[Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

Alex Williams alex.williams at brighter-technology.com
Wed Oct 7 11:26:43 UTC 2015


On 07/10/15 11:31, Martin Basti wrote:
>
>
> On 10/07/2015 12:28 PM, Martin Basti wrote:
>>
>>
>> On 10/07/2015 12:10 PM, Alex Williams wrote:
>>> On 07/10/15 10:57, Martin Basti wrote:
>>>>
>>>>
>>>> On 10/07/2015 11:23 AM, Alex Williams wrote:
>>>>> On 07/10/15 09:53, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 10/07/2015 09:49 AM, Alex Williams wrote:
>>>>>>> Hi guys,
>>>>>>>
>>>>>>> yesterday I finally managed to get our IPA3.0.0 servers in a 
>>>>>>> state that I could upgrade the schema to dogtag 10, using the 
>>>>>>> migration script and launched a new RHEL7.1 IPA4.1 server as a 
>>>>>>> replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server 
>>>>>>> AND the old RHEL6.6 IPA3.0.0 server that I replicated from (Also 
>>>>>>> happens to be our CRL master), I can no longer search for hosts 
>>>>>>> or DNS entries, or host groups, either in the UI, or on the 
>>>>>>> command line.
>>>>>>>
>>>>>>> They're there, they show up when you go to the hosts, dns or 
>>>>>>> user page in a list, but you cannot then refine the search. This 
>>>>>>> is also true of ipa host-find and ipa hostgroup-find on the 
>>>>>>> command line. Is this a bug in IPA4.1? Is it a schema issue? Is 
>>>>>>> it just because we still have an IPA3 server running the show 
>>>>>>> and an IPA4 replica? I can't really justify dropping our 
>>>>>>> production IPA3 servers, if searching for records doesn't work 
>>>>>>> in IPA4.1.
>>>>>>>
>>>>>>> I still appear to be able to search in the UI of one of our 
>>>>>>> other IPA3 servers, despite the fact it has had its schema 
>>>>>>> updated and it has been connected to the new IPA4 server.
>>>>>>>
>>>>>>> Thanks in advance for any help anyone can offer.
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Alex
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> can you provide more info please:
>>>>>>
>>>>>> * are you kinited as admin user?
>>>>>> * does ipa dnszone-find return all results?
>>>>>> * does ipa dnszone-find <name of zone> return something?
>>>>>> * does ipa dnszone-show <name of zone> return the zone?
>>>>>>
>>>>>> We had an issue with access control, where non-admin users cannot 
>>>>>> search for zones; I'm not sure about hosts and host groups.
>>>>>> I do not think that this is a schema upgrade issue nor related to 
>>>>>> Dogtag 10.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> Hi Martin,
>>>>>
>>>>> thanks for the quick response. So, I have not kinited as the admin 
>>>>> user, however as root and as my own username (A member of the 
>>>>> admins group in IPA), all of the commands you requested that I 
>>>>> test, work fine. As it turns out, I can run all of the following 
>>>>> on the command line, as my user, or as root and it all works fine. 
>>>>> My colleague who attempted to do so this morning under his 
>>>>> username, can do so if he kinits to admin. So I'm assuming the CLI 
>>>>> bit, might be an ACL issue? Unfortunately, my user still cannot 
>>>>> search for hosts, hostgroups, or DNS entries within the UI.
>>>>>
>>>>> ipa user-find - returns a list of 100 users
>>>>> ipa user-find $username - returns the details of that user
>>>>> ipa host-find returns a list of 100 hosts
>>>>> ipa host-find $hostname - returns the details of the host
>>>>> ipa host-find $partial-hostname - returns a list of hosts which 
>>>>> have the search string inside their hostname
>>>>> ipa hostgroup-find - returns a list of hostgroups
>>>>> ipa hostgroup-find $hostgroupname - returns details of the hostgroup
>>>>>
>>>>> Regards
>>>>>
>>>>> Alex
>>>>
>>>> If I understand correctly, you, as an admin group user, can search in 
>>>> the CLI and cannot search in the webUI? That is weird.
>>>>
>>>> For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
>>>> disallow some queries from users that are not in the admin group.
>>>>
>>>> Martin
>>>
>>> Hi Martin,
>>>
>>> yes, that's exactly right, we seem to be able to search in the CLI, 
>>> provided we're in the admin group, or kinit to the admin user. For 
>>> some reason though, searching in the UI brings back nothing at all. 
>>> It works ok for users, but not for hosts, hostgroups, or DNS 
>>> entries. All of the entries are there, they are listed in full when 
>>> you visit the respective page, but even searching for a full 
>>> hostname doesn't work, let alone part of it. CLI is always an option 
>>> obviously, but we don't really want everyone who uses this to have 
>>> to use the CLI, just to search for a hostname or DNS entry.
>> Please log in to the webUI as admin and try a search; in this case search 
>> should work. If not, there is something broken.
>>
>> I found related tickets:
>> https://fedorahosted.org/freeipa/ticket/5055
>> https://fedorahosted.org/freeipa/ticket/5130
>>
>> But I found nothing about hosts and hostgroups; I will prepare a test 
>> environment and try.
> Never mind, here is the hosts/hostgroup/service/netgroup ticket 
> https://fedorahosted.org/freeipa/ticket/5167
>>>
>>> I've also verified that replication of things like hosts and DNS 
>>> entries is working perfectly well between the IPA4 and IPA3 servers. 
>>> If I add a new DNS entry in IPA3, it shows up immediately in IPA4 
>>> and I can then delete it in IPA4 and it's removed instantly from the 
>>> IPA3 server.
>>>
>>> Cheers
>>>
>>> Alex
>>>
>>
>


Hi Martin,

thanks for that, that does in fact seem to be the issue. As per your 
instructions, logging in as 'admin' to the UI, allows the search feature 
to work. That does beg the question as to how my user can use its 
kerberos ticket on the CLI, but not in the UI though? Either way, the 
fix for the issue looks to be trivial (Replacing a few python files by 
the looks of things), so I'll give that a go and at worst, I guess we 
may have to wait until RHEL7.2 becomes a release and we'll upgrade to that.

Cheers

Alex





