25.3. Examples of Using Automember Groups

Note

These examples are shown using the CLI; the same configuration can be performed in the web UI.

A Note on Creating Default Groups

One common environment requirement is to have some sort of default group that users or hosts are added to. There are a couple of different ways to approach that.

  • All entries can be added to a single, global group regardless of what other groups they are also added to.
  • Entries can be added to specific automember groups. If the new entry does not match any autogroup, then it is added to a default or fallback group.

These strategies are mutually exclusive. If an entry matches the rule for a global group, then it has matched an automember group and is, therefore, not added to the fallback group.

25.3.1. Setting an All Users/Hosts Rule

To add all users or all hosts to a single group, use an inclusive regular expression for some attribute (such as cn or fqdn) which all entries will contain.
A regular expression to match all entries is simply .*. For example, to add all hosts to the same host group:
[jsmith@server ~]$ ipa automember-add-condition --type=hostgroup allhosts --inclusive-regex='.*' --key=fqdn
--------------------------------
Added condition(s) to "allhosts"
--------------------------------
  Automember Rule: allhosts
  Inclusive Regex: fqdn=.*
----------------------------
Number of conditions added 1
----------------------------
Every host added after that is automatically added to the allhosts group:
[jsmith@server ~]$ ipa host-add test.example.com
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: test.example.com

[jsmith@server ~]$ ipa hostgroup-show allhosts
  Host-group: allhosts
  Description: Default hostgroup
  Member hosts: test.example.com
For more information on PCRE patterns, see the pcresyntax(3) man page.

25.3.2. Defining Default Automembership Groups

There is a special command to set a default group, automember-default-group-set. This sets the group name (--default-group) and group type (--type), similar to an automember rule, but there is no condition to match. By definition, default group members are unmatched entries.
For example:
[jsmith@server ~]$ ipa automember-default-group-set --default-group=ipaclients --type=hostgroup
[jsmith@server ~]$ ipa automember-default-group-set --default-group=ipausers --type=group
A default group rule can be removed using the automember-default-group-remove command. Since there is only one default group for a group type, it is only necessary to give the group type, not the group name:
[jsmith@server ~]$ ipa automember-default-group-remove --type=hostgroup

25.3.3. Using Automembership Groups with Windows Users

When a user is created in IdM, that user is automatically added as a member to the ipausers group (which is the default group for all new users, apart from any automember group). However, when a Windows user is synced over from Active Directory, that user is not automatically added to the ipausers group.
New Windows users can be added to the ipausers group, as with users created in Identity Management, by using an automember group. Every Windows user is added with the ntUser object class; that object class can be used as an inclusive filter to identify new Windows users to add to the automember group.
First, define the ipausers group as an automember group:
[jsmith@server ~]$ ipa automember-add --type=group ipausers
Then, use the ntUser object class as a condition to add users:
[jsmith@server ~]$ ipa automember-add-condition ipausers --key=objectclass --type=group --inclusive-regex=ntUser
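
The following dry-run model is an added example, not code from IdM or from this guide. It predicts group placement for the rules shown above, so the mutual exclusivity described in the note on default groups and the scope of the ntUser condition can be checked before rules are deployed. It assumes that a condition matches when its regex is found anywhere in an attribute value (Python's re module stands in for the server's regex engine) and that the default group is used only when no rule matches; the webservers rule, the sample entries and the customntUserAudit class are constructed for illustration.

```python
import re

# Simplified model of automember evaluation, not IdM's implementation.
# Assumptions: a condition matches when its regex is found anywhere in any
# value of the named attribute (unanchored search, Python `re` standing in
# for the server's regex engine); the default group is used only when no
# rule matches.

def attr_values(entry, key):
    """Values of an attribute, with the attribute name compared case-insensitively."""
    return [v for name, vals in entry.items() if name.lower() == key.lower() for v in vals]

def target_groups(entry, rules, default_group=None):
    """Return the groups the model predicts for a newly added entry.

    rules maps group name -> list of (attribute, inclusive_regex) conditions.
    """
    matched = [
        group for group, conditions in rules.items()
        if any(re.search(rx, v) for key, rx in conditions for v in attr_values(entry, key))
    ]
    return matched or ([default_group] if default_group else [])

# Constructed sample entries (not taken from a real directory).
WEB = {"fqdn": ["web1.example.com"]}
DB = {"fqdn": ["db1.example.com"]}
WIN_USER = {"uid": ["wuser"], "objectClass": ["top", "person", "ntUser"]}
ODD_USER = {"uid": ["svc"], "objectClass": ["top", "customntUserAudit"]}  # hypothetical class

# Specific rule plus a fallback group (hypothetical webservers rule).
SPECIFIC = {"webservers": [("fqdn", r"^web\d+\.example\.com$")]}
# The catch-all rule from section 25.3.1 added on top.
WITH_GLOBAL = {**SPECIFIC, "allhosts": [("fqdn", r".*")]}

# Section 25.3.3 condition as written, and an anchored variant.
NTUSER = {"ipausers": [("objectclass", r"ntUser")]}
NTUSER_ANCHORED = {"ipausers": [("objectclass", r"^ntUser$")]}

if __name__ == "__main__":
    for label, rules in (("specific+default", SPECIFIC), ("with allhosts", WITH_GLOBAL)):
        for host in (WEB, DB):
            print(label, host["fqdn"][0], target_groups(host, rules, "ipaclients"))
    for label, rules in (("ntUser", NTUSER), ("^ntUser$", NTUSER_ANCHORED)):
        for user in (WIN_USER, ODD_USER):
            print(label, user["uid"][0], target_groups(user, rules))
```

Under these assumptions, once the allhosts rule exists no host reaches the ipaclients default group, and an unanchored ntUser condition also matches any object class name that merely contains that string.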

© 2024 Red Hat, Inc.