[Freeipa-users] Web UI: Migrated Admins missing action buttons

Sat Apr 25 13:08:07 UTC 2015

On 04/25/2015 03:12 AM, Christopher Lamb wrote:
> Hi Rob and Dimitri
>
> Migrating via Replica is the obvious way that I would have gone, had the
> FreeIPA /RedHat documentation not suggested the replicas must have the same
> version.
>
> I think the link that put me off from replicating was:
>
> http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html
>
> Looking at the link more closely I now see this applies to version
> 1.2 ....., but from the page itself that was not obvious. it would be great
> if the version to which the IPA documentation applies was more obvious....
> I am sure I am not the only user who enters the documentation via a search
> engine.
>
> The missing buttons turns out to be down to the fact that the admin group
> was not migrated, as it is present on both old and new, so while the "old"
> admin users were migrated (together with membership of all other groups),
> they were not added to the admin group on the new instance. I should have
> realised this sooner!
>
> # ipa user-show xxxx
>    User login: xxxx
>    .....
>    Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development,
> smb-software, smb-all, smb-implementation, dba, users
> # ipa user-show admin
>    .....
>    Member of groups: ipausers, trust admins, adminonly, admins
>
> Adding "old" admin user xxxx via cli:
>
> # ipa group-add-member admins --users=xxxx
>
> # ipa user-show xxxx
>     ....
>    Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development,
> smb-software, admins, smb-all, smb-implementation, dba, users
>
> I guess that when the Web UI decides to cooperate, and let me in without
> "your session has expired" error (see other ticket), I will have the
> missing buttons....
>
> Thanks for the help
>
> Chris
>
>
>
>
> From:	Rob Crittenden <rcritten at redhat.com>
> To:	dpal at redhat.com, freeipa-users at redhat.com
> Date:	25.04.2015 07:05
> Subject:	Re: [Freeipa-users] Web UI: Migrated Admins missing action
>              buttons
> Sent by:	freeipa-users-bounces at redhat.com
>
>
>
> Dmitri Pal wrote:
>> On 04/24/2015 12:58 PM, Christopher Lamb wrote:
>>> Hi
>>>
>>> I am in the process of setting up and configuring a FreeIPA Server
> 4.1.0.
>>> I have successfully migrated all the users from an existing FreeIPA
>>> Server
>>> 3.0.0 with the following command:
>>>
>>> ipa migrate-ds --group-overwrite-gid
>>> --user-container='cn=users,cn=accounts'
>>> --group-container='cn=groups,cn=accounts' ldap://<ldap url of new
>>> server>:389
>>>
>>> When I log into the 4.1.0 Web UI, with the default "admin" user, on the
>>> Identity/Users overview page, I have buttons for Delete, Add, Enable,
>>> Disable etc.
>>>
>>> If I log in with an imported admin user, these buttons are missing.
>>>
>>> If I log into the old 3.0.0 Web UI, these buttons are available with
> both
>>> users.
>> This is most likely because the permissions changed in 4.0 and old admin
>> does not have the privileges that are now default in 4.1.
> He migrated rather than upgrading so this doesn't apply.
>
> So the question is: why did you migrate and not create a replica with
> 4.x and migrate that way?
>
> One needs to be a member of the admins group to be an admin, I'd start
> there.
>
>>> p.s. it would be great if the syntax for an IPA "old" to IPA "new"
>>> migration using ipa migrate-ds was included in the IPA documentation.
>>> I had
>>> to dig deep in the migration.py script to find the accepted format .....
> There is a ticket for this but the expected upgrade path is to install a
> replica on the new version and once things are confirmed to be working,
> decommission the older ones.
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>
>
I do not know what we can do about the old documentation.
It is there but we can't prevent users from finding it.
We communicated several times on the list and wiki that the most up to 
date documentation to use in the on the Red Hat documentation portal [1] 
as we do no have resources to maintain upstream and downstream versions 
of the documentation at the same time. It is better to have one up to 
date set of documentation than to have two incomplete ones.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/ 
(see bottom of the page)

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.