Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
- Original Message - Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat documentation not suggested the replicas must have the same version. I think the link that put me off from replicating was: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html Looking at the link more closely I now see this applies to version 1.2 ., but from the page itself that was not obvious. it would be great if the version to which the IPA documentation applies was more obvious I am sure I am not the only user who enters the documentation via a search engine. We really need to remove this version 1.x documentation, it is giving too much confusion. Use documentation at the Red Hat Customer Portal: - versions 3.3 and onwards: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html - version 3.0: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html We have all proper links gathered at http://www.freeipa.org/page/Documentation, it has these links and even more, including HOWTOs for integration with other software. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat documentation not suggested the replicas must have the same version. I think the link that put me off from replicating was: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html Looking at the link more closely I now see this applies to version 1.2 ., but from the page itself that was not obvious. it would be great if the version to which the IPA documentation applies was more obvious I am sure I am not the only user who enters the documentation via a search engine. The missing buttons turns out to be down to the fact that the admin group was not migrated, as it is present on both old and new, so while the old admin users were migrated (together with membership of all other groups), they were not added to the admin group on the new instance. I should have realised this sooner! # ipa user-show User login: . Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, smb-all, smb-implementation, dba, users # ipa user-show admin . Member of groups: ipausers, trust admins, adminonly, admins Adding old admin user via cli: # ipa group-add-member admins --users= # ipa user-show Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, admins, smb-all, smb-implementation, dba, users I guess that when the Web UI decides to cooperate, and let me in without your session has expired error (see other ticket), I will have the missing buttons Thanks for the help Chris From: Rob Crittenden rcrit...@redhat.com To: d...@redhat.com, freeipa-users@redhat.com Date: 25.04.2015 07:05 Subject:Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons Sent by:freeipa-users-boun...@redhat.com Dmitri Pal wrote: On 04/24/2015 12:58 PM, Christopher Lamb wrote: Hi I am in the process of setting up and configuring a FreeIPA Server 4.1.0. I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command: ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://ldap url of new server:389 When I log into the 4.1.0 Web UI, with the default admin user, on the Identity/Users overview page, I have buttons for Delete, Add, Enable, Disable etc. If I log in with an imported admin user, these buttons are missing. If I log into the old 3.0.0 Web UI, these buttons are available with both users. This is most likely because the permissions changed in 4.0 and old admin does not have the privileges that are now default in 4.1. He migrated rather than upgrading so this doesn't apply. So the question is: why did you migrate and not create a replica with 4.x and migrate that way? One needs to be a member of the admins group to be an admin, I'd start there. p.s. it would be great if the syntax for an IPA old to IPA new migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format . There is a ticket for this but the expected upgrade path is to install a replica on the new version and once things are confirmed to be working, decommission the older ones. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
On 04/25/2015 03:12 AM, Christopher Lamb wrote: Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat documentation not suggested the replicas must have the same version. I think the link that put me off from replicating was: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html Looking at the link more closely I now see this applies to version 1.2 ., but from the page itself that was not obvious. it would be great if the version to which the IPA documentation applies was more obvious I am sure I am not the only user who enters the documentation via a search engine. The missing buttons turns out to be down to the fact that the admin group was not migrated, as it is present on both old and new, so while the old admin users were migrated (together with membership of all other groups), they were not added to the admin group on the new instance. I should have realised this sooner! # ipa user-show User login: . Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, smb-all, smb-implementation, dba, users # ipa user-show admin . Member of groups: ipausers, trust admins, adminonly, admins Adding old admin user via cli: # ipa group-add-member admins --users= # ipa user-show Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, admins, smb-all, smb-implementation, dba, users I guess that when the Web UI decides to cooperate, and let me in without your session has expired error (see other ticket), I will have the missing buttons Thanks for the help Chris From: Rob Crittenden rcrit...@redhat.com To: d...@redhat.com, freeipa-users@redhat.com Date: 25.04.2015 07:05 Subject:Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons Sent by:freeipa-users-boun...@redhat.com Dmitri Pal wrote: On 04/24/2015 12:58 PM, Christopher Lamb wrote: Hi I am in the process of setting up and configuring a FreeIPA Server 4.1.0. I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command: ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://ldap url of new server:389 When I log into the 4.1.0 Web UI, with the default admin user, on the Identity/Users overview page, I have buttons for Delete, Add, Enable, Disable etc. If I log in with an imported admin user, these buttons are missing. If I log into the old 3.0.0 Web UI, these buttons are available with both users. This is most likely because the permissions changed in 4.0 and old admin does not have the privileges that are now default in 4.1. He migrated rather than upgrading so this doesn't apply. So the question is: why did you migrate and not create a replica with 4.x and migrate that way? One needs to be a member of the admins group to be an admin, I'd start there. p.s. it would be great if the syntax for an IPA old to IPA new migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format . There is a ticket for this but the expected upgrade path is to install a replica on the new version and once things are confirmed to be working, decommission the older ones. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project I do not know what we can do about the old documentation. It is there but we can't prevent users from finding it. We communicated several times on the list and wiki that the most up to date documentation to use in the on the Red Hat documentation portal [1] as we do no have resources to maintain upstream and downstream versions of the documentation at the same time. It is better to have one up to date set of documentation than to have two incomplete ones. [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/ (see bottom of the page) -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
