Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

Awesome!  Thank you.

On Wed, Feb 1, 2017 at 12:05 PM, Florence Blanc-Renaud  wrote:
> On 02/01/2017 05:47 PM, Steve Huston wrote:
>>
>> Would it be better to file this as a new bug, or reopen 4291?
>>
> Hi,
>
> we are already aware of the problem and working on a fix (please see
> https://bugzilla.redhat.com/show_bug.cgi?id=1398600 and
> https://fedorahosted.org/freeipa/ticket/6575).
>
> HTH,
> Flo.
>
>
>> On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston
>>  wrote:
>>>
>>> Seems like this is to blame:
>>> https://fedorahosted.org/freeipa/ticket/4291
>>>
>>> The checkin says, "Installation in pure IPv6 environment failed
>>> because pki-tomcat tried to use
>>> IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4
>>> fixes this issue."  However it would seem that in a pure IPv4
>>> environment, this is causing tomcat to fail to load.
>>>
>>> On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston
>>>  wrote:

 What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml?

 

 >>> address="::1" />

 Doesn't work so well on a host without IPv6 turned on...

 Jan 31 14:26:59 ipa server: PKIListener:
 org.apache.catalina.core.StandardServer[before_init]
 Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point
 associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
 Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family
 unavailable

 On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston
  wrote:
>
> Stranger, I did an install on a different VM with the CentOS 7 minimal
> ISO, then installed ipa-server and enough things to get X11 and
> Firefox, ran ipa-server-install and it worked fine.  I tested with
> Firefox (and Safari) against my failing installation and it still
> fails.  So there's something else different that's causing it to
> break.  Will continue investigating, but if someone knows why the UI
> would break this way it would be helpful to know where to look!
>
> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
>  wrote:
>>
>> Just did it again with the same result.  Reinstalled the machine, then
>> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
>> version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
>> ipa-server-install as I used before, only without --mkhomedir this
>> time.  After entering the passwords for directory administrator and
>> the admin user, I then logged in to the web interface, immediately
>> clicked "add" and added a user 'foobar'.  When I clicked "add and
>> edit" and was brought to the user information page, it looks like this
>> at the bottom:
>>
>>
>> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
>>
>> I then entered an employee number of '0001' just to give something to
>> save, and clicked save.  The screen now shows this (I've clicked the
>> drop-down on the manager field so the choices are visible):
>>
>>
>> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
>>
>> Holding shift and clicking reload, the page now looks like this (the
>> employee number field is also blank again):
>>
>>
>> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
>>
>> Since we do run a repackaged distribution here (Springdale Linux), I
>> just unpacked ipa-server-common from our repository with the above
>> version, and
>> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
>> and 'diff' found zero differences between them.  Unlikely, but I
>> wanted to rule out a packaging error causing the problem.
>>
>> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
>>  wrote:
>>>
>>> No, that should be all of the major changes; the puppet module that
>>> installs things only puts the two plugin files in their respective
>>> places.  The client part of the IPA module makes changes to have the
>>> machine join the domain and whatnot, but those shouldn't affect the
>>> webui.
>>>
>>> I do modify the schema by adding some attribute types for Puppet,
>>> namely puppetClass, parentNode, environment, puppetVar, and the
>>> object
>>> class puppetClient.  That's basically right from one of the Puppet
>>> webpages and also worked in the past - and is one of the things the
>>> python plugin does, add the appropriate objectclass to host entries
>>> if
>>> puppetVar is added to a host entry.
>>>
>>> My steps to install:
>>> * ipa-server-install --realm= --domain= --mkhomedir
>>> --hostname= 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Florence Blanc-Renaud]

On 02/01/2017 05:47 PM, Steve Huston wrote:

Would it be better to file this as a new bug, or reopen 4291?


Hi,

we are already aware of the problem and working on a fix (please see 
https://bugzilla.redhat.com/show_bug.cgi?id=1398600 and 
https://fedorahosted.org/freeipa/ticket/6575).


HTH,
Flo.


On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston
 wrote:

Seems like this is to blame:  https://fedorahosted.org/freeipa/ticket/4291

The checkin says, "Installation in pure IPv6 environment failed
because pki-tomcat tried to use
IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4
fixes this issue."  However it would seem that in a pure IPv4
environment, this is causing tomcat to fail to load.

On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston
 wrote:

What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml?





Doesn't work so well on a host without IPv6 turned on...

