RHEL-21898

[RFE] Allow simple wildcard search in IPA

    • Story
    • Resolution: Unresolved
    • Minor
    • ipa
    • Minor
    • sst_idm_ipa
    • ssg_idm
    • Red Hat Enterprise Linux

      Goal

      • As a user, I want to be able to search users, groups and hosts using simple requests with wildcards. In big IPA deployments, host and user counts easily add up to 100'000, and with the adoption of containers this is likely to increase. If customers use naming rules, they need to filter out specific patterns, and this is best done with a request like
      ipa host-find client*
      • Possible limitations:
        • We don't need to introduce full regex, only the * wildcard, as it's supported by LDAPv3;
        • We can't allow requests like these for strings with less than 3 characters, as such searches will not be filtered;
        • We don't need to introduce manual LDAP filters to the commands, as that can degrade DS performance if used 'greedy'.
      • Background:
        • Currently, all searches that include '*' escape this character to '\2A'
        • All requests like
      ipa host-find ipa

      generate an LDAP filter like

      filter="(&(|(fqdn=*ipa*)(description=*ipa*)(l=*ipa*)(nsHostLocation=*ipa*)(krbCanonicalName=*ipa*)(krbPrincipalName=*ipa*)(nsHardwarePlatform=*ipa*)(nsOsVersion=*ipa*)(managedBy=*ipa*))(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice)))"

      The idea is that if our request length is > 3, and it contains '*', e.g.

      ipa host-find ipa*

      it would result in a request filter like

      filter="(&(|(fqdn=ipa*)(description=ipa*)(l=*ipa*)(nsHostLocation=ipa*)(krbCanonicalName=ipa*)(krbPrincipalName=ipa*)(nsHardwarePlatform=ipa*)(nsOsVersion=ipa*)(managedBy=ipa*))(&(objectClass=ipaobject)(objectClass=nshost)(objectClass=ipahost)(objectClass=pkiuser)(objectClass=ipaservice)))"

      that will search with the wildcard as the user intended.

      Acceptance Criteria

      This feature should be possible via

      • API
      • CLI
      • WebUI

      for commands like

      • host_find
      • user_find
      • group_find

      should be able to:

      • search the request with the wildcard as provided if str.len()>3
      • show a warning and do not search if the request contains '*' and str.len()<=3
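
Added example, not part of the original issue and not FreeIPA code: a Python sketch of the filter-value handling requested above. It keeps `*` as a wildcard while still escaping every other LDAP filter metacharacter, so a term cannot break out of its `(attr=value)` clause. The function names, `MIN_LITERAL` and the choice to count only non-wildcard characters (so `****` is rejected) are assumptions; the objectClass half of the filter is omitted.

```python
import re

# Attribute list copied from the host-find filter quoted in the issue.
HOST_ATTRS = ("fqdn", "description", "l", "nsHostLocation", "krbCanonicalName",
              "krbPrincipalName", "nsHardwarePlatform", "nsOsVersion", "managedBy")
MIN_LITERAL = 3  # assumption: fewest non-wildcard characters allowed with '*'

# RFC 4515 filter escapes; '*' -> '\2a' is the escape the issue mentions.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape(text):
    """Escape every character that is special in an LDAP filter value."""
    return "".join(_ESC.get(ch, ch) for ch in text)


def value_pattern(term, wildcards=True):
    """Return the right-hand side of (attr=...) for a user-supplied term.

    wildcards=False models the behaviour described under Background: '*' is
    escaped and the term is matched as a substring. With wildcards=True the
    stars stay wildcards and every other character is still escaped.
    """
    if not wildcards or "*" not in term:
        return "*" + escape(term) + "*"
    parts = re.split(r"\*+", term)  # a run of '*' counts as one wildcard
    if sum(len(p) for p in parts) < MIN_LITERAL:
        raise ValueError("wildcard search needs at least %d other characters"
                         % MIN_LITERAL)
    return "*".join(escape(p) for p in parts)


def host_filter(term, attrs=HOST_ATTRS, wildcards=True):
    """Build the OR clause of the search filter over the host attributes."""
    pattern = value_pattern(term, wildcards)
    return "(|" + "".join("(%s=%s)" % (a, pattern) for a in attrs) + ")"
```

A caller would catch the `ValueError` and turn it into the warning the acceptance criteria ask for instead of sending the search.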

            frenaud@redhat.com Florence Renaud
            rhn-support-asharov Aleksandr Sharov
            Florence Renaud
            IPA QE Bot