Hi Dmitri I understand, maintaining documentation over multiple versions is hard work. You certainly don't want to prevent users from finding old documentation - as it is important for those of us still running old versions in production, but it would be great if it was immediately clear which version it applies to. Had that been the case, I might have clicked earlier, and sought out the equivalent pages in the current docus. Ideally each page would be clearly marked with the version(s) it applies to. As a side note, I tend to search via google (e.g. FreeIPA replicate), and have been using a mixture of Red-hat, Fedora and FreeIPA branded documentation. thanks for your help Chris From: Dmitri Pal d...@redhat.com To: Christopher Lamb/Switzerland/IBM@IBMCH, Rob Crittenden rcrit...@redhat.com Cc: freeipa-users@redhat.com Date: 25.04.2015 15:08 Subject:Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons On 04/25/2015 03:12 AM, Christopher Lamb wrote: Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat documentation not suggested the replicas must have the same version. I think the link that put me off from replicating was: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html Looking at the link more closely I now see this applies to version 1.2 ., but from the page itself that was not obvious. it would be great if the version to which the IPA documentation applies was more obvious I am sure I am not the only user who enters the documentation via a search engine. The missing buttons turns out to be down to the fact that the admin group was not migrated, as it is present on both old and new, so while the old admin users were migrated (together with membership of all other groups), they were not added to the admin group on the new instance. I should have realised this sooner! # ipa user-show User login: . Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, smb-all, smb-implementation, dba, users # ipa user-show admin . Member of groups: ipausers, trust admins, adminonly, admins Adding old admin user via cli: # ipa group-add-member admins --users= # ipa user-show Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, admins, smb-all, smb-implementation, dba, users I guess that when the Web UI decides to cooperate, and let me in without your session has expired error (see other ticket), I will have the missing buttons Thanks for the help Chris From: Rob Crittenden rcrit...@redhat.com To:d...@redhat.com, freeipa-users@redhat.com Date: 25.04.2015 07:05 Subject: Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons Sent by: freeipa-users-boun...@redhat.com Dmitri Pal wrote: On 04/24/2015 12:58 PM, Christopher Lamb wrote: Hi I am in the process of setting up and configuring a FreeIPA Server 4.1.0. I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command: ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://ldap url of new server:389 When I log into the 4.1.0 Web UI, with the default admin user, on the Identity/Users overview page, I have buttons for Delete, Add, Enable, Disable etc. If I log in with an imported admin user, these buttons are missing. If I log into the old 3.0.0 Web UI, these buttons are available with both users. This is most likely because the permissions changed in 4.0 and old admin does not have the privileges that are now default in 4.1. He migrated rather than upgrading so this doesn't apply. So the question is: why did you migrate and not create a replica with 4.x and migrate that way? One needs to be a member of the admins group to be an admin, I'd start there. p.s. it would be great if the syntax for an IPA old to IPA new migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format . There is a ticket for this but the expected upgrade path is to install a replica on the new version and once things are confirmed to be working, decommission the older ones. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project I do not know what we can do about the old documentation. It is there but we can't prevent users from finding it. We communicated several times on the list and wiki
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
On 04/24/2015 12:58 PM, Christopher Lamb wrote: Hi I am in the process of setting up and configuring a FreeIPA Server 4.1.0. I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command: ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://ldap url of new server:389 When I log into the 4.1.0 Web UI, with the default admin user, on the Identity/Users overview page, I have buttons for Delete, Add, Enable, Disable etc. If I log in with an imported admin user, these buttons are missing. If I log into the old 3.0.0 Web UI, these buttons are available with both users. This is most likely because the permissions changed in 4.0 and old admin does not have the privileges that are now default in 4.1. thanks Chris Lamb p.s. it would be great if the syntax for an IPA old to IPA new migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format . -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
Dmitri Pal wrote: On 04/24/2015 12:58 PM, Christopher Lamb wrote: Hi I am in the process of setting up and configuring a FreeIPA Server 4.1.0. I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command: ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://ldap url of new server:389 When I log into the 4.1.0 Web UI, with the default admin user, on the Identity/Users overview page, I have buttons for Delete, Add, Enable, Disable etc. If I log in with an imported admin user, these buttons are missing. If I log into the old 3.0.0 Web UI, these buttons are available with both users. This is most likely because the permissions changed in 4.0 and old admin does not have the privileges that are now default in 4.1. He migrated rather than upgrading so this doesn't apply. So the question is: why did you migrate and not create a replica with 4.x and migrate that way? One needs to be a member of the admins group to be an admin, I'd start there. p.s. it would be great if the syntax for an IPA old to IPA new migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format . There is a ticket for this but the expected upgrade path is to install a replica on the new version and once things are confirmed to be working, decommission the older ones. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project