[Freeipa-users] Directory Search Question

Martin Kosek mkosek at redhat.com
Mon Mar 21 08:26:30 UTC 2016


On 03/18/2016 09:21 PM, Randy Morgan wrote:
> We have a FreeIPA Version 4.2 production installation that seems to have a
> limitation we cannot figure out how to overcome.  Users cannot search, from the
> GUI, for a specific user.  The only users who can perform a search for a
> specific user are full admins; for everyone else the search option does not
> respond, meaning that if you click on the magnifying glass, nothing happens.
> We have a large number of groups, and they are managed by the group owner, who
> needs to be able to do a user search.  This appears to be a permissions issue,
> but we are not sure what we need to change to make it so that we can assign
> search capability to specific user groups.  Any help would be greatly appreciated.

Hello Randy,

What permissions have you defined to allow your group admins to administer the
groups?

On my RHEL-7.2 machine, I tried setting up delegation like that:

# kinit admin
Password for admin@RHEL72:
# ipa group-add lab
# ipa permission-add --type group --right write --filter "(cn=lab)" --attrs member can_manage_lab

# ipa user-add --first Lab --last Admin labadmin
# ipa passwd labadmin
# ipa role-add labadmin
# ipa privilege-add labadmin
# ipa role-add-member labadmin --users labadmin
# ipa role-add-privilege labadmin --privilege labadmin
# ipa privilege-add-permission labadmin --permissions labadmin
# ipa privilege-add-permission labadmin --permissions can_manage_lab
# ipa user-show labadmin
...
  Roles: labadmin
# ipa user-add --first Lab --last User labuser1
# ipa user-add --first Lab --last User labuser2

# kinit labadmin
Password for labadmin@RHEL72:
Password expired.  You must change it now.
Enter new password:
Enter it again:
# ipa group-add-member lab --users labuser1
  Group name: lab
  GID: 632400001
  Member users: labuser1
-------------------------
Number of members added 1
-------------------------

When I tried to achieve something similar with labadmin on
https://ipa.rhel72/ipa/ui/#/e/group/member_user/lab
it worked for me as well, and I was able to manage lab group members in the UI.

HTH,
Martin
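The delegation chain Martin builds by hand above (permission, privilege, role, role member), turned into a re-runnable script, followed by a check run with the delegate's own ticket of the two operations this thread is about: finding a user by login and adding that user to the group. This is an added example, not code from the thread or from the FreeIPA project. It assumes the `ipa` CLI is on PATH and that the caller already holds the right Kerberos ticket; the object names it derives (`can_manage_<group>` for the permission, `manage_<group>` for both privilege and role) are the script's own choice.

```shell
#!/bin/sh
# ipa-delegate-group.sh: delegate membership management of one FreeIPA group to
# one user by building the same chain as the reply above
# (permission -> privilege -> role -> role member), then check the result
# from the delegate's side.
#
# Added example, not FreeIPA project code. Assumes the `ipa` CLI is on PATH
# and that a ticket is already held: an admin ticket for `setup`, the
# delegate's own ticket (kinit <delegate>) for `verify`. Object names
# (can_manage_<group>, manage_<group>) are this script's own choice.
#
# Usage:
#   kinit admin;    ./ipa-delegate-group.sh setup  lab labadmin
#   kinit labadmin; ./ipa-delegate-group.sh verify lab labuser1

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# run: echo an ipa command, run it, abort on failure.
run() {
    printf '+ ipa %s\n' "$*" >&2
    ipa "$@" || die "ipa $1 failed"
}

# add: for the *-add-member family, which reports an already-present member as
# a failure and exits nonzero; warn instead of aborting so setup is re-runnable.
add() {
    printf '+ ipa %s\n' "$*" >&2
    ipa "$@" || printf 'note: ipa %s returned nonzero (already a member?)\n' "$1" >&2
}

# exists TYPE NAME: true when `ipa TYPE-show NAME` succeeds.
exists() { ipa "$1-show" "$2" >/dev/null 2>&1; }

perm_name() { printf 'can_manage_%s' "$1"; }
priv_name() { printf 'manage_%s' "$1"; }
role_name() { printf 'manage_%s' "$1"; }

# setup GROUP USER: create the delegation chain for GROUP and grant it to USER.
setup() {
    group=$1; user=$2
    perm=$(perm_name "$group"); priv=$(priv_name "$group"); role=$(role_name "$group")

    exists group "$group" || run group-add "$group"
    exists user "$user" || die "user $user does not exist; create it first"

    # Write access to the member attribute of exactly this group: --type limits
    # the target to group entries, --filter to this cn, --attrs to one attribute,
    # so the delegate can neither rename the group nor touch other groups.
    exists permission "$perm" || run permission-add "$perm" \
        --type group --right write --filter "(cn=$group)" --attrs member

    exists privilege "$priv" || run privilege-add "$priv"
    add privilege-add-permission "$priv" --permissions "$perm"

    exists role "$role" || run role-add "$role"
    add role-add-privilege "$role" --privileges "$priv"
    add role-add-member "$role" --users "$user"
}

# verify GROUP LOGIN: with the delegate's ticket, search for a user by login
# and add that user to the group, the two things the thread asks for.
verify() {
    group=$1; login=$2
    exists group "$group" || die "cannot read group $group with the current ticket"
    run user-find --login "$login"
    add group-add-member "$group" --users "$login"
    run group-show "$group"
}

case "${1:-}" in
    setup|verify) [ $# -eq 3 ] || die "usage: $0 $1 GROUP USER"; "$1" "$2" "$3" ;;
    "") ;;  # no arguments: only define the functions, so the file can be sourced
    *) die "usage: $0 setup|verify GROUP USER" ;;
esac
```

Every object is checked with its `*-show` command before it is created, so running `setup` a second time creates nothing new; the member-adding commands (`privilege-add-permission`, `role-add-privilege`, `role-add-member`, `group-add-member`) are the one exception, since they report an already-present member as a failure, which is why they go through `add` rather than `run`.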