Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Martin Basti



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a state 
that I could upgrade the schema to dogtag 10, using the migration 
script and launched a new RHEL7.1 IPA4.1 server as a replica. 
Unfortunately, in both the new RHEL7.1 IPA4.1 server AND the old 
RHEL6.6 IPA3.0.0 server that I replicated from (Also happens to be our 
CRL master), I can no longer search for hosts or DNS entries, or host 
groups, either in the UI, or on the command line.


They're there, they show up when you go to the hosts, dns or user page 
in a list, but you cannot then refine the search. This is also true of 
ipa host-find and ipa hostgroup-find on the command line. Is this a 
bug in IPA4.1? Is it a schema issue? Is it just because we still have 
an IPA3 server running the show and an IPA4 replica? I can't really 
justify dropping our production IPA3 servers, if searching for records 
doesn't work in IPA4.1.


I still appear to be able to search in the UI of one of our other IPA3 
servers, despite the fact it has had its schema updated and it has 
been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot search 
for zones; I'm not sure about hosts and host groups.

I do not think that this is a schema upgrade issue nor related to Dogtag 10.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Martin Basti



On 10/07/2015 12:28 PM, Martin Basti wrote:



On 10/07/2015 12:10 PM, Alex Williams wrote:

On 07/10/15 10:57, Martin Basti wrote:



On 10/07/2015 11:23 AM, Alex Williams wrote:

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a 
state that I could upgrade the schema to dogtag 10, using the 
migration script and launched a new RHEL7.1 IPA4.1 server as a 
replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server AND 
the old RHEL6.6 IPA3.0.0 server that I replicated from (Also 
happens to be our CRL master), I can no longer search for hosts 
or DNS entries, or host groups, either in the UI, or on the 
command line.


They're there, they show up when you go to the hosts, dns or user 
page in a list, but you cannot then refine the search. This is 
also true of ipa host-find and ipa hostgroup-find on the command 
line. Is this a bug in IPA4.1? Is it a schema issue? Is it just 
because we still have an IPA3 server running the show and an IPA4 
replica? I can't really justify dropping our production IPA3 
servers, if searching for records doesn't work in IPA4.1.


I still appear to be able to search in the UI of one of our other 
IPA3 servers, despite the fact it has had its schema updated and 
it has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot 
search for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related to 
Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the admin 
user, however as root and as my own username (A member of the 
admins group in IPA), all of the commands you requested that I 
test, work fine. As it turns out, I can run all of the following on 
the command line, as my user, or as root and it all works fine. My 
colleague who attempted to do so this morning under his username, 
can do so if he kinits to admin. So I'm assuming the CLI bit, might 
be an ACL issue? Unfortunately, my user still cannot search for 
hosts, hostgroups, or DNS entries within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which 
have the search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex


If I understand correctly, you, as an admin group user, can search in 
the CLI and cannot search in the webUI? That is weird.


For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
disallow some queries from users that are not in the admin group.


Martin


Hi Martin,

yes, that's exactly right, we seem to be able to search in the CLI, 
provided we're in the admin group, or kinit to the admin user. For 
some reason though, searching in the UI brings back nothing at all. 
It works ok for users, but not for hosts, hostgroups, or DNS entries. 
All of the entries are there, they are listed in full when you visit 
the respective page, but even searching for a full hostname doesn't 
work, let alone part of it. CLI is always an option obviously, but we 
don't really want everyone who uses this to have to use the CLI, just 
to search for a hostname or DNS entry.

Please log in to the webUI as admin and try a search; in this case search 
should work. If not, there is something broken.


I found related tickets:
https://fedorahosted.org/freeipa/ticket/5055
https://fedorahosted.org/freeipa/ticket/5130

But I found nothing about hosts and hostgroups; I will prepare a test 
environment and try.

Never mind, here is the hosts/hostgroup/service/netgroup ticket: 
https://fedorahosted.org/freeipa/ticket/5167


I've also verified that replication of things like hosts and DNS 
entries is working perfectly well between the IPA4 and IPA3 servers. 
If I add a new DNS entry in IPA3, it shows up immediately in IPA4 and 
I can then delete it in IPA4 and it's removed instantly from the IPA3 
server.


