25.2. Defining Automembership Rules (Basic Procedure)


25.2.1. From the Web UI

  1. Open the Policy tab, and select the Automembers subtab.
  2. At the top of the Automembers area, select the type of autogroup to create, either USER GROUP RULES or HOST GROUP RULES.
  3. In the drop-down menu, select the group for which to create the automember rule.
  4. Click the Add and Edit button.
  5. In the edit page for the rule, click + Add next to the type of condition you want to create to identify entries.
  6. Select the attribute to use as the basis for the search and then set the regular expression to use to match the attribute value.
    Conditions can look for entries either to include in the group or to explicitly exclude from the group. The format of a condition is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.

    Note

    Exclude conditions are evaluated first and take precedence over include conditions.
  7. Click Add and Add Another to add another condition. A single rule can have multiple include and exclude conditions. When all conditions have been configured, click the Add button to save the last condition and close the dialog window.

25.2.2. From the CLI

There are two commands used to define an automember rule:
  • A command to target the group as an automember group, automember-add
  • A command to add regular expression conditions to identify group members, automember-add-condition
To define a rule:
  1. Create the automember rule entry for the group. Use the --type option to identify whether the target group is a user group (group) or a host group (hostgroup). This command has the format:
    ipa automember-add --type=group|hostgroup groupName
    For example:
    [jsmith@server ~]$ ipa automember-add --type=group exampleGroup
  2. Create the conditions for the rule. To set multiple patterns, either give a comma-separated list of patterns in the --inclusive-regex|--exclusive-regex options or run the command multiple times.
    This command has the format:
    ipa automember-add-condition --type=group|hostgroup --key=attribute --inclusive-regex=regex | --exclusive-regex=regex groupName
    As with the automember rule, the condition must specify the type of group (--type) and the name of the target group (groupName).
    The condition must also specify the attribute (the key) and any patterns for the attribute value. The --key is the attribute name that is the focus of the condition. Then, there is a regular expression pattern to identify matching values; matching entries can either be included (--inclusive-regex) or excluded (--exclusive-regex) from the group. Exclusion rules take precedence.
    For example, to include all employees with Barbara Jensen as a manager, but exclude the temporary employees (the patterns are quoted so that the shell passes them to ipa unchanged):
    [jsmith@server ~]$ ipa automember-add-condition --type=group --key=manager --inclusive-regex='^uid=bjensen$' exampleGroup
    [jsmith@server ~]$ ipa automember-add-condition --type=group --key=employeetype --exclusive-regex='^temp' exampleGroup

    Note

    The regular expression can match any part of the string. Using a caret (^) means that it must match at the beginning, and using a dollar sign ($) means that it must match at the end. Wrapping the pattern in ^ and $ means that the string as a whole must match.
    For more information on Perl-compatible regular expression (PCRE) patterns, see the pcresyntax(3) man page.
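To remove a condition for a rule, pass the full condition information, both the key and the regular expression. Quote the pattern; otherwise the shell removes the backslashes and may expand [1-9] as a file name pattern before ipa receives it:
[jsmith@server ~]$ ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex='^web[1-9]+\.example\.com' webservers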
To remove the entire rule, simply run the automember-del command.
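The evaluation order and anchoring behaviour described above can be checked against sample entries before a rule is created. The following is an added example, not Red Hat's code: the function names, the host names and the \.lab\.test$ exclude pattern are constructed, and Python's re module stands in for PCRE (the two agree for these patterns; case-sensitive matching is an assumption).

```python
import re

def is_automember(attrs, inclusive, exclusive=()):
    """Return True if an entry would be placed in the target group.

    attrs: dict of attribute name -> list of values.
    inclusive / exclusive: lists of (key, regex) conditions.
    """
    def any_match(conditions):
        # re.search matches anywhere in the value unless the pattern is anchored.
        return any(re.search(regex, value)
                   for key, regex in conditions
                   for value in attrs.get(key.lower(), []))

    # Exclude conditions are evaluated first and take precedence.
    if any_match(exclusive):
        return False
    return any_match(inclusive)

def dry_run(entries, inclusive, exclusive=()):
    """Names of the entries (in input order) that the rule would add."""
    return [name for name, attrs in entries.items()
            if is_automember(attrs, inclusive, exclusive)]

# Constructed sample hosts; each entry carries only an fqdn attribute.
HOSTS = {fqdn: {"fqdn": [fqdn]} for fqdn in (
    "web1.example.com",
    "web12.example.com",
    "web10.example.com",          # 0 is outside [1-9], so no match
    "db1.example.com",
    "web1.example.com.lab.test",  # longer name that starts like a web server
)}

# Pattern from the remove-condition command above: anchored at the start only.
PAGE_PATTERN = [("fqdn", r"^web[1-9]+\.example\.com")]
# Same pattern wrapped in ^ and $ so the whole value must match.
ANCHORED = [("fqdn", r"^web[1-9]+\.example\.com$")]
# Constructed exclude condition, used to show that exclusion wins.
LAB_EXCLUDE = [("fqdn", r"\.lab\.test$")]

if __name__ == "__main__":
    print("start-anchored:", dry_run(HOSTS, PAGE_PATTERN))
    print("fully anchored:", dry_run(HOSTS, ANCHORED))
    print("with exclusion:", dry_run(HOSTS, PAGE_PATTERN, LAB_EXCLUDE))
```

With the start-anchored pattern the host web1.example.com.lab.test is also selected; adding $ or an exclude condition keeps it out of the group.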
© 2024 Red Hat, Inc.