Hi. I'm trying to enable LDAP auth for our server IPMI interface. I would like to allow access to members of the ipmi_admin group only.
I constructed the following query and it works OK: ldapsearch -W -b "cn=users,cn=accounts,dc=deleted,dc=loc" "(memberOf=cn=ipmi_admins,cn=groups,cn=accounts,dc=deleted,dc=loc)"
However, due to IPMI limitations, there is no way to specify a search query; I can only customize the searchbase.
Is there any way to create a DIT subtree that will only contain users of the ipmi_admin group? I'm thinking maybe there is an analog of SQL views where you can create a `view` that searches some other subtree with a predefined search query?
Thanks.
On Tue, 11 Sep 2018, Andrew Gurinovich via FreeIPA-users wrote:
> Hi. I'm trying to enable LDAP auth for our server IPMI interface. I would like to allow access to members of the ipmi_admin group only.
> I constructed the following query and it works OK: ldapsearch -W -b "cn=users,cn=accounts,dc=deleted,dc=loc" "(memberOf=cn=ipmi_admins,cn=groups,cn=accounts,dc=deleted,dc=loc)"
> However, due to IPMI limitations, there is no way to specify a search query; I can only customize the searchbase.
What query does the IPMI interface use? You can discover that from the access log of the directory server. What attributes does it expect to retrieve?
> Is there any way to create a DIT subtree that will only contain users of the ipmi_admin group? I'm thinking maybe there is an analog of SQL views where you can create a `view` that searches some other subtree with a predefined search query?
There is no such thing. However, you can use the slapi-nis plugin ("compat tree") to generate this kind of view in cn=compat,dc=deleted,dc=loc.
We already have some examples (and a default configuration for the RFC2307 schema); you can get more details at https://pagure.io/slapi-nis/blob/master/f/doc
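An added example, not part of the thread or of FreeIPA: following the suggestion to read the directory server access log, this sketch extracts the base, scope, filter and requested attributes of every search, grouped by client address, so the IPMI controller's query can be read off directly. The log lines are constructed in the 389 Directory Server access-log layout; the addresses, the bind account and the function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread); 192.0.2.50 stands in for the BMC.
SAMPLE_LOG = """\
[11/Sep/2018:10:15:32.104382910 +0300] conn=41 fd=88 slot=88 connection from 192.0.2.50 to 192.0.2.10
[11/Sep/2018:10:15:32.110112034 +0300] conn=41 op=0 BIND dn="uid=ipmi-bind,cn=sysaccounts,cn=etc,dc=deleted,dc=loc" method=128 version=3
[11/Sep/2018:10:15:32.112540871 +0300] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002
[11/Sep/2018:10:15:32.120004411 +0300] conn=41 op=1 SRCH base="cn=users,cn=accounts,dc=deleted,dc=loc" scope=2 filter="(uid=jdoe)" attrs="uid memberOf"
[11/Sep/2018:10:15:32.121873200 +0300] conn=41 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001
[11/Sep/2018:10:15:40.500000123 +0300] conn=42 fd=90 slot=90 connection from 192.0.2.77 to 192.0.2.10
[11/Sep/2018:10:15:40.510000456 +0300] conn=42 op=1 SRCH base="dc=deleted,dc=loc" scope=0 filter="(objectClass=*)" attrs=ALL
"""

CONN_RE = re.compile(r'conn=(\d+) .*connection from (\S+) to ')
SRCH_RE = re.compile(
    r'conn=(\d+) op=\d+ SRCH base="([^"]*)" scope=(\d) '
    r'filter="([^"]*)" attrs=(?:"([^"]*)"|(\S+))'
)
SCOPES = {"0": "base", "1": "one", "2": "sub"}

def searches_by_client(log_text):
    """Return {client_ip: [search, ...]} for every SRCH line in the log."""
    client_of = {}                 # connection number -> client address
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, base, scope, flt, quoted, bare = m.groups()
            attrs = (quoted if quoted is not None else bare).split()
            found[client_of.get(conn, "unknown")].append(
                {"base": base, "scope": SCOPES[scope], "filter": flt, "attrs": attrs}
            )
    return dict(found)

if __name__ == "__main__":
    for client, searches in searches_by_client(SAMPLE_LOG).items():
        for s in searches:
            print(client, s["base"], s["scope"], s["filter"], s["attrs"])
```

If the filter the controller sends only matches on the login name, as in the constructed sample, group membership has to be enforced by what the searchbase contains.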