Cheers

Alex







Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Alex Williams

On 07/10/15 10:57, Martin Basti wrote:



On 10/07/2015 11:23 AM, Alex Williams wrote:

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a state 
that I could upgrade the schema to dogtag 10, using the migration 
script and launched a new RHEL7.1 IPA4.1 server as a replica. 
Unfortunately, in both the new RHEL7.1 IPA4.1 server AND the old 
RHEL6.6 IPA3.0.0 server that I replicated from (Also happens to be 
our CRL master), I can no longer search for hosts or DNS entries, 
or host groups, either in the UI, or on the command line.


They're there, they show up when you go to the hosts, dns or user 
page in a list, but you cannot then refine the search. This is also 
true of ipa host-find and ipa hostgroup-find on the command line. 
Is this a bug in IPA4.1? Is it a schema issue? Is it just because 
we still have an IPA3 server running the show and an IPA4 replica? 
I can't really justify dropping our production IPA3 servers, if 
searching for records doesn't work in IPA4.1.


I still appear to be able to search in the UI of one of our other 
IPA3 servers, despite the fact it has had its schema updated and it 
has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot 
search for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related to 
Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the admin 
user, however as root and as my own username (A member of the admins 
group in IPA), all of the commands you requested that I test, work 
fine. As it turns out, I can run all of the following on the command 
line, as my user, or as root and it all works fine. My colleague who 
attempted to do so this morning under his username, can do so if he 
kinits to admin. So I'm assuming the CLI bit, might be an ACL issue? 
Unfortunately, my user still cannot search for hosts, hostgroups, or 
DNS entries within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which have 
the search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex


If I understand correctly, you, as an admin group user, can search in the 
CLI and cannot search in the webUI? That is weird.


For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
disallow some queries from users that are not in the admin group.


Martin


Hi Martin,

yes, that's exactly right, we seem to be able to search in the CLI, 
provided we're in the admin group, or kinit to the admin user. For some 
reason though, searching in the UI brings back nothing at all. It works 
ok for users, but not for hosts, hostgroups, or DNS entries. All of the 
entries are there, they are listed in full when you visit the respective 
page, but even searching for a full hostname doesn't work, let alone 
part of it. CLI is always an option obviously, but we don't really want 
everyone who uses this to have to use the CLI, just to search for a 
hostname or DNS entry.


I've also verified that replication of things like hosts and DNS entries 
is working perfectly well between the IPA4 and IPA3 servers. If I add a 
new DNS entry in IPA3, it shows up immediately in IPA4 and I can then 
delete it in IPA4 and it's removed instantly from the IPA3 server.


Cheers

Alex



Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Martin Basti



On 10/07/2015 01:26 PM, Alex Williams wrote:

On 07/10/15 11:31, Martin Basti wrote:



On 10/07/2015 12:28 PM, Martin Basti wrote:



On 10/07/2015 12:10 PM, Alex Williams wrote:

On 07/10/15 10:57, Martin Basti wrote:



On 10/07/2015 11:23 AM, Alex Williams wrote:

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a 
state that I could upgrade the schema to dogtag 10, using the 
migration script and launched a new RHEL7.1 IPA4.1 server as a 
replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server 
AND the old RHEL6.6 IPA3.0.0 server that I replicated from 
(Also happens to be our CRL master), I can no longer search for 
hosts or DNS entries, or host groups, either in the UI, or on 
the command line.


They're there, they show up when you go to the hosts, dns or 
user page in a list, but you cannot then refine the search. 
This is also true of ipa host-find and ipa hostgroup-find on 
the command line. Is this a bug in IPA4.1? Is it a schema 
issue? Is it just because we still have an IPA3 server running 
the show and an IPA4 replica? I can't really justify dropping 
our production IPA3 servers, if searching for records doesn't 
work in IPA4.1.


I still appear to be able to search in the UI of one of our 
other IPA3 servers, despite the fact it has had its schema 
updated and it has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot 
search for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related 
to Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the 
admin user, however as root and as my own username (A member of 
the admins group in IPA), all of the commands you requested that 
I test, work fine. As it turns out, I can run all of the 
following on the command line, as my user, or as root and it all 
works fine. My colleague who attempted to do so this morning 
under his username, can do so if he kinits to admin. So I'm 
assuming the CLI bit, might be an ACL issue? Unfortunately, my 
user still cannot search for hosts, hostgroups, or DNS entries 
within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which 
have the search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex


If I understand correctly, you, as an admin group user, can search in 
the CLI and cannot search in the webUI? That is weird.


