
I need to check users for membership in a group on FreeIPA. (Currently I'm testing on the command line to get the search right before writing the actual code in Node). Based on searches, I'm using the following query:

ldapsearch -x -b "uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com" '(memberof=cn=testgroup,cn=groups,cn=accounts,dc=smnet,dc=com)'

But the result I get is:

# extended LDIF
#
# LDAPv3
# base <uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com> with scope subtree
# filter: (memberof=cn=testgroup,cn=groups,cn=accounts,dc=smnet,dc=com)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

However, if I leave off the filter:

 ldapsearch -x -b "uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com"

I get:

# extended LDIF
#
# LDAPv3
# base <uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, users, accounts, smnet.com
dn: uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
uidNumber: 253000005
gidNumber: 253000005

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Which is what I'm expecting. Is my query wrong? Or am I misinterpreting the results?

In case it matters, this is with the latest Fedora server, with FreeIPA included in the install process, running in a VirtualBox VM.

David Emami
    You might want to run the second query again, querying for the memberof attribute to see which groups the user is in (memberof is an operational attribute only returned if specifically requested). `ldapsearch -x -b "uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com" memberof` – Ludovic Poitou Mar 14 '19 at 08:07

1 Answer

Both your queries are done with an anonymous bind to LDAP (the -x switch to ldapsearch without -D). FreeIPA does not allow seeing membership information unless you are authenticated. Create a user and use its credentials to authenticate in your searches; then you'll get both the member and memberof attributes visible.

abbra
    This worked for me. `ldapsearch -W -D uid=admin,cn=users,cn=accounts,dc=example,dc=com -b "uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com" '(memberof=cn=testgroup,cn=groups,cn=accounts,dc=smnet,dc=com)'` – Revoman Apr 18 '20 at 07:59
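The authenticated search the answer calls for, plus a check on the LDIF it returns that tells "not a member" apart from "membership withheld", as an added Python example (not code from the question, the answer, or FreeIPA itself). The sample LDIF is constructed to match the output format shown above; `ldapsearch_args` only builds the command line and does not contact a server.

```python
def ldapsearch_args(bind_dn, user_dn):
    # Authenticated simple bind (-D/-W) instead of the question's anonymous
    # bind, with memberof requested by name because it is operational.
    return ["ldapsearch", "-x", "-D", bind_dn, "-W", "-b", user_dn, "-s", "base",
            "(objectclass=*)", "memberof"]

def parse_ldif(text):
    """Parse ldapsearch LDIF into [{attr: [values]}]; joins folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:
        if not line.strip():              # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            current = current if current is not None else {}
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return [e for e in entries if "dn" in e]  # drops the search:/result: block

def _norm_dn(dn):
    # Simplified: DNs are case-insensitive, spaces around RDN separators ignored.
    return ",".join(p.strip().lower() for p in dn.split(","))

def membership(entries, group_dn):
    """'member', 'not-member', 'no-entry', or 'no-membership-data' (entry found
    but memberof withheld or not requested; not the same as 'not a member')."""
    if not entries:
        return "no-entry"
    groups = entries[0].get("memberof")
    if groups is None:
        return "no-membership-data"
    wanted = _norm_dn(group_dn)
    return "member" if any(_norm_dn(g) == wanted for g in groups) else "not-member"

# Constructed sample of an authenticated search (one value folded as ldapsearch wraps).
AUTH_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=smnet,dc=com
memberOf: cn=testgroup,cn=groups,cn=accounts,
 dc=smnet,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=smnet,dc=com

result: 0 Success
"""
```

An entry with no memberof at all (the anonymous-bind case from the question) is reported as `no-membership-data`, so the calling code fails closed instead of silently treating the user as a non-member.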