Product SiteDocumentation Site

16.3. Examples of Using Automember Groups

NOTE

These examples are shown using the CLI; the same configuration can be performed in the web UI.
A Note on Creating Default Groups
One common environment requirement is to have some sort of default group that users or hosts are added to. There are a couple of different ways to approach that.
These strategies are mutually exclusive. If an entry matches a global group, then it does match an automember group and would, therefore, not be added to the fallback group.

16.3.1. Setting an All Users/Hosts Rule

To add all users or all hosts to a single group, use an inclusive regular expression for some attribute (such as cn or fqdn) which all entries will contain.
A regular expression to match all entries is simply .*. For example, to add all hosts to the same host group:
[jsmith@server ~]$ ipa automember-add-condition --type=hostgroup allhosts --inclusive-regex=.* --key=fqdn
--------------------------------
Added condition(s) to "allhosts"
--------------------------------
  Automember Rule: allhosts
  Inclusive Regex: fqdn=.*
----------------------------
Number of conditions added 1
----------------------------
Every host added after that is automatically added to the allhosts group:
[jsmith@server ~]$ ipa host-add test.example.com
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: test.example.com

[jsmith@server ~]$ ipa hostgroup-show allhosts
  Host-group: allhosts
  Description: Default hostgroup
  Member hosts: test.example.com
For more information on PCRE patterns, see the pcresyntax(3) man page.

16.3.2. Defining Default Automembership Groups

There is a special command to set a default group, automember-default-group-set. This sets the group name (--default-group) and group type(--type), similar to an automember rule, but there is no condition to match. By definition, default group members are unmatched entries.
For example:
[jsmith@server ~]$ ipa automember-default-group-set --default-group=ipaclients --type=hostgroup
[jsmith@server ~]$ ipa automember-default-group-set --default-group=ipausers --type=group
A default group rule can be removed using the automember-default-group-remove command. Since there is only one default group for a group type, it is only necessary to give the group type, not the group name:
[jsmith@server ~]$ ipa automember-default-group-remove --type=hostgroup

16.3.3. Using Automembership Groups with Windows Users

When a user is created in FreeIPA, that user is automatically added as a member to the ipausers group (which is the default group for all new users, apart from any automember group). However, when a Windows user is synced over from Active Directory, that user is not automatically added to the ipausers group.
New Windows users can be added to the ipausers group, as with users created in FreeIPA, by using an automember group. Every Windows user is added with the ntUser object class; that object class can be used as an inclusive filter to identify new Windows users to add to the automember group.
First, define the ipausers group as an automember group:
[jsmith@server ~]$ ipa automember-add --type=group ipausers
Then, use the ntUser object class as a condition to add users:
[jsmith@server ~]$ ipa automember-add-condition ipausers --key=objectclass --type=group --inclusive-regex=ntUser