Jan 31 14:26:59 ipa server: PKIListener:
org.apache.catalina.core.StandardServer[before_init]
Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point
associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family
unavailable

On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston
 wrote:

Stranger, I did an install on a different VM with the CentOS 7 minimal
ISO, then installed ipa-server and enough things to get X11 and
Firefox, ran ipa-server-install and it worked fine.  I tested with
Firefox (and Safari) against my failing installation and it still
fails.  So there's something else different that's causing it to
break.  Will continue investigating, but if someone knows why the UI
would break this way it would be helpful to know where to look!

On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
 wrote:

Just did it again with the same result.  Reinstalled the machine, then
did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
ipa-server-install as I used before, only without --mkhomedir this
time.  After entering the passwords for directory administrator and
the admin user, I then logged in to the web interface, immediately
clicked "add" and added a user 'foobar'.  When I clicked "add and
edit" and was brought to the user information page, it looks like this
at the bottom:

https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0

I then entered an employee number of '0001' just to give something to
save, and clicked save.  The screen now shows this (I've clicked the
drop-down on the manager field so the choices are visible):

https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0

Holding shift and clicking reload, the page now looks like this (the
employee number field is also blank again):

https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0

Since we do run a repackaged distribution here (Springdale Linux), I
just unpacked ipa-server-common from our repository with the above
version, and 
http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
and 'diff' found zero differences between them.  Unlikely, but I
wanted to rule out a packaging error causing the problem.

On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
 wrote:

No, that should be all of the major changes; the puppet module that
installs things only puts the two plugin files in their respective
places.  The client part of the IPA module makes changes to have the
machine join the domain and whatnot, but those shouldn't affect the
webui.

I do modify the schema by adding some attribute types for Puppet,
namely puppetClass, parentNode, environment, puppetVar, and the object
class puppetClient.  That's basically right from one of the Puppet
webpages and also worked in the past - and is one of the things the
python plugin does, add the appropriate objectclass to host entries if
puppetVar is added to a host entry.

My steps to install:
* ipa-server-install --realm= --domain= --mkhomedir
--hostname= --no-host-dns
* ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
  < paste puppet schema changes>
  < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
service account used by puppet for adding hosts to IPA >
* login to web UI
* * Change home directory base, default shell, default SELinux user
* * Add SELinux user map for staff/sysadmin users
* * Add "user adder" permission/privilege/role for users who will be
able to create stageusers

That's about as far as I got before I realized some of the plugin
pieces weren't working, and then fixed the python plugin followed by
working on the UI plugin and finding this problem.  I'll go wipe and
reinstall the system again and walk through the steps, but test 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

Would it be better to file this as a new bug, or reopen 4291?

On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston
 wrote:
> Seems like this is to blame:  https://fedorahosted.org/freeipa/ticket/4291
>
> The checkin says, "Installation in pure IPv6 environment failed
> because pki-tomcat tried to use
> IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4
> fixes this issue."  However it would seem that in a pure IPv4
> environment, this is causing tomcat to fail to load.
>
> On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston
>  wrote:
>> What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml?
>>
>> 
>>
>> > address="::1" />
>>
>> Doesn't work so well on a host without IPv6 turned on...
>>
>> Jan 31 14:26:59 ipa server: PKIListener:
>> org.apache.catalina.core.StandardServer[before_init]
>> Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point
>> associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
>> Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family
>> unavailable
>>
>> On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston
>>  wrote:
>>> Stranger, I did an install on a different VM with the CentOS 7 minimal
>>> ISO, then installed ipa-server and enough things to get X11 and
>>> Firefox, ran ipa-server-install and it worked fine.  I tested with
>>> Firefox (and Safari) against my failing installation and it still
>>> fails.  So there's something else different that's causing it to
>>> break.  Will continue investigating, but if someone knows why the UI
>>> would break this way it would be helpful to know where to look!
>>>
>>> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
>>>  wrote:
 Just did it again with the same result.  Reinstalled the machine, then
 did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
 version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
 ipa-server-install as I used before, only without --mkhomedir this
 time.  After entering the passwords for directory administrator and
 the admin user, I then logged in to the web interface, immediately
 clicked "add" and added a user 'foobar'.  When I clicked "add and
 edit" and was brought to the user information page, it looks like this
 at the bottom:

 https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0

 I then entered an employee number of '0001' just to give something to
 save, and clicked save.  The screen now shows this (I've clicked the
 drop-down on the manager field so the choices are visible):

 https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0

 Holding shift and clicking reload, the page now looks like this (the
 employee number field is also blank again):

 https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0

 Since we do run a repackaged distribution here (Springdale Linux), I
 just unpacked ipa-server-common from our repository with the above
 version, and 
 http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
 and 'diff' found zero differences between them.  Unlikely, but I
 wanted to rule out a packaging error causing the problem.

