On Thu, 07 May 2020, Mary Georgiou via FreeIPA-users wrote:
Hi Mark,
Thank you very much for your quick and detailed answer.
I'm a bit confused with some details I do not understand. I ran this
query and I got back only the user entries. Aren't the groups also
part of this (since they can be members of other groups etc)? In case
this is supposed to be the expected behavior, after checking the
attribute 'nsslapd-idlistscanlimit' I saw that it is already set to
100.000 (and the entries that we got back from the query were 63000).
I noticed that none of the entries had the 'nsmemberof' object class
explicitly. How is this class used by default in freeIPA concerning
users and groups? Again I'm super curious about the groups that do have
the memberOf attribute but were not returned in the aforementioned
query.
You would be interested in memberOf attribute, not the object class.
IPA has a number of object classes that allow memberOf attribute:
(2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf $ userClass $ ipaAssignedIDView ) X-ORIGIN 'IPA v2' )
(2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy $ ipaKrbAuthzData) X-ORIGIN 'IPA v2' )
(2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
(2.16.840.1.113730.3.8.4.8 NAME 'ipaNISNetgroup' DESC 'IPA version of NIS netgroup' SUP ipaAssociation STRUCTURAL MAY ( externalHost $ nisDomainName $ member $ memberOf ) X-ORIGIN 'IPA v2' )
(2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' STRUCTURAL MUST ( cn ) MAY ( description $ memberOf ) X-ORIGIN 'IPA v2' )
(2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
(2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ sudoCmd ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' )
They all can be used for group membership. nestedGroup is the one you
are interested in -- any nestedGroup object can be a member of any other
group.
For example, on my test deployment I have a regular group 'idmgroup', it
has the following structure:
# ipa group-show idmgroup --raw --all
dn: cn=idmgroup,cn=groups,cn=accounts,dc=ipa,dc=test
cn: idmgroup
gidnumber: 1908200005
member: uid=idmuser,cn=users,cn=accounts,dc=ipa,dc=test
ipaNTSecurityIdentifier: S-1-5-21-3787809381-104084847-3373960542-1005
ipaUniqueID: 141f0f32-8ea7-11ea-8724-fa163efaafc4
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
as you can see, it is nestedGroup, as any IPA group that contains users.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
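The point made in the reply above, that memberOf is permitted by the object classes an entry carries (and, for nestedGroup, inherited alongside member from groupOfNames), can be checked mechanically. This is an added example, not code from the thread or from the FreeIPA project: it parses objectClass definitions in the RFC 4512 form quoted above, resolves the SUP chain, and reports which classes permit a given attribute and whether an entry's objectClass list (taken from the group-show output above) permits it. The schema text is a constructed subset of the quoted definitions plus groupOfNames from RFC 4519; unknown superiors are skipped rather than guessed.

```python
import re

# Constructed sample: three definitions quoted in the reply plus groupOfNames (RFC 4519)
# so that nestedGroup's SUP chain resolves.
SCHEMA = """
( 2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
( 2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' STRUCTURAL MUST ( cn ) MAY ( description $ memberOf ) X-ORIGIN 'IPA v2' )
( 2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf $ userClass $ ipaAssignedIDView ) X-ORIGIN 'IPA v2' )
( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) X-ORIGIN 'RFC 4519' )
"""
# objectClass values of 'idmgroup' as printed by `ipa group-show idmgroup --raw --all` above
GROUP_OBJECT_CLASSES = ["top", "groupofnames", "nestedgroup", "ipausergroup", "ipaobject", "posixgroup", "ipantgroupattrs"]

def _attr_list(text):
    """Turn 'memberOf' or '( a $ b )' into a list of attribute names."""
    text = text.strip()
    if text.startswith("("):
        text = text[1:-1]
    return [a.strip() for a in text.split("$") if a.strip()]

def parse_object_classes(schema_text):
    """Parse RFC 4512 objectClass definitions into {name: {'sup': [..], 'must': [..], 'may': [..]}}."""
    classes = {}
    for line in schema_text.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue
        name = re.search(r"\bNAME\s+'([^']+)'", line).group(1)
        fields = {}
        for kw in ("SUP", "MUST", "MAY"):
            m = re.search(r"\b%s\s+(\([^)]*\)|\S+)" % kw, line)
            fields[kw.lower()] = _attr_list(m.group(1)) if m else []
        classes[name.lower()] = fields  # LDAP names are case-insensitive
    return classes

def allowed_attributes(classes, name):
    """Every attribute (MUST or MAY) a class permits, including those inherited via SUP."""
    attrs, seen, stack = set(), set(), [name.lower()]
    while stack:
        cls = stack.pop()
        if cls in seen or cls not in classes:  # unknown superior: stop rather than guess
            continue
        seen.add(cls)
        attrs.update(a.lower() for a in classes[cls]["must"] + classes[cls]["may"])
        stack.extend(s.lower() for s in classes[cls]["sup"])
    return attrs

def classes_allowing(classes, attr):
    """Lowercased names of the object classes that permit the given attribute."""
    return sorted(n for n in classes if attr.lower() in allowed_attributes(classes, n))

def entry_may_carry(classes, object_classes, attr):
    """True if at least one objectClass value of an entry permits attr."""
    return any(attr.lower() in allowed_attributes(classes, oc) for oc in object_classes)

CLASSES = parse_object_classes(SCHEMA)
```

Against a live server the same check applies to the definitions under cn=schema, which is what the query in the reply relies on.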