Re: [Freeipa-users] Directory Search Question

2016-03-21 Thread Martin Kosek
On 03/18/2016 09:21 PM, Randy Morgan wrote:
> We have a FreeIPA Version 4.2 production installation that seems to have a
> limitation we cannot figure out how to overcome.  Users cannot search, from
> the GUI, for a specific user.  The only users who can perform a search for a
> specific user are full admins; for everyone else, the search option does not
> respond, meaning that if you click on the magnifying glass, nothing happens.
> We have a large number of groups, and they are managed by the group owner, who
> needs to be able to do a user search.  This appears to be a permissions issue,
> but we are not sure what we need to change to make it so that we can assign
> search capability to specific user groups.  Any help would be greatly
> appreciated.

Hello Randy,

What permissions have you defined to allow your group admins to administer the
groups?

On my RHEL-7.2 machine, I tried setting up delegation like this:

# kinit admin
Password for admin@RHEL72:
# ipa group-add lab
# ipa permission-add --type group --right write --filter "(cn=lab)" --attrs member can_manage_lab

# ipa user-add --first Lab --last Admin labadmin
# ipa passwd labadmin
# ipa role-add labadmin
# ipa privilege-add labadmin
# ipa role-add-member labadmin --users labadmin
# ipa role-add-privilege labadmin --privilege labadmin
# ipa privilege-add-permission labadmin --permissions labadmin
# ipa privilege-add-permission labadmin --permissions can_manage_lab
# ipa user-show labadmin
...
  Roles: labadmin
# ipa user-add --first Lab --last User labuser1
# ipa user-add --first Lab --last User labuser2

# kinit labadmin
Password for labadmin@RHEL72:
Password expired.  You must change it now.
Enter new password:
Enter it again:
# ipa group-add-member lab --users labuser1
  Group name: lab
  GID: 63241
  Member users: labuser1
-
Number of members added 1
-

When I tried to achieve similar with labadmin on
https://ipa.rhel72/ipa/ui/#/e/group/member_user/lab
it worked for me as well and I was able to manage lab group members in the UI.

HTH,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
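
The delegation Martin walks through above, as an added example written for this thread (it is neither Martin's session nor FreeIPA project code): a POSIX shell function that builds the same permission -> privilege -> role chain for any group name. The generated names (can_manage_<group>, manage-<group>) and the IPA_CMD override are this script's own assumptions; it needs the ipa CLI and an admin ticket (kinit admin) to do anything real.

```shell
#!/bin/sh
# Added example, not code from the thread: the delegation typed by hand in the
# reply above, turned into one reusable function. The names it generates
# (permission "can_manage_<group>", privilege and role "manage-<group>") and
# the IPA_CMD override are this script's own assumptions, not FreeIPA
# conventions. Assumes the ipa CLI and a valid admin ticket when run for real.
set -eu

# IPA_CMD lets a dry run or a test substitute a stub for the real client.
IPA_CMD="${IPA_CMD:-ipa}"

# Least-privilege chain: permission -> privilege -> role -> user.
# The permission is scoped twice: --filter "(cn=<group>)" restricts it to one
# group entry, and --attrs member restricts it to that entry's membership, so
# the delegated admin cannot rename, delete, or touch any other group.
delegate_group_membership() {
    group="$1"
    admin_user="$2"
    perm="can_manage_${group}"
    priv="manage-${group}"
    role="manage-${group}"

    "$IPA_CMD" permission-add "$perm" --type group --right write \
        --filter "(cn=${group})" --attrs member
    "$IPA_CMD" privilege-add "$priv"
    "$IPA_CMD" privilege-add-permission "$priv" --permissions "$perm"
    "$IPA_CMD" role-add "$role"
    "$IPA_CMD" role-add-privilege "$role" --privilege "$priv"
    "$IPA_CMD" role-add-member "$role" --users "$admin_user"
}

# Usage: sh delegate.sh lab labadmin
# Afterwards, verify as the delegated user exactly as in the thread:
#   kinit labadmin && ipa group-add-member lab --users labuser1
if [ "$#" -eq 2 ]; then
    delegate_group_membership "$1" "$2"
fi
```

Running it with IPA_CMD pointing at a stub that echoes its arguments lets you review the exact grant before it touches the directory.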


[Freeipa-users] Directory Search Question

2016-03-18 Thread Randy Morgan
We have a FreeIPA Version 4.2 production installation that seems to have
a limitation we cannot figure out how to overcome.  Users cannot search,
from the GUI, for a specific user.  The only users who can perform a
search for a specific user are full admins; for everyone else, the search
option does not respond, meaning that if you click on the magnifying
glass, nothing happens.  We have a large number of groups, and they are
managed by the group owner, who needs to be able to do a user search.
This appears to be a permissions issue, but we are not sure what we need
to change to make it so that we can assign search capability to specific
user groups.  Any help would be greatly appreciated.


Randy

--
Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100