| Summary: | ipa user-find --manager does not find matches | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | jgalipea, mkosek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-3.0.0-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 09:09:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Scott Poore
2012-01-12 23:46:40 UTC
Hey Scott: The default user search attributes do not include manager. # ipa config-show Max. username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain for new users: testrelm Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title <=============== Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=TESTRELM Password Expiration Notification (days): 4 You could modify this and check that the user is found if the search attributes include manager. # ipa config-mod --usersearch="uid,givenname,sn,telephonenumber,ou,title,manager" Max. username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain for new users: testrelm Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title,manager Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=TESTRELM Password Expiration Notification (days): 4 No, the problem is that the data is stored as a DN and we are not converting the manager value into a DN before creating the filter. In this case we do a query like this: (&(objectClass=posixaccount)(manager=testmanager)) We need to convert the incoming manager value into a DN before creating the search filter. As a demonstration, this will work (but is unwieldy): ipa user-find testuser --manager="uid=testmanager,cn=users,cn=accounts,dc=testrelm" When no options are provided to a find then the default search fields are used. When some criteria is provided we use only that. Got it ... bug :-) Upstream ticket: https://fedorahosted.org/freeipa/ticket/2264 Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/557b2605503738f25d9c89e8b51d1832b24d5636 ipa-3-0: https://fedorahosted.org/freeipa/changeset/cbfe062a5cbe44d346754c5cb2643bbb23b375d7 Verified. Version :: [root@vm1 quickinstall]# rpm -q ipa-server ipa-server-3.0.0-2.el6.x86_64 Manual Test Results :: [root@vm1 quickinstall]# ipa user-add --first=first --last=last testmanager ------------------------ Added user "testmanager" ------------------------ User login: testmanager First name: first Last name: last Full name: first last Display name: first last Initials: fl Home directory: /home/testmanager GECOS field: first last Login shell: /bin/sh Kerberos principal: testmanager Email address: testmanager UID: 378000001 GID: 378000001 Password: False Kerberos keys available: False [root@vm1 quickinstall]# ipa user-add --first=first --last=last testuser --------------------- Added user "testuser" --------------------- User login: testuser First name: first Last name: last Full name: first last Display name: first last Initials: fl Home directory: /home/testuser GECOS field: first last Login shell: /bin/sh Kerberos principal: testuser Email address: testuser UID: 378000003 GID: 378000003 Password: False Kerberos keys available: False [root@vm1 quickinstall]# ipa user-mod testuser --manager=testmanager ------------------------ Modified user "testuser" ------------------------ User login: testuser First name: first Last name: last Home directory: /home/testuser Login shell: /bin/sh Email address: testuser UID: 378000003 GID: 378000003 Manager: testmanager Account disabled: False Password: False Member of groups: ipausers Kerberos keys available: False [root@vm1 quickinstall]# ipa user-find testuser --manager=testmanager -------------- 1 user matched -------------- User login: testuser First name: first Last name: last Home directory: /home/testuser Login shell: /bin/sh Email address: testuser UID: 378000003 GID: 378000003 Manager: testmanager Account disabled: False Password: False Kerberos keys available: False ---------------------------- Number of entries returned 1 ---------------------------- Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html |