Hi Scott, we had a similar issue one year ago. When IPA was deployed in CA-less mode, only parts of the "user" web page were properly filled: *#8203 <https://pagure.io/freeipa/issue/8203>* User page on WebUi only has half the information in CA-less install *Bug 1835853* <https://bugzilla.redhat.com/show_bug.cgi?id=1835853> - No user authentication type in web ui *Bug 1884819* <https://bugzilla.redhat.com/show_bug.cgi?id=1884819> - IdM Web UI shows users as disabled
The above issues were fixed (don't try to call PKI api if PKI is not installed) but we are probably not handling properly the case where calls to PKI throw exceptions. Thanks for your description of the issue and resolution as it will help us improve the robustness. The issue has been reported at #9090 <https://pagure.io/freeipa/issue/9090> WebUI does not display all the user's attributes when it fails to communicate with PKI server. flo On Thu, Jan 20, 2022 at 8:52 PM Scott Serr via FreeIPA-users < [email protected]> wrote: > > On 1/17/22 10:59 AM, Rob Crittenden wrote: > > Scott Serr via FreeIPA-users wrote: > >> On 1/12/22 11:43 AM, Rob Crittenden wrote: > >> > >>> Scott Serr via FreeIPA-users wrote: > >>>> Attributes in the Employee Information section of the user web page > >>>> are blank following a series of OS/IPA updates. > >>>> The "ipa user-find --all" cli command shows these attributes fine. > >>>> > >>>> Specifically (in my case): > >>>> Department Number > >>>> Employee Number > >>>> Employee Type > >>>> > >>>> I'm wondering if anyone else has seen this. Trying to find a small > >>>> test case, I've found 1 of my development VMs that has some > >>>> snapshots. It's Rocky 8. It has seen OS/IPA updates frequently in > >>>> the last month. This VM also has a snapshot on December 8th. > >>>> > >>>> Now I have 3 clones of this VM (at different snapshot times): > >>>> dev-current -- fails to show these attributes on user web page > >>>> dev-dec8 -- shows these attributes > >>>> dev-dec8-updated-to-current -- shows these attributes > >>>> > >>>> The system is mainly used to test updates, data remains the same. > >>>> The only difference I can think of is "dev-current" has had > >>>> *incremental* OS/IPA updates between Dec 8th and now. > >>>> > >>>> I'm combing through a filesystem diff, trying to figure out why they > >>>> behave differently, /usr/share/ipa appears to be the same. Something > >>>> else odd: "dev-current" has a new section "User attributes for SMB > >>>> services" on the user web page. The dev-dec8 and > >>>> dev-dec8-updated-to-current states/VMs don't have this section on the > >>>> user web page. > >>>> > >>>> Interested in any troubleshooting ideas, or ideas of why this is > >>>> happening. > >>>> > >>>> Thank you, > >>>> Scott > >>>> > >>>> dnf.log shows dev-current had an update to 4.9.6-6 that the other > clone > >>>> (dev-dec8-updated) did not. > >>>> It looks like 4.9.6-6, although replaced has created this lingering > problem. > >>>> > >>>> dev-dec8-updated > >>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded: > >>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64 > >>>> 2022-01-11T12:07:55-0700 DEBUG Upgraded: > >>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64 > >>>> > >>>> dev-current > >>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded: > >>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64 > >>>> 2021-12-08T11:34:23-0700 DEBUG Upgraded: > >>>> ipa-server-4.9.6-6.module+el8.5.0+675+61f67439.x86_64 > >>>> 2021-12-21T09:55:41-0700 DEBUG Upgraded: > >>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64 > >>>> > >>> I don't quite follow what you're trying to ask. Are these two separate > >>> systems? Do both show the same behavior? > >>> > >>> Does the information show in the cli? ipa user-show --all someuser > >>> > >>> Do/did you have any custom plugins? > >>> > >>> What exact attributes are not displaying? > >>> > >>> rob > >>> > >> I'm sorry Rob, yesterday my web email client didn't do well with > >> threading, I've tried to fix the thread. > >> > >> These are clones of the same system, early on Dec 8th they were the same > >> and since then took 2 different upgrade paths. (I only power up 1 at a > >> time because of IPs and hostnames) > >> > >> dev-dec8-updated > >> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4 > >> 2022-01-11T12:07:55-0700 DEBUG Upgraded: ipa-server-4.9.6-10 > >> > >> dev-current > >> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4 > >> 2021-12-08T11:34:23-0700 DEBUG Upgraded: ipa-server-4.9.6-6 > >> 2021-12-21T09:55:41-0700 DEBUG Upgraded: ipa-server-4.9.6-10 > >> > >> The "dev-current" has gone down a different upgrade path from > "dev-dec8-updated" but they arrive at the same place (4.9.6-10). It > appears that 4.9.6-6 has caused the issue. The issue being those > attributes in Employee Information section of the web page. > >> > >> These clone VMs did have a simple custom plugin. It was > /usr/share/ipa/ui/js/plugins/myplugin/myplugin.js. I removing the custom > plugin (from dev-current), but that didn't fix the missing attributes on > the web page. Maybe there is some caching that I need to clear. Very well > could be something from our custom plugin, is there anything tricky to back > it out? > >> > >> "ipa user-show --all me" shows Employee Type, Employee Number, and > Department Number properly. > > I'm at a loss. The best I can suggest is to try the browser debugger to > > see if you can tell what is happening. The data should be available > > based on the cli (the ui uses the same interfaces). > > > > As for removing it I think that removing the javascript, restarting > > Apache and doing a force reload in the browser should do it. > > > > rob > > Rob, this may surprise you, it did me. > > I set out to create a brand new replica on our production cluster. My > intent was to disconnect it from the cluster and do tests. I was not > able to do make the replica, I kept getting errors running > ipa-replica-install. I saw: > > ipa: ERROR: Certificate operation cannot be completed: Request failed with > status 403: Non-2xx response from CA REST API: 403. (403) > > I had to fix this before I could continue. You are well aware of the > recent issue: > > Bug 2006070 - Upgrades incorrectly add secret attribute to connectors > https://bugzilla.redhat.com/show_bug.cgi?id=2006070 > (First, I found at least 4 threads on this mailing list directly > connected to this issue. I'm thankful!) > > I saw that my VM clone (discussed above in the thread) that skipped over > ipa-server-4.9.6-6 update, only had secret= and did not have > requiredSecret=. I removed requiredSecret from a member of the > production cluster. PKI/certs worked! And low and behold, my web > interface now shows attribute values for Employee Type, Employee Number, > and Department Number. It also no longer shows the SMB section, like we > are used to. > > (In our environment we don't make use of PKI functionality on our > clients yet, otherwise I'd probably notice this breakage much earlier.) > > I'm hopeful this clears up all my issues. I wanted the list to know the > fix. > > Thanks for you help! > Scott > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
