[Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

Martin Basti mbasti at redhat.com
Wed Oct 7 10:31:24 UTC 2015 


On 10/07/2015 12:28 PM, Martin Basti wrote:
>
>
> On 10/07/2015 12:10 PM, Alex Williams wrote:
>> On 07/10/15 10:57, Martin Basti wrote:
>>>
>>>
>>> On 10/07/2015 11:23 AM, Alex Williams wrote:
>>>> On 07/10/15 09:53, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 10/07/2015 09:49 AM, Alex Williams wrote:
>>>>>> Hi guys,
>>>>>>
>>>>>> yesterday I finally managed to get our IPA3.0.0 servers in a 
>>>>>> state that I could upgrade the schema to dogtag 10, using the 
>>>>>> migration script and launched a new RHEL7.1 IPA4.1 server as a 
>>>>>> replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server AND 
>>>>>> the old RHEL6.6 IPA3.0.0 server that I replicated from (Also 
>>>>>> happens to be our CRL master), I can no longer search for hosts 
>>>>>> or DNS entries, or host groups, either in the UI, or on the 
>>>>>> command line.
>>>>>>
>>>>>> They're there, they show up when you go to the hosts, dns or user 
>>>>>> page in a list, but you cannot then refine the search. This is 
>>>>>> also true of ipa host-find and ipa hostgroup-find on the command 
>>>>>> line. Is this a bug in IPA4.1? Is it a schema issue? Is it just 
>>>>>> because we still have an IPA3 server running the show and an IPA4 
>>>>>> replica? I can't really justify dropping our production IPA3 
>>>>>> servers, if searching for records doesn't work in IPA4.1.
>>>>>>
>>>>>> I still appear to be able to search in the UI of one of our other 
>>>>>> IPA3 servers, despite the fact it has had its schema updated and 
>>>>>> it has been connected to the new IPA4 server.
>>>>>>
>>>>>> Thanks in advance for any help anyone can offer.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Alex
>>>>>>
>>>>> Hello,
>>>>>
>>>>> can you provide more info please:
>>>>>
>>>>> * are you kinited as admin user?
>>>>> * does ipa dnszone-find returns all results?
>>>>> * does ipa dnszone-find <name of zone> return something?
>>>>> * does ipa dnszone-show <name of zone> return the zone?
>>>>>
>>>>> We had issue with access control, where non admin users cannot 
>>>>> search for zones, I'm not sure about hosts, and host groups.
>>>>> I do not think that this is a schema upgrade issue nor related to 
>>>>> Dogtag 10.
>>>>>
>>>>> Martin
>>>>
>>>> Hi Martin,
>>>>
>>>> thanks for the quick response. So, I have not kinited as the admin 
>>>> user, however as root and as my own username (A member of the 
>>>> admins group in IPA), all of the commands you requested that I 
>>>> test, work fine. As it turns out, I can run all of the following on 
>>>> the command line, as my user, or as root and it all works fine. My 
>>>> colleague who attempted to do so this morning under his username, 
>>>> can do so if he kinits to admin. So I'm assuming the CLI bit, might 
>>>> be an ACL issue? Unfortunately, my user still cannot search for 
>>>> hosts, hostgroups, or DNS entries within the UI.
>>>>
>>>> ipa user-find - returns a list of 100 users
>>>> ipa user-find $username - returns the details of that user
>>>> ipa host-find returns a list of 100 hosts
>>>> ipa host-find $hostname - returns the details of the host
>>>> ipa host-find $partial-hostname - returns a list of hosts which 
>>>> have the search string inside their hostname
>>>> ipa hostgroup-find - returns a list of hostgroups
>>>> ipa hostgroup-find $hostgroupname - returns details of the hostgroup
>>>>
>>>> Regards
>>>>
>>>> Alex
>>>
>>> If I understand correctly, you as admin group user, can search in 
>>> CLI and cannot search in webUI? That is weird.
>>>
>>> For CLI part, IIRC this bug has been fixed in IPA 4.2, ACI in DS 
>>> disallow some queries from user that are not in admin group.
>>>
>>> Martin
>>
>> Hi Martin,
>>
>> yes, that's exactly right, we seem to be able to search in the CLI, 
>> provided we're in the admin group, or kinit to the admin user. For 
>> some reason though, searching in the UI brings back nothing at all. 
>> It works ok for users, but not for hosts, hostgroups, or DNS entries. 
>> All of the entries are there, they are listed in full when you visit 
>> the respective page, but even searching for a full hostname doesn't 
>> work, let alone part of it. CLI is always an option obviously, but we 
>> don't really want everyone who uses this to have to use the CLI, just 
>> to search for a hostname or DNS entry.
> Please login in webUI as admin and try search, in this case search 
> should work, if not, there is something broken.
>
> I found related tickets:
> https://fedorahosted.org/freeipa/ticket/5055
> https://fedorahosted.org/freeipa/ticket/5130
>
> But I found nothing about hosts and hostsgroup, I will prepare test 
> environment and try.
Nevermind, here is hosts/hostgroup/service/netgroup ticket 
https://fedorahosted.org/freeipa/ticket/5167
>>
>> I've also verified that replication of things like hosts and DNS 
>> entries is working perfectly well between the IPA4 and IPA3 servers. 
>> If I add a new DNS entry in IPA3, it shows up immediately in IPA4 and 
>> I can then delete it in IPA4 and it's removed instantly from the IPA3 
>> server.
>>
>> Cheers
>>
>> Alex
>>
>

More information about the Freeipa-users mailing list