 On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
  wrote:
> No, that should be all of the major changes; the puppet module that
> installs things only puts the two plugin files in their respective
> places.  The client part of the IPA module makes changes to have the
> machine join the domain and whatnot, but those shouldn't affect the
> webui.
>
> I do modify the schema by adding some attribute types for Puppet,
> namely puppetClass, parentNode, environment, puppetVar, and the object
> class puppetClient.  That's basically right from one of the Puppet
> webpages and also worked in the past - and is one of the things the
> python plugin does, add the appropriate objectclass to host entries if
> puppetVar is added to a host entry.
>
> My steps to install:
> * ipa-server-install --realm= --domain= --mkhomedir
> --hostname= --no-host-dns
> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
>   < paste puppet schema changes>
>   < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
> service account used by puppet for adding hosts to IPA >
> * login to web UI
> * * Change home directory base, default shell, default SELinux user
> * * Add SELinux user map for staff/sysadmin users
> * * Add "user adder" permission/privilege/role for users who will be
> able to create stageusers
>
> That's about as far as I got before I realized some of the plugin
> pieces 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

Seems like this is to blame:  https://fedorahosted.org/freeipa/ticket/4291

The checkin says, "Installation in pure IPv6 environment failed
because pki-tomcat tried to use
IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4
fixes this issue."  However it would seem that in a pure IPv4
environment, this is causing tomcat to fail to load.

On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston
 wrote:
> What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml?
>
> 
>
>  address="::1" />
>
> Doesn't work so well on a host without IPv6 turned on...
>
> Jan 31 14:26:59 ipa server: PKIListener:
> org.apache.catalina.core.StandardServer[before_init]
> Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point
> associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
> Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family
> unavailable
>
> On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston
>  wrote:
>> Stranger, I did an install on a different VM with the CentOS 7 minimal
>> ISO, then installed ipa-server and enough things to get X11 and
>> Firefox, ran ipa-server-install and it worked fine.  I tested with
>> Firefox (and Safari) against my failing installation and it still
>> fails.  So there's something else different that's causing it to
>> break.  Will continue investigating, but if someone knows why the UI
>> would break this way it would be helpful to know where to look!
>>
>> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
>>  wrote:
>>> Just did it again with the same result.  Reinstalled the machine, then
>>> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
>>> version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
>>> ipa-server-install as I used before, only without --mkhomedir this
>>> time.  After entering the passwords for directory administrator and
>>> the admin user, I then logged in to the web interface, immediately
>>> clicked "add" and added a user 'foobar'.  When I clicked "add and
>>> edit" and was brought to the user information page, it looks like this
>>> at the bottom:
>>>
>>> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
>>>
>>> I then entered an employee number of '0001' just to give something to
>>> save, and clicked save.  The screen now shows this (I've clicked the
>>> drop-down on the manager field so the choices are visible):
>>>
>>> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
>>>
>>> Holding shift and clicking reload, the page now looks like this (the
>>> employee number field is also blank again):
>>>
>>> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
>>>
>>> Since we do run a repackaged distribution here (Springdale Linux), I
>>> just unpacked ipa-server-common from our repository with the above
>>> version, and 
>>> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
>>> and 'diff' found zero differences between them.  Unlikely, but I
>>> wanted to rule out a packaging error causing the problem.
>>>
>>> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
>>>  wrote:
 No, that should be all of the major changes; the puppet module that
 installs things only puts the two plugin files in their respective
 places.  The client part of the IPA module makes changes to have the
 machine join the domain and whatnot, but those shouldn't affect the
 webui.

 I do modify the schema by adding some attribute types for Puppet,
 namely puppetClass, parentNode, environment, puppetVar, and the object
 class puppetClient.  That's basically right from one of the Puppet
 webpages and also worked in the past - and is one of the things the
 python plugin does, add the appropriate objectclass to host entries if
 puppetVar is added to a host entry.

 My steps to install:
 * ipa-server-install --realm= --domain= --mkhomedir
 --hostname= --no-host-dns
 * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
   < paste puppet schema changes>
   < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
 service account used by puppet for adding hosts to IPA >
 * login to web UI
 * * Change home directory base, default shell, default SELinux user
 * * Add SELinux user map for staff/sysadmin users
 * * Add "user adder" permission/privilege/role for users who will be
 able to create stageusers

 That's about as far as I got before I realized some of the plugin
 pieces weren't working, and then fixed the python plugin followed by
 working on the UI plugin and finding this problem.  I'll go wipe and
 reinstall the system again and walk through the steps, but test the UI
 first and in between to see if I 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml?





Doesn't work so well on a host without IPv6 turned on...

Jan 31 14:26:59 ipa server: PKIListener:
org.apache.catalina.core.StandardServer[before_init]
Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point
associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family
unavailable

On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston
 wrote:
> Stranger, I did an install on a different VM with the CentOS 7 minimal
> ISO, then installed ipa-server and enough things to get X11 and
> Firefox, ran ipa-server-install and it worked fine.  I tested with
> Firefox (and Safari) against my failing installation and it still
> fails.  So there's something else different that's causing it to
> break.  Will continue investigating, but if someone knows why the UI
> would break this way it would be helpful to know where to look!
>
> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
>  wrote:
>> Just did it again with the same result.  Reinstalled the machine, then
>> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
>> version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
>> ipa-server-install as I used before, only without --mkhomedir this
>> time.  After entering the passwords for directory administrator and
>> the admin user, I then logged in to the web interface, immediately
>> clicked "add" and added a user 'foobar'.  When I clicked "add and
>> edit" and was brought to the user information page, it looks like this
>> at the bottom:
>>
>> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
>>
>> I then entered an employee number of '0001' just to give something to
>> save, and clicked save.  The screen now shows this (I've clicked the
>> drop-down on the manager field so the choices are visible):
>>
>> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
>>
>> Holding shift and clicking reload, the page now looks like this (the
>> employee number field is also blank again):
>>
>> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
>>
>> Since we do run a repackaged distribution here (Springdale Linux), I
>> just unpacked ipa-server-common from our repository with the above
>> version, and 
>> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
>> and 'diff' found zero differences between them.  Unlikely, but I
>> wanted to rule out a packaging error causing the problem.
>>
>> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
>>  wrote:
>>> No, that should be all of the major changes; the puppet module that
>>> installs things only puts the two plugin files in their respective
>>> places.  The client part of the IPA module makes changes to have the
>>> machine join the domain and whatnot, but those shouldn't affect the
>>> webui.
>>>
>>> I do modify the schema by adding some attribute types for Puppet,
>>> namely puppetClass, parentNode, environment, puppetVar, and the object
>>> class puppetClient.  That's basically right from one of the Puppet
>>> webpages and also worked in the past - and is one of the things the
>>> python plugin does, add the appropriate objectclass to host entries if
>>> puppetVar is added to a host entry.
>>>
>>> My steps to install:
>>> * ipa-server-install --realm= --domain= --mkhomedir
>>> --hostname= --no-host-dns
>>> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
>>>   < paste puppet schema changes>
>>>   < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
>>> service account used by puppet for adding hosts to IPA >
>>> * login to web UI
>>> * * Change home directory base, default shell, default SELinux user
>>> * * Add SELinux user map for staff/sysadmin users
>>> * * Add "user adder" permission/privilege/role for users who will be
>>> able to create stageusers
>>>
>>> That's about as far as I got before I realized some of the plugin
>>> pieces weren't working, and then fixed the python plugin followed by
>>> working on the UI plugin and finding this problem.  I'll go wipe and
>>> reinstall the system again and walk through the steps, but test the UI
>>> first and in between to see if I can find which of the steps might be
>>> causing things to hiccup.
>>>
>>> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka  wrote:
 Hello Steve,

 I tried to reproduce what you described on the very same version of
 ipa-server and I was not successful. Actually I was not used your back-end
 plugin. I tried it with no plugin and then with your UI plugin and both
 worked correctly. Did you do any other changes somewhere in your
 installation?

 I will try it again also with your Python plugin and we'll 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

Stranger, I did an install on a different VM with the CentOS 7 minimal
ISO, then installed ipa-server and enough things to get X11 and
Firefox, ran ipa-server-install and it worked fine.  I tested with
Firefox (and Safari) against my failing installation and it still
fails.  So there's something else different that's causing it to
break.  Will continue investigating, but if someone knows why the UI
would break this way it would be helpful to know where to look!

On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
 wrote:
> Just did it again with the same result.  Reinstalled the machine, then
> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
> version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
> ipa-server-install as I used before, only without --mkhomedir this
> time.  After entering the passwords for directory administrator and
> the admin user, I then logged in to the web interface, immediately
> clicked "add" and added a user 'foobar'.  When I clicked "add and
> edit" and was brought to the user information page, it looks like this
> at the bottom:
>
> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
>
> I then entered an employee number of '0001' just to give something to
> save, and clicked save.  The screen now shows this (I've clicked the
> drop-down on the manager field so the choices are visible):
>
> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
>
> Holding shift and clicking reload, the page now looks like this (the
> employee number field is also blank again):
>
> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
>
> Since we do run a repackaged distribution here (Springdale Linux), I
> just unpacked ipa-server-common from our repository with the above
> version, and 
> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
> and 'diff' found zero differences between them.  Unlikely, but I
> wanted to rule out a packaging error causing the problem.
>
> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
>  wrote:
>> No, that should be all of the major changes; the puppet module that
>> installs things only puts the two plugin files in their respective
>> places.  The client part of the IPA module makes changes to have the
>> machine join the domain and whatnot, but those shouldn't affect the
>> webui.
>>
>> I do modify the schema by adding some attribute types for Puppet,
>> namely puppetClass, parentNode, environment, puppetVar, and the object
>> class puppetClient.  That's basically right from one of the Puppet
>> webpages and also worked in the past - and is one of the things the
>> python plugin does, add the appropriate objectclass to host entries if
>> puppetVar is added to a host entry.
>>
>> My steps to install:
>> * ipa-server-install --realm= --domain= --mkhomedir
>> --hostname= --no-host-dns
>> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
>>   < paste puppet schema changes>
>>   < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
>> service account used by puppet for adding hosts to IPA >
>> * login to web UI
>> * * Change home directory base, default shell, default SELinux user
>> * * Add SELinux user map for staff/sysadmin users
>> * * Add "user adder" permission/privilege/role for users who will be
>> able to create stageusers
>>
>> That's about as far as I got before I realized some of the plugin
>> pieces weren't working, and then fixed the python plugin followed by
>> working on the UI plugin and finding this problem.  I'll go wipe and
>> reinstall the system again and walk through the steps, but test the UI
>> first and in between to see if I can find which of the steps might be
>> causing things to hiccup.
>>
>> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka  wrote:
>>> Hello Steve,
>>>
>>> I tried to reproduce what you described on the very same version of
>>> ipa-server and I was not successful. Actually I was not used your back-end
>>> plugin. I tried it with no plugin and then with your UI plugin and both
>>> worked correctly. Did you do any other changes somewhere in your
>>> installation?
>>>
>>> I will try it again also with your Python plugin and we'll see.
>>>
>>>
>>> On 01/24/2017 08:59 PM, Steve Huston wrote:

 And now I'm convinced this has nothing to do with my plugin and
 instead is a bug somewhere in FreeIPA.

 I removed the entirety of the "astrocustom" plugin that I wrote,
 restarted httpd, and force reloaded the page in chrome.  I clicked to
 add a new user, gave the basic information, and clicked "add and
 edit".  The bottom of the page shows the "Employee information" on the
 left side bottom, and the manager drop-down is empty.  I entered '1'
 in the "employee type" field and clicked save, and now "Employee
 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

Just did it again with the same result.  Reinstalled the machine, then
did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
ipa-server-install as I used before, only without --mkhomedir this
time.  After entering the passwords for directory administrator and
the admin user, I then logged in to the web interface, immediately
clicked "add" and added a user 'foobar'.  When I clicked "add and
edit" and was brought to the user information page, it looks like this
at the bottom:

https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0

I then entered an employee number of '0001' just to give something to
save, and clicked save.  The screen now shows this (I've clicked the
drop-down on the manager field so the choices are visible):

https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0

Holding shift and clicking reload, the page now looks like this (the
employee number field is also blank again):

https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0

Since we do run a repackaged distribution here (Springdale Linux), I
just unpacked ipa-server-common from our repository with the above
version, and 
http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
and 'diff' found zero differences between them.  Unlikely, but I
wanted to rule out a packaging error causing the problem.

On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
 wrote:
> No, that should be all of the major changes; the puppet module that
> installs things only puts the two plugin files in their respective
> places.  The client part of the IPA module makes changes to have the
> machine join the domain and whatnot, but those shouldn't affect the