For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
disallow some queries from users that are not in the admin group.


Martin


Hi Martin,

yes, that's exactly right, we seem to be able to search in the CLI, 
provided we're in the admin group, or kinit to the admin user. For 
some reason though, searching in the UI brings back nothing at all. 
It works ok for users, but not for hosts, hostgroups, or DNS 
entries. All of the entries are there, they are listed in full when 
you visit the respective page, but even searching for a full 
hostname doesn't work, let alone part of it. CLI is always an 
option obviously, but we don't really want everyone who uses this 
to have to use the CLI, just to search for a hostname or DNS entry.

Please log in to the webUI as admin and try a search; in this case search 
should work. If not, there is something broken.


I found related tickets:
https://fedorahosted.org/freeipa/ticket/5055
https://fedorahosted.org/freeipa/ticket/5130

But I found nothing about hosts and hostgroups; I will prepare a test 
environment and try.

Never mind, here is the hosts/hostgroup/service/netgroup ticket: 
https://fedorahosted.org/freeipa/ticket/5167


I've also verified that replication of things like hosts and DNS 
entries is working perfectly well between the IPA4 and IPA3 
servers. If I add a new DNS entry in IPA3, it shows up immediately 
in IPA4 and I can then delete it in IPA4 and it's removed instantly 
from the IPA3 server.


Cheers

Alex








Hi Martin,

thanks for that, that does in fact seem to be the issue. As per your 
instructions, logging in as 'admin' to the UI, allows the search 
feature to work. That does beg the question as to how my user can use 
its kerberos ticket on the CLI, but not in the UI though? Either way, 
the fix for the issue looks to be trivial (Replacing a few python 
files by the looks of things), so I'll 

Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Alex Williams

On 07/10/15 12:40, Martin Basti wrote:



On 10/07/2015 01:26 PM, Alex Williams wrote:

On 07/10/15 11:31, Martin Basti wrote:



On 10/07/2015 12:28 PM, Martin Basti wrote:



On 10/07/2015 12:10 PM, Alex Williams wrote:

On 07/10/15 10:57, Martin Basti wrote:



On 10/07/2015 11:23 AM, Alex Williams wrote:

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a 
state that I could upgrade the schema to dogtag 10, using the 
migration script and launched a new RHEL7.1 IPA4.1 server as a 
replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server 
AND the old RHEL6.6 IPA3.0.0 server that I replicated from 
(Also happens to be our CRL master), I can no longer search 
for hosts or DNS entries, or host groups, either in the UI, or 
on the command line.


They're there, they show up when you go to the hosts, dns or 
user page in a list, but you cannot then refine the search. 
This is also true of ipa host-find and ipa hostgroup-find on 
the command line. Is this a bug in IPA4.1? Is it a schema 
issue? Is it just because we still have an IPA3 server running 
the show and an IPA4 replica? I can't really justify dropping 
our production IPA3 servers, if searching for records doesn't 
work in IPA4.1.


I still appear to be able to search in the UI of one of our 
other IPA3 servers, despite the fact it has had its schema 
updated and it has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot 
search for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related 
to Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the 
admin user, however as root and as my own username (A member of 
the admins group in IPA), all of the commands you requested that 
I test, work fine. As it turns out, I can run all of the 
following on the command line, as my user, or as root and it all 
works fine. My colleague who attempted to do so this morning 
under his username, can do so if he kinits to admin. So I'm 
assuming the CLI bit, might be an ACL issue? Unfortunately, my 
user still cannot search for hosts, hostgroups, or DNS entries 
within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which 
have the search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the 
hostgroup


Regards

Alex


If I understand correctly, you, as an admin group user, can search in 
the CLI and cannot search in the webUI? That is weird.


For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
disallow some queries from users that are not in the admin group.


