[Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

Alex Williams alex.williams at brighter-technology.com
Wed Oct 7 09:23:18 UTC 2015


On 07/10/15 09:53, Martin Basti wrote:
>
>
> On 10/07/2015 09:49 AM, Alex Williams wrote:
>> Hi guys,
>>
>> yesterday I finally managed to get our IPA3.0.0 servers in a state 
>> that I could upgrade the schema to dogtag 10, using the migration 
>> script and launched a new RHEL7.1 IPA4.1 server as a replica. 
>> Unfortunately, in both the new RHEL7.1 IPA4.1 server AND the old 
>> RHEL6.6 IPA3.0.0 server that I replicated from (Also happens to be 
>> our CRL master), I can no longer search for hosts or DNS entries, or 
>> host groups, either in the UI, or on the command line.
>>
>> They're there, they show up when you go to the hosts, dns or user 
>> page in a list, but you cannot then refine the search. This is also 
>> true of ipa host-find and ipa hostgroup-find on the command line. Is 
>> this a bug in IPA4.1? Is it a schema issue? Is it just because we 
>> still have an IPA3 server running the show and an IPA4 replica? I 
>> can't really justify dropping our production IPA3 servers, if 
>> searching for records doesn't work in IPA4.1.
>>
>> I still appear to be able to search in the UI of one of our other 
>> IPA3 servers, despite the fact it has had its schema updated and it 
>> has been connected to the new IPA4 server.
>>
>> Thanks in advance for any help anyone can offer.
>>
>> Cheers
>>
>> Alex
>>
> Hello,
>
> can you provide more info please:
>
> * are you kinited as admin user?
> * does ipa dnszone-find return all results?
> * does ipa dnszone-find <name of zone> return something?
> * does ipa dnszone-show <name of zone> return the zone?
>
> We had an issue with access control, where non-admin users cannot search 
> for zones; I'm not sure about hosts and host groups.
> I do not think that this is a schema upgrade issue nor related to 
> Dogtag 10.
>
> Martin

Hi Martin,

thanks for the quick response. So, I have not kinited as the admin user; 
however, as root and as my own username (a member of the admins group in 
IPA), all of the commands you requested that I test work fine. As it 
turns out, I can run all of the following on the command line, as my 
user or as root, and it all works fine. My colleague, who attempted to do 
so this morning under his username, can do so if he kinits to admin. So 
I'm assuming the CLI bit might be an ACL issue? Unfortunately, my user 
still cannot search for hosts, hostgroups, or DNS entries within the UI.

ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find - returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which have the 
search string inside their hostname
ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex



