On 03/18/2016 09:21 PM, Randy Morgan wrote:
> We have a FreeIPA Version 4.2 production installation that seems to have a
> limitation we cannot figure out how to overcome. Users cannot search, from
> the gui, for a specific user. The only users who can perform a search for a
> specific user are full-admins, everyone else the search option does not
> respond, meaning that if you click on the magnifying glass, nothing happens.
> We have a large number of groups, and they are managed by the group owner, who
> needs to be able to do a user search. This appears to be a permissions issue,
> but we are not sure what we need to change to make it so that we can assign
> search capability to specific user groups. Any help would be greatly
> appreciated.

Hello Randy,

What permissions have you defined to allow your group admins to administer the groups? On my RHEL-7.2 machine, I tried setting up delegation like that:

# kinit admin
Password for admin@RHEL72:
# ipa group-add lab
# ipa permission-add --type group --right write --filter "(cn=lab)" --attrs member can_manage_lab
# ipa user-add --first Lab --last Admin labadmin
# ipa passwd labadmin
# ipa role-add labadmin
# ipa privilege-add labadmin
# ipa role-add-member labadmin --users labadmin
# ipa role-add-privilege labadmin --privilege labadmin
# ipa privilege-add-permission labadmin --permissions labadmin
# ipa privilege-add-permission labadmin --permissions can_manage_lab
# ipa user-show labadmin
...
  Roles: labadmin
# ipa user-add --first Lab --last User labuser1
# ipa user-add --first Lab --last User labuser2

# kinit labadmin
Password for labadmin@RHEL72:
Password expired. You must change it now.
Enter new password:
Enter it again:
# ipa group-add-member lab --users labuser1
  Group name: lab
  GID: 632400001
  Member users: labuser1
-------------------------
Number of members added 1
-------------------------

When I tried to achieve similar with labadmin on https://ipa.rhel72/ipa/ui/#/e/group/member_user/lab it worked for me as well and I was able to manage lab group members in the UI.

HTH,
Martin