FreeIPA version: freeipa-server-4.4.3-1.fc25.x86_64
When manipulating membership of external groups group-add command seems to skip --external option when deciding whether to prompt for users/groups to add to the group. This causes a minor UX inconvenience as you have to go through interactive prompt even if you do not want to add any other members.
group-add
--external
Steps to reproduce:
1.) install IPA server and establish trust with AD forest
2.) create a group allowing external users as members
# ipa group-add --external trust_users
3.) add an AD user to the group
# ipa group-add-member trust_users --external ADREALM\\testuser
Expected outcome:
Command completes successfully without prompting for members
Actual outcome:
The command keeps asking for members/groups but otherwise completes successfully:
# ipa group-add-member trust_users --external ADREALM\\testuser [member user]: [member group]: Group name: trust_users External member: S-1-5-21-3607537816-595259299-2709812834-1125 ------------------------- Number of members added 1 -------------------------
This is not a bug as the group can have both external and normal members. Use 'ipa -n' to get rid of the prompts if they aren't needed:
# ipa -n group-add-member my-external-users --external domain\ users@ad2016.test Group name: my-external-users External member: S-1-5-21-920843393-3978028112-2766342605-500, S-1-5-21-920843393-3978028112-2766342605-513 Member of HBAC rule: access-for-webfarm ------------------------- Number of members added 1 -------------------------
Metadata Update from @mbabinsk: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Hi,
Someone has put me onto this issue as it's causing them some confusion.
I think this should be reopened as it is a UX issue.
Adding -n isn't really an option. Because you have satisfied that you are adding a member (regardless of internal or external location of the member), then no prompt is required.
The UX should be:
These little details may not seem important, but they improve the experience of admins, they make us look professional, and it eases confusion to our consumers,
Thanks!
Login to comment on this ticket.