此内容没有您所选择的语言版本。
25.2. Defining Automembership Rules (Basic Procedure)
25.2.1. From the Web UI
- Create the user group (Section 9.11.2.1, “Creating User Groups”) or host group (Section 10.7.1.1, “Creating Host Groups from the Web UI”).
- Open the Policy tab, and select the Automembers subtab.
- In the top of the Automembers area, select the type of autogroup to create, either USER GROUP RULES or HOST GROUP RULES.
- In the drop-down menu, select the group for which to create the automember rule.
- Click thebutton.
- In the edit page for the rule, click the + Add by the type of condition to create to identify entries.
- Select the attribute to use as the basis for the search and then set the regular expression to use to match the attribute value.Conditions can look for entries either to include in the group or to explicitly exclude from the group. The format of a condition is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.
Note
Exclude conditions are evaluated first and take precedence over include conditions. - Click Add button to save the last condition and close the dialog window.to add another condition. A single rule can have multiple include and exclude conditions. When all conditions have been configured, click the
25.2.2. From the CLI
There are two commands used to define an automember rule:
- A command to target the group as an automember group,
automember-add
- A command to add regular expression conditions to identify group members,
automember-add-condition
For example:
- Create the user group (Section 9.11.2.1.2, “With the Command Line”) or host group (Section 10.7.1.2, “Creating Host Groups from the Command Line”).
- Create the automember rule entry for the group. Use the
--type
to identify whether the target group is a user group (group
) or a host group (hostgroup
). This command has the format:ipa automember-add --type=group|hostgroup groupName
For example:[jsmith@server ~]$ ipa automember-add --type=group exampleGroup
- Create the conditions for the rule. To set multiple patterns, either give a comma-separated list of patterns in the
--inclusive-regex|--exclusive-regex
options or run the command multiple times.This command has the format:ipa automember-add-condition --type=group|hostgroup --key=attribute --inclusive-regex=regex | --exclusive-regex=regex groupName
As with the automember rule, the condition must specify the type of group (--type
) and the name of the target group (groupName).The condition must also specify the attribute (the key) and any patterns for the attribute value. The--key
is the attribute name that is the focus of the condition. Then, there is a regular expression pattern to identify matching values; matching entries can either be included (--inclusive-regex
) or excluded (--exclusive-regex
) from the group. Exclusion rules take precedence.For example, to include all employees with Barbara Jensen as a manager, but excluding the temporary employees:[jsmith@server ~]$ ipa automember-add-condition --type=group --key=manager --inclusive-regex=^uid=bjensen$ exampleGroup [jsmith@server ~]$ ipa automember-add-condition --type=group --key=employeetype --exclusive-regex=^temp exampleGroup
Note
The regular expression can match any part of the string. Using a caret (^) means that it must match at the beginning, and using a dollar sign ($) means that it must match at the end. Wrapping the pattern in ^ and $ means that the string as a whole must match.For more information on Perl-compatible regular expression (PCRE) patterns, see the pcresyntax(3) man page.
To remove a condition for a rule, pass the full condition information, both the key and the regular expression:
[jsmith@server ~]$ ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
To remove the entire rule, simply run the
automember-del
command.