Description of problem:
I have created a user in a test instance:

[root@ipa01 ~]# id falko
uid=1612200003(falko) gid=1612200003(falko) groups=1612200003(falko),1612200001(ipausers),1612200004(ttt.admin),1612200000(admins)

The user is in the group 'admin', because the group 'ttt.admin' is listed in the member groups of 'admin'. While this works fine with ldap/sssd, the WebUI seems to not check the nested groups. If I directly add my test user to the group 'admin', the WebUI correctly displays the Admin options.

Version-Release number of selected component (if applicable):

[root@ipa01 ~]# id falko
uid=1612200003(falko) gid=1612200003(falko) groups=1612200003(falko),1612200001(ipausers),1612200004(p4t.admin),1612200000(admins)

How reproducible:
Always.

Steps to Reproduce:
* Install freeipa-server
* Create a group 'xxx'
* Add 'xxx' group to 'admin' group
* Create user 'asdf'
* Add 'asdf' user to the 'xxx' group
* id 'asdf' will show both groups
* WebUI will only display the user web interface

Actual results:
* WebUI seems not to check the nested groups.

Expected results:
* WebUI should also check the nested groups.

Additional info:
This is not a fatal problem, since there aren't so many IPA admins, of course, and we can add those users directly to the 'admin' group. However, it would be convenient.
Update: Version-Release number of selected component (if applicable):

[root@ipa01 ~]# rpm -q freeipa-server
freeipa-server-2.0.1-2.fc15.i686

(Used the wrong buffer)
Question ... there are radio buttons for direct and indirect members now ... are you selecting indirect members to see user asdf as an indirect member of admin group? This is working for me.
Created attachment 511940: indirect member of a group
Your different looks different to mine... 8-/ However, the user is - of course - an indirect member, since it is direct member in the group 'xxx', and 'xxx' group is member in the 'admin' group. As already said. Again, it's not a problem that the user doesn't belong to the group when it comes to ldap queries or if you check the user using the WebUI. But if you log in with the user, you only see the user UI and not the admin UI...
Created attachment 512200: screenshot of admin user logged in

I see what you mean now ....
Fixed upstream in http://git.fedorahosted.org/git/?p=freeipa.git;a=commit;h=04753403445dd5b73baa1422206b5ca352281e4a
I cannot apply this patch with my current version (freeipa-server-2.0.1-2.fc15).
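Added example, not part of the original bug thread and not FreeIPA's code: a minimal Python sketch of the difference the report describes between a direct-only membership check and one that follows nested groups when choosing which UI to show. The directory contents, the function names and the "self-service" label are assumptions constructed for illustration; the group and user names 'xxx' and 'asdf' follow the reproduction steps.

```python
# Constructed sample directory (not real FreeIPA data): each group maps to
# its direct members; a member may be a user or another group.
GROUPS = {
    "admins": {"admin", "xxx"},      # 'xxx' is nested inside 'admins'
    "xxx": {"asdf"},                 # 'asdf' is only a direct member of 'xxx'
    "ipausers": {"asdf", "admin", "loop_a"},
    "loop_a": {"loop_b"},            # membership cycle, to exercise the guard
    "loop_b": {"loop_a"},
}


def is_direct_member(principal, group, groups=GROUPS):
    """Direct-only check: mirrors the behaviour the report observes."""
    return principal in groups.get(group, set())


def is_member(principal, group, groups=GROUPS):
    """Direct or indirect membership, following nested groups iteratively."""
    seen = set()                     # visited groups; stops cycles looping
    stack = [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        members = groups.get(current, set())
        if principal in members:
            return True
        # Descend only into members that are themselves groups.
        stack.extend(m for m in members if m in groups)
    return False


def ui_role(principal, check=is_member):
    """Pick the UI to present based on membership of 'admins'."""
    return "admin" if check(principal, "admins") else "self-service"


if __name__ == "__main__":
    for user in ("admin", "asdf"):
        print(user, ui_role(user, is_direct_member), ui_role(user))
```

An authorization decision and the directory's own membership resolution should agree; when they differ, as in the report, a user can hold a privilege in LDAP that the front end does not reflect, or the reverse.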