organization
Units.
I've never used it and couldn't find much in their docs. Do you have
more information on what the configuration screen looks like and what
the 389-ds access log is showing?
rob
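To make the roleBase/roleContextDN values Rob gave concrete, here is an added example (my own code, not from the thread, from MicroFocus or from FreeIPA) that fills the user DN into the member={1} template, escapes it for use in an LDAP filter, and evaluates the resulting filter against constructed group entries under cn=groups,cn=accounts,dc=example,dc=test. The group entries, the helper names and the escaping routine are assumptions for the demonstration; the domain example.test and the nnmi_access group come from the thread.

```python
import re
from typing import Dict, List

ROLE_CONTEXT_DN = "cn=groups,cn=accounts,dc=example,dc=test"
ROLE_BASE = "member={1}"  # {1} is replaced with the authenticated user's DN

# Constructed stand-in for the entries FreeIPA keeps under the groups container
# (hypothetical data for this demo, not a real directory dump).
GROUPS_DIT: Dict[str, Dict[str, List[str]]] = {
    "cn=nnmi_access,cn=groups,cn=accounts,dc=example,dc=test": {
        "objectClass": ["groupofnames", "posixgroup"],
        "cn": ["nnmi_access"],
        "member": ["uid=foobar,cn=users,cn=accounts,dc=example,dc=test"],
    },
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=test": {
        "objectClass": ["groupofnames", "posixgroup"],
        "cn": ["admins"],
        "member": ["uid=admin,cn=users,cn=accounts,dc=example,dc=test",
                   "uid=foobar,cn=users,cn=accounts,dc=example,dc=test"],
    },
}

def escape_filter_value(value: str) -> str:
    # RFC 4515 escaping: the substituted DN must not be able to alter the filter structure.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    # Reverse of escape_filter_value, used when evaluating the filter locally.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def role_filter(user_dn: str) -> str:
    """Build the search filter the application would send: roleBase with {1} filled in."""
    return "(" + ROLE_BASE.replace("{1}", escape_filter_value(user_dn)) + ")"

def resolve_roles(user_dn: str, context_dn: str = ROLE_CONTEXT_DN) -> List[str]:
    """Evaluate the role filter against every entry directly under context_dn
    and return the cn of each group that lists the user DN in its member attribute."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", role_filter(user_dn))
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    roles: List[str] = []
    for dn, entry in GROUPS_DIT.items():
        parent = dn.split(",", 1)[1]  # constructed DNs contain no escaped commas
        if parent.lower() == context_dn.lower() and wanted in entry.get(attr, []):
            roles.extend(entry["cn"])
    return sorted(roles)

if __name__ == "__main__":
    user = "uid=foobar,cn=users,cn=accounts,dc=example,dc=test"
    print(role_filter(user))
    print(resolve_roles(user))
```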