25.2. Defining Automembership Rules (Basic Procedure)

25.2.1. From the Web UI

  1. Open the Policy tab, and select the Automembers subtab.
  2. In the top of the Automembers area, select the type of autogroup to create, either USER GROUP RULES or HOST GROUP RULES.
  3. In the drop-down menu, select the group for which to create the automember rule.
  4. Click the Add and Edit button.
  5. In the edit page for the rule, click the + Add by the type of condition to create to identify entries.
  6. Select the attribute to use as the basis for the search and then set the regular expression to use to match the attribute value.
    Conditions can look for entries either to include in the group or to explicitly exclude from the group. The format of a condition is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.

    Note

    Exclude conditions are evaluated first and take precedence over include conditions.
  7. Click Add and Add Another to add another condition. A single rule can have multiple include and exclude conditions. When all conditions have been configured, click the Add button to save the last condition and close the dialog window.

25.2.2. From the CLI

There are two commands used to define an automember rule:
  • A command to target the group as an automember group, automember-add
  • A command to add regular expression conditions to identify group members, automember-add-condition
For example:
  1. Create the automember rule entry for the group. Use the --type to identify whether the target group is a user group (group) or a host group (hostgroup). This command has the format:
    ipa automember-add --type=group|hostgroup groupName
    For example:
    [jsmith@server ~]$ ipa automember-add --type=group exampleGroup
  2. Create the conditions for the rule. To set multiple patterns, either give a comma-separated list of patterns in the --inclusive-regex|--exclusive-regex options or run the command multiple times.
    This command has the format:
    ipa automember-add-condition --type=group|hostgroup --key=attribute --inclusive-regex=regex | --exclusive-regex=regex groupName
    As with the automember rule, the condition must specify the type of group (--type) and the name of the target group (groupName).
    The condition must also specify the attribute (the key) and any patterns for the attribute value. The --key is the attribute name that is the focus of the condition. Then, there is a regular expression pattern to identify matching values; matching entries can either be included (--inclusive-regex) or excluded (--exclusive-regex) from the group. Exclusion rules take precedence.
    For example, to include all employees with Barbara Jensen as a manager, but excluding the temporary employees:
    [jsmith@server ~]$ ipa automember-add-condition --type=group --key=manager --inclusive-regex=^uid=bjensen$ exampleGroup
    [jsmith@server ~]$ ipa automember-add-condition --type=group --key=employeetype --exclusive-regex=^temp exampleGroup

    Note

    The regular expression can match any part of the string. Using a caret (^) means that it must match at the beginning, and using a dollar sign ($) means that it must match at the end. Wrapping the pattern in ^ and $ means that the string as a whole must match.
    For more information on Perl-compatible regular expression (PCRE) patterns, see the pcresyntax(3) man page.
To remove a condition for a rule, pass the full condition information, both the key and the regular expression:
[jsmith@server ~]$ ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
To remove the entire rule, simply run the automember-del command.