Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1972553

Summary: User searching using UID does not work in idm Web UI
Product: Red Hat Enterprise Linux 9 Reporter: xifan
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED WONTFIX QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: carlmart, rcritten, suwu, tscherf
Target Milestone: rcKeywords: Desktop, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-22 08:58:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description xifan 2021-06-16 07:41:14 UTC 
Description of problem:
  We could not search user using UID in IDM Web UI.

Version-Release number of selected component (if applicable):
  Red Hat Enterprise Linux 8

How reproducible:
  IDM Web UI -> Identiy -> Users -> Search user using UID

Actual results:
  The result is 'No entries.'

Expected results:
  The user owned the searching UID should be output.
Comment 1 Sunny Wu 2021-06-16 07:57:35 UTC 
Equivalent command of the WebUI action is:
ipa user-find --uid=<uid>
Comment 2 Sunny Wu 2021-06-16 07:59:41 UTC 
# rpm -qa | grep ipa | sort
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
ipa-client-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
ipa-server-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-server-dns-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
libipa_hbac-2.4.0-9.el8.x86_64
python3-iniparse-0.4-31.el8.noarch
python3-ipaclient-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
python3-ipalib-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
python3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
python3-libipa_hbac-2.4.0-9.el8.x86_64
redhat-logos-ipa-84.4-1.el8.noarch
sssd-ipa-2.4.0-9.el8.x86_64
Comment 3 Rob Crittenden 2021-06-16 14:50:54 UTC 
This is easily reproducible.

The UI only searches using the attributes defined in user search fields found under IPA Server -> Configuration. uidnumber is not included by default.

The search field in general represents a difference between the capabilities of the UI and CLI. The CLI provides a couple of dozen attributes to search against as options. The UI only does the equivalent of ipa user-find <term>.

Not all data types will work with the user search fields, notably numeric ones, because of the way the LDAP filter is generated. This means that adding uidnumber to the search fields will not fix this. The generated filter contains (uidnumber="*<integer value>*") which isn't meaningful in an LDAP query of an integer.

The full query that was generated when I added uidnumber to the user search fields is:

[16/Jun/2021:08:47:04.249281910 -0400] conn=129 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=1 filter="(&(|(uid=*1743600001*)(givenName=*1743600001*)(sn=*1743600001*)(telephoneNumber=*1743600001*)(ou=*1743600001*)(title=*1743600001*)(uidNumber=*1743600001*))(objectClass=posixaccount))" attrs="ipaSshPubKey uid

One possible solution would be in the filter generator to check the syntax of the attribute and don't add wildcards if it is INTEGER (1.3.6.1.4.1.1466.115.121.1.27).

A more complex solution would be to create an Advanced Search in the UI to use the extended capabilities of the *-find commands.
Comment 4 Sunny Wu 2021-06-17 01:27:57 UTC 
Thanks @rcritten 

Another related issue is the inconsistency of the term "uid". UID can represent username or uidnumber interchangeably. 

WebUI:
"User Login" = uid
"UID" = uidNumber

Command line:
ipa user-find --uid=<uid>   ====>>>> This search uidNumber

This is causing unnecessary confusion.
Comment 5 Rob Crittenden 2021-06-17 13:06:58 UTC 
I'm not sure what the question is here but the LDAP schema for organizing users is something we don't have control over because we need to interoperate with other systems.

IPA uses a mapping to try to present a more modern view of the information but there are places, such as the search fields, where the actual names bleed through.

The show-mappings CLI command can be used to translate between naming (IPA name on the left, LDAP attribute on the right):

$ ipa show-mappings user-find |grep uid
login                : uid?
uid                  : uidnumber?

The question mark means this attribute is optional with the user-find command.
Comment 10 Carla Martinez 2023-05-22 08:58:28 UTC 
This enhancement will be considered in the new WebUI only and the new ticket issue will be tracked here: https://github.com/freeipa/freeipa-webui/issues/106