Martin


Hi Martin,

yes, that's exactly right, we seem to be able to search in the 
CLI, provided we're in the admin group, or kinit to the admin 
user. For some reason though, searching in the UI brings back 
nothing at all. It works ok for users, but not for hosts, 
hostgroups, or DNS entries. All of the entries are there, they are 
listed in full when you visit the respective page, but even 
searching for a full hostname doesn't work, let alone part of it. 
CLI is always an option obviously, but we don't really want 
everyone who uses this to have to use the CLI, just to search for 
a hostname or DNS entry.

Please log in to the webUI as admin and try a search; in this case search 
should work. If not, there is something broken.


I found related tickets:
https://fedorahosted.org/freeipa/ticket/5055
https://fedorahosted.org/freeipa/ticket/5130

But I found nothing about hosts and hostgroups; I will prepare a test 
environment and try.

Never mind, here is the hosts/hostgroup/service/netgroup ticket: 
https://fedorahosted.org/freeipa/ticket/5167


I've also verified that replication of things like hosts and DNS 
entries is working perfectly well between the IPA4 and IPA3 
servers. If I add a new DNS entry in IPA3, it shows up immediately 
in IPA4 and I can then delete it in IPA4 and it's removed 
instantly from the IPA3 server.


Cheers

Alex








Hi Martin,

thanks for that, that does in fact seem to be the issue. As per your 
instructions, logging in as 'admin' to the UI, allows the search 
feature to work. That does beg the question as to how my user can use 
its kerberos ticket on the CLI, but not in the UI though? Either way, 
the fix for the issue looks to be trivial (Replacing a few python 

Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Martin Basti



On 10/07/2015 11:23 AM, Alex Williams wrote:

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a state 
that I could upgrade the schema to dogtag 10, using the migration 
script and launched a new RHEL7.1 IPA4.1 server as a replica. 
Unfortunately, in both the new RHEL7.1 IPA4.1 server AND the old 
RHEL6.6 IPA3.0.0 server that I replicated from (Also happens to be 
our CRL master), I can no longer search for hosts or DNS entries, or 
host groups, either in the UI, or on the command line.


They're there, they show up when you go to the hosts, dns or user 
page in a list, but you cannot then refine the search. This is also 
true of ipa host-find and ipa hostgroup-find on the command line. Is 
this a bug in IPA4.1? Is it a schema issue? Is it just because we 
still have an IPA3 server running the show and an IPA4 replica? I 
can't really justify dropping our production IPA3 servers, if 
searching for records doesn't work in IPA4.1.


I still appear to be able to search in the UI of one of our other 
IPA3 servers, despite the fact it has had its schema updated and it 
has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot search 
for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related to 
Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the admin 
user, however as root and as my own username (A member of the admins 
group in IPA), all of the commands you requested that I test, work 
fine. As it turns out, I can run all of the following on the command 
line, as my user, or as root and it all works fine. My colleague who 
attempted to do so this morning under his username, can do so if he 
kinits to admin. So I'm assuming the CLI bit, might be an ACL issue? 
Unfortunately, my user still cannot search for hosts, hostgroups, or 
DNS entries within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which have 
the search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex


If I understand correctly, you, as an admin group user, can search in the 
CLI and cannot search in the webUI? That is weird.


For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
disallow some queries from users that are not in the admin group.


Martin



Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Alex Williams

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a state 
that I could upgrade the schema to dogtag 10, using the migration 
script and launched a new RHEL7.1 IPA4.1 server as a replica. 
Unfortunately, in both the new RHEL7.1 IPA4.1 server AND the old 
RHEL6.6 IPA3.0.0 server that I replicated from (Also happens to be 
our CRL master), I can no longer search for hosts or DNS entries, or 
host groups, either in the UI, or on the command line.


They're there, they show up when you go to the hosts, dns or user 
page in a list, but you cannot then refine the search. This is also 
true of ipa host-find and ipa hostgroup-find on the command line. Is 
this a bug in IPA4.1? Is it a schema issue? Is it just because we 
still have an IPA3 server running the show and an IPA4 replica? I 
can't really justify dropping our production IPA3 servers, if 
searching for records doesn't work in IPA4.1.


