See https://github.com/389ds/389-ds-base/issues/7193 and the referenced issues. It is a regression in a 389-ds update.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

On Tue, 20 Jan 2026, 0.12 Sven Jansen via FreeIPA-users, <[email protected]> wrote:

> Hi Rob,
>
> okay, that's not easy to explain… this affects multiple installations.
>
> The objects are in LDAP and they work. When I log into the FreeIPA UI, Users,
> Group, Hosts, Sudo, Hostgroup and some other object types are totally empty.
> Same if I use the ipa command: if I use “ipa user-find” without entering a
> search term, I get nothing. If I do a specific search for an object, I find
> it, except DNS; there is no way to get DNS zones unless you know what you
> have to hack into the URL to get into the zone
> (/ipa/#/e/dnszone/records/zonename…), search shows no zones.
>
> Let's give you an example: this is a server with around 20-30 users, 10-15
> DNS zones, a handful of groups, sudo rules, host groups, etc., ipa1 + ipa2 sync
> with each other, both authenticate users, deliver DNS and certificates, so
> these servers do their job until you want to find/browse something.
>
>
> Let's do a simple query without a term
>
> [root@ipa1 /]# ipa user-find
> ---------------
> 0 users matched
> ---------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
>
> I get nothing, but users should be visible. Same behaviour in the Web UI,
> nothing, all above-mentioned areas are empty.
>
>
>
> Now let's do a search with a term to find something specific I know
>
> [root@ipa1 /]# ipa user-find testuser
> --------------
> 1 user matched
> --------------
>   User login: testuser
>   First name: XXX
>   Last name: XXX
>   Home directory: /home/testuser
>   Login shell: /usr/bin/zsh
>   Principal name: testuser@XXX
>   Principal alias: testuser@XXX
>   Email address: testuser@XXX
>   UID: 357400030
>   GID: 357400030
>   Account disabled: True
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [root@ipa1 /]# id testuser
> uid=357400030(testuser) gid=357400030(testuser) …
>
> Now we get something, same behaviour in the Web GUI: search for an
> existing object and you find it.
>
>
>
> Let's create a fresh object, like a user; could also be a group or DNS
> zone, doesn't matter, the outcome is the same
>
> [root@ipa1 /]# ipa user-add
> First name: demo
> Last name: user
> User login [duser]: duser
> ------------------
> Added user "duser"
> ------------------
>   User login: duser
>   First name: demo
>   Last name: user
>   Full name: demo user
>   Display name: demo user
>   Initials: du
>   Home directory: /home/duser
>   GECOS: demo user
>   Login shell: /usr/bin/zsh
>   Principal name: duser@XXX
>   Principal alias: duser@XXX
>   Email address: duser@XXX
>   UID: 357400068
>   GID: 357400068
>   Password: False
>   Member of groups: ipausers
>   Kerberos keys available: False
>
> Now again search with no search term
>
> [root@ipa1 /]# ipa user-find
> --------------
> 1 user matched
> --------------
>   User login: duser
>   First name: demo
>   Last name: user
>   Home directory: /home/duser
>   Login shell: /usr/bin/zsh
>   Principal name: duser@xxx
>   Principal alias: duser@xxx
>   Email address: duser@xxx
>   UID: 357400068
>   GID: 357400068
>   Account disabled: False
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> Now we see a result without searching for something specific and this also
> works in the Web UI; it just shows this new user in the users tab, not the
> other ~30 or the testuser I searched for above.
>
>
>
> Conclusion: no data in LDAP is missing, the API (used by Web UI and ipa
> command) is unable to show existing “old” objects until I search specifically
> for a known object; all newly generated objects are always visible/listed.
> This is of course really bad: if you don't know what to search for, you can't
> find anything this way.
>
> This is not just this installation; another standalone installation on a
> customer site behaves like this, and just now, I found this also affects my
> private system. So three installations in total. All installations are based
> on RHEL 8.10 or AlmaLinux 8.10. IPA on all systems is 4.9.13-20.
>
> This issue first appeared ~1 week ago and, like the OP, the impact is
> visible after a reboot.
>
>
>
> Sven
>
>
> On Monday, January 19, 2026 19:12 CET, Rob Crittenden <[email protected]> wrote:
>
> > Sven Jansen via FreeIPA-users wrote:
> > Hi,
> >
> > I see the same problem on my IPA installations for around one or two
> > weeks now. All affected machines run FreeIPA 4.9.13-20.
> >
> >   * one machine is a RHEL 8.10 standalone deployment
> >   * two machines are AlmaLinux 8.10 sync between each other
> >   * All instances have the full capability, DNS, Certificate Authority
> >     and acme.
> >
> > These installations are not related and in different companies. On the
> > first RHEL machine, users are listed, groups are not, some other object
> > types are missing, you can find objects by searching for the name, same
> > with ipa find-user. Freshly created users/groups/hosts work fine and show
> > up in Web interface and ipa find-user.
>
> Can you be more precise? Users are listed where? Through SSSD/nss? Via
> the command-line/UI tools? Are they in LDAP?
>
> In what context is this happening? Did it start out of the blue or after
> something was done? It may even be something that seems benign.
>
> >
> > On the second pair (running AlmaLinux), it's a bit different: no users,
> > groups, hosts, sudo rules etc. are shown, only freshly created objects
> > show up by using the Web interface or using the ipa command. DNS is a bit
> > different: on IPA1, all DNS zones are visible, on IPA2, no zones are
> > visible, unless I create a new zone. Luckily I can still see all zones on
> > IPA1. Searching for DNS zones on IPA2 does not work, but I can reach the
> > zone by changing the URL to “/ipa/ui/#/e/dnszone/records/mydomain.com”
> > on IPA2, so they are there and accessible.
> >
> > I tried to edit existing objects to see if they pop up, but no luck. I
> > ran ipa-server-upgrade to see if some migration is missing, but it
> > finished without issue and the problem persists.
> >
> > No issues with DNS lookups, getting certs or providing authentication,
> > just searching/showing objects is broken. I have no clue how to fix that,
> > I can see no “useful” information in my slapd logs or I don't know what
> > to look for.
> >
> >
>
> How are you authenticating? If no users exist then it's quite surprising
> that you can authenticate. Do you see them in LDAP?
>
> rob
>
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
