On 03/18/2016 09:21 PM, Randy Morgan wrote:
> We have a FreeIPA Version 4.2 production installation that seems to have a
> limitation we cannot figure out how to overcome. Users cannot search, from the
> gui, for a specific user. The only users who can perform a search for a
> specific user are full-admins, everyone else the search option does not
> respond, meaning that if you click on the magnifying glass, nothing happens.
> We have a large number of groups, and they are managed by the group owner, who
> needs to be able to do a user search. This appears to be a permissions issue,
> but we are not sure what we need to change to make it so that we can assign
> search capability to specific user groups. Any help would be greatly
> appreciated.
Hello Randy,
What permissions have you defined to allow your group admins to administer the
groups?
On my RHEL-7.2 machine, I tried setting up delegation like that:
# kinit admin
Password for admin@RHEL72:
# ipa group-add lab
# ipa permission-add --type group --right write --filter "(cn=lab)" --attrs member can_manage_lab
# ipa user-add --first Lab --last Admin labadmin
# ipa passwd labadmin
# ipa role-add labadmin
# ipa privilege-add labadmin
# ipa role-add-member labadmin --users labadmin
# ipa role-add-privilege labadmin --privilege labadmin
# ipa privilege-add-permission labadmin --permissions labadmin
# ipa privilege-add-permission labadmin --permissions can_manage_lab
# ipa user-show labadmin
...
Roles: labadmin
# ipa user-add --first Lab --last User labuser1
# ipa user-add --first Lab --last User labuser2
# kinit labadmin
Password for labadmin@RHEL72:
Password expired. You must change it now.
Enter new password:
Enter it again:
# ipa group-add-member lab --users labuser1
Group name: lab
GID: 63241
Member users: labuser1
-
Number of members added 1
-
When I tried to achieve similar with labadmin on
https://ipa.rhel72/ipa/ui/#/e/group/member_user/lab
it worked for me as well and I was able to manage lab group members in the UI.
HTH,
Martin
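
An added example, not part of the message above and not FreeIPA code: a small Python audit that replays the delegation commands from the reply (copied into a constructed SESSION string) and resolves the user -> role -> privilege -> permission chain to list what a delegated admin actually ends up with. The helper names parse and audit are hypothetical, and a reference reported as dangling only means the permission is not created in the listed commands; it may already exist on the server.

```python
import shlex
from collections import defaultdict

# Constructed input: the delegation commands shown in the reply above.
SESSION = '''
ipa group-add lab
ipa permission-add --type group --right write --filter "(cn=lab)" --attrs member can_manage_lab
ipa user-add --first Lab --last Admin labadmin
ipa role-add labadmin
ipa privilege-add labadmin
ipa role-add-member labadmin --users labadmin
ipa role-add-privilege labadmin --privilege labadmin
ipa privilege-add-permission labadmin --permissions labadmin
ipa privilege-add-permission labadmin --permissions can_manage_lab
'''

def parse(line):
    """Split one `ipa` command into (subcommand, positional name, options)."""
    words = shlex.split(line)[1:]          # drop the leading "ipa"
    sub, opts, name, i = words[0], {}, None, 1
    while i < len(words):
        if words[i].startswith("--"):      # every option here takes one value
            opts[words[i][2:]] = words[i + 1]
            i += 2
        else:
            name = words[i]
            i += 1
    return sub, name, opts

def audit(session, user):
    """Return (effective permissions of `user`, references not created here)."""
    created = defaultdict(dict)            # kind -> name -> options
    links = defaultdict(set)               # (kind, name) -> linked names
    for line in filter(None, map(str.strip, session.splitlines())):
        sub, name, opts = parse(line)
        if sub.endswith("-add"):           # group-add, permission-add, ...
            created[sub[:-4]][name] = opts
        elif sub == "role-add-member":
            links[("user", opts["users"])].add(name)
        elif sub == "role-add-privilege":
            links[("role", name)].add(opts["privilege"])
        elif sub == "privilege-add-permission":
            links[("privilege", name)].add(opts["permissions"])
    effective, dangling = {}, []
    for role in links[("user", user)]:
        for priv in links[("role", role)]:
            for perm in sorted(links[("privilege", priv)]):
                if perm in created["permission"]:
                    effective[perm] = created["permission"][perm]
                else:
                    dangling.append(("permission", perm))
    return effective, dangling
```

Calling `audit(SESSION, "labadmin")` yields the single scoped grant (write on `member`, filtered to `cn=lab`), which is the least-privilege shape to look for when reviewing a group-owner delegation.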