I still appear to be able to search in the UI of one of our other 
IPA3 servers, despite the fact it has had its schema updated and it 
has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot search 
for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related to 
Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the admin user, 
however as root and as my own username (A member of the admins group in 
IPA), all of the commands you requested that I test, work fine. As it 
turns out, I can run all of the following on the command line, as my 
user, or as root and it all works fine. My colleague who attempted to do 
so this morning under his username, can do so if he kinits to admin. So 
I'm assuming the CLI bit, might be an ACL issue? Unfortunately, my user 
still cannot search for hosts, hostgroups, or DNS entries within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which have the 
search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex



Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Martin Basti



On 10/07/2015 12:10 PM, Alex Williams wrote:

On 07/10/15 10:57, Martin Basti wrote:



On 10/07/2015 11:23 AM, Alex Williams wrote:

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a state 
that I could upgrade the schema to dogtag 10, using the migration 
script and launched a new RHEL7.1 IPA4.1 server as a replica. 
Unfortunately, in both the new RHEL7.1 IPA4.1 server AND the old 
RHEL6.6 IPA3.0.0 server that I replicated from (Also happens to be 
our CRL master), I can no longer search for hosts or DNS entries, 
or host groups, either in the UI, or on the command line.


They're there, they show up when you go to the hosts, dns or user 
page in a list, but you cannot then refine the search. This is 
also true of ipa host-find and ipa hostgroup-find on the command 
line. Is this a bug in IPA4.1? Is it a schema issue? Is it just 
because we still have an IPA3 server running the show and an IPA4 
replica? I can't really justify dropping our production IPA3 
servers, if searching for records doesn't work in IPA4.1.


I still appear to be able to search in the UI of one of our other 
IPA3 servers, despite the fact it has had its schema updated and 
it has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot 
search for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related to 
Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the admin 
user, however as root and as my own username (A member of the admins 
group in IPA), all of the commands you requested that I test, work 
fine. As it turns out, I can run all of the following on the command 
line, as my user, or as root and it all works fine. My colleague who 
attempted to do so this morning under his username, can do so if he 
kinits to admin. So I'm assuming the CLI bit, might be an ACL issue? 
Unfortunately, my user still cannot search for hosts, hostgroups, or 
DNS entries within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which have 
the search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex


If I understand correctly, you, as an admin group user, can search in the 
CLI and cannot search in the webUI? That is weird.


For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
disallow some queries from users that are not in the admin group.


Martin


Hi Martin,

yes, that's exactly right, we seem to be able to search in the CLI, 
provided we're in the admin group, or kinit to the admin user. For 
some reason though, searching in the UI brings back nothing at all. It 
works ok for users, but not for hosts, hostgroups, or DNS entries. All 
of the entries are there, they are listed in full when you visit the 
respective page, but even searching for a full hostname doesn't work, 
let alone part of it. CLI is always an option obviously, but we don't 
really want everyone who uses this to have to use the CLI, just to 
search for a hostname or DNS entry.

Please log in to the webUI as admin and try the search; in this case the 
search should work. If not, there is something broken.


I found related tickets:
https://fedorahosted.org/freeipa/ticket/5055
https://fedorahosted.org/freeipa/ticket/5130

But I found nothing about hosts and hostgroups; I will prepare a test 
environment and try.


I've also verified that replication of things like hosts and DNS 
entries is working perfectly well between the IPA4 and IPA3 servers. 
If I add a new DNS entry in IPA3, it shows up immediately in IPA4 and 
I can then delete it in IPA4 and it's removed instantly from the IPA3 
server.


Cheers

Alex





Re: [Freeipa-users] Searching for things in the UI no longer seems to work, neither does ipa host-find or hostgroup-find after schema upgrade to dogtag 10

2015-10-07 Thread Alex Williams

On 07/10/15 11:31, Martin Basti wrote:



On 10/07/2015 12:28 PM, Martin Basti wrote:



On 10/07/2015 12:10 PM, Alex Williams wrote:

On 07/10/15 10:57, Martin Basti wrote:



On 10/07/2015 11:23 AM, Alex Williams wrote:

On 07/10/15 09:53, Martin Basti wrote:



On 10/07/2015 09:49 AM, Alex Williams wrote:

Hi guys,

yesterday I finally managed to get our IPA3.0.0 servers in a 
state that I could upgrade the schema to dogtag 10, using the 
migration script and launched a new RHEL7.1 IPA4.1 server as a 
replica. Unfortunately, in both the new RHEL7.1 IPA4.1 server 
AND the old RHEL6.6 IPA3.0.0 server that I replicated from (Also 
happens to be our CRL master), I can no longer search for hosts 
or DNS entries, or host groups, either in the UI, or on the 
command line.


