1972553 – User searching using UID does not work in idm Web UI

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1972553 - User searching using UID does not work in idm Web UI

Summary: User searching using UID does not work in idm Web UI

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-16 07:41 UTC by xifan
Modified:	2023-05-22 08:58 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-22 08:58:28 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7321	0	None	None	None	2021-11-10 14:40:15 UTC

Description xifan 2021-06-16 07:41:14 UTC

Description of problem:
  We could not search user using UID in IDM Web UI.

Version-Release number of selected component (if applicable):
  Red Hat Enterprise Linux 8

How reproducible:
  IDM Web UI -> Identiy -> Users -> Search user using UID

Actual results:
  The result is 'No entries.'

Expected results:
  The user owned the searching UID should be output.

Comment 1 Sunny Wu 2021-06-16 07:57:35 UTC

Equivalent command of the WebUI action is:
ipa user-find --uid=<uid>

Comment 2 Sunny Wu 2021-06-16 07:59:41 UTC

# rpm -qa | grep ipa | sort
ipa-client-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
ipa-client-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-healthcheck-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-healthcheck-core-0.7-3.module+el8.4.0+9007+5084bdd8.noarch
ipa-selinux-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
ipa-server-common-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-server-dns-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
ipa-server-trust-ad-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
libipa_hbac-2.4.0-9.el8.x86_64
python3-iniparse-0.4-31.el8.noarch
python3-ipaclient-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
python3-ipalib-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
python3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37.noarch
python3-libipa_hbac-2.4.0-9.el8.x86_64
redhat-logos-ipa-84.4-1.el8.noarch
sssd-ipa-2.4.0-9.el8.x86_64

Comment 3 Rob Crittenden 2021-06-16 14:50:54 UTC

This is easily reproducible.

The UI only searches using the attributes defined in user search fields found under IPA Server -> Configuration. uidnumber is not included by default.

The search field in general represents a difference between the capabilities of the UI and CLI. The CLI provides a couple of dozen attributes to search against as options. The UI only does the equivalent of ipa user-find <term>.

Not all data types will work with the user search fields, notably numeric ones, because of the way the LDAP filter is generated. This means that adding uidnumber to the search fields will not fix this. The generated filter contains (uidnumber="*<integer value>*") which isn't meaningful in an LDAP query of an integer.

The full query that was generated when I added uidnumber to the user search fields is:

[16/Jun/2021:08:47:04.249281910 -0400] conn=129 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=1 filter="(&(|(uid=*1743600001*)(givenName=*1743600001*)(sn=*1743600001*)(telephoneNumber=*1743600001*)(ou=*1743600001*)(title=*1743600001*)(uidNumber=*1743600001*))(objectClass=posixaccount))" attrs="ipaSshPubKey uid

One possible solution would be in the filter generator to check the syntax of the attribute and don't add wildcards if it is INTEGER (1.3.6.1.4.1.1466.115.121.1.27).

A more complex solution would be to create an Advanced Search in the UI to use the extended capabilities of the *-find commands.

Comment 4 Sunny Wu 2021-06-17 01:27:57 UTC

Thanks @rcritten 

Another related issue is the inconsistency of the term "uid". UID can represent username or uidnumber interchangeably. 

WebUI:
"User Login" = uid
"UID" = uidNumber

Command line:
ipa user-find --uid=<uid>   ====>>>> This search uidNumber

This is causing unnecessary confusion.

Comment 5 Rob Crittenden 2021-06-17 13:06:58 UTC

I'm not sure what the question is here but the LDAP schema for organizing users is something we don't have control over because we need to interoperate with other systems.

IPA uses a mapping to try to present a more modern view of the information but there are places, such as the search fields, where the actual names bleed through.

The show-mappings CLI command can be used to translate between naming (IPA name on the left, LDAP attribute on the right):

$ ipa show-mappings user-find |grep uid
login                : uid?
uid                  : uidnumber?

The question mark means this attribute is optional with the user-find command.

Comment 10 Carla Martinez 2023-05-22 08:58:28 UTC

This enhancement will be considered in the new WebUI only and the new ticket issue will be tracked here: https://github.com/freeipa/freeipa-webui/issues/106

Note You need to log in before you can comment on or make changes to this bug.