They're there, they show up when you go to the hosts, dns or 
user page in a list, but you cannot then refine the search. This 
is also true of ipa host-find and ipa hostgroup-find on the 
command line. Is this a bug in IPA4.1? Is it a schema issue? Is 
it just because we still have an IPA3 server running the show 
and an IPA4 replica? I can't really justify dropping our 
production IPA3 servers, if searching for records doesn't work 
in IPA4.1.


I still appear to be able to search in the UI of one of our 
other IPA3 servers, despite the fact it has had its schema 
updated and it has been connected to the new IPA4 server.


Thanks in advance for any help anyone can offer.

Cheers

Alex


Hello,

can you provide more info please:

* are you kinited as admin user?
* does ipa dnszone-find return all results?
* does ipa dnszone-find  return something?
* does ipa dnszone-show  return the zone?

We had an issue with access control, where non-admin users cannot 
search for zones; I'm not sure about hosts and host groups.
I do not think that this is a schema upgrade issue nor related to 
Dogtag 10.


Martin


Hi Martin,

thanks for the quick response. So, I have not kinited as the admin 
user, however as root and as my own username (A member of the 
admins group in IPA), all of the commands you requested that I 
test, work fine. As it turns out, I can run all of the following 
on the command line, as my user, or as root and it all works fine. 
My colleague who attempted to do so this morning under his 
username, can do so if he kinits to admin. So I'm assuming the CLI 
bit, might be an ACL issue? Unfortunately, my user still cannot 
search for hosts, hostgroups, or DNS entries within the UI.


ipa user-find - returns a list of 100 users
ipa user-find $username - returns the details of that user
ipa host-find - returns a list of 100 hosts
ipa host-find $hostname - returns the details of the host
ipa host-find $partial-hostname - returns a list of hosts which 
have the search string inside their hostname

ipa hostgroup-find - returns a list of hostgroups
ipa hostgroup-find $hostgroupname - returns details of the hostgroup

Regards

Alex


If I understand correctly, you, as an admin group user, can search in 
the CLI and cannot search in the webUI? That is weird.


For the CLI part, IIRC this bug has been fixed in IPA 4.2; ACIs in DS 
disallow some queries from users that are not in the admin group.


Martin


Hi Martin,

yes, that's exactly right, we seem to be able to search in the CLI, 
provided we're in the admin group, or kinit to the admin user. For 
some reason though, searching in the UI brings back nothing at all. 
It works ok for users, but not for hosts, hostgroups, or DNS 
entries. All of the entries are there, they are listed in full when 
you visit the respective page, but even searching for a full 
hostname doesn't work, let alone part of it. CLI is always an option 
obviously, but we don't really want everyone who uses this to have 
to use the CLI, just to search for a hostname or DNS entry.

Please log in to the webUI as admin and try the search; in this case the 
search should work. If not, there is something broken.


I found related tickets:
https://fedorahosted.org/freeipa/ticket/5055
https://fedorahosted.org/freeipa/ticket/5130

But I found nothing about hosts and hostgroups; I will prepare a test 
environment and try.

Never mind, here is the hosts/hostgroup/service/netgroup ticket:
https://fedorahosted.org/freeipa/ticket/5167


I've also verified that replication of things like hosts and DNS 
entries is working perfectly well between the IPA4 and IPA3 servers. 
If I add a new DNS entry in IPA3, it shows up immediately in IPA4 
and I can then delete it in IPA4 and it's removed instantly from the 
IPA3 server.


Cheers

Alex








Hi Martin,

thanks for that, that does in fact seem to be the issue. As per your 
instructions, logging in as 'admin' to the UI allows the search feature 
to work. That does beg the question as to how my user can use its 
Kerberos ticket on the CLI, but not in the UI though? Either way, the 
fix for the issue looks to be trivial (replacing a few Python files by 
the looks of things), so I'll give that a go and at worst, I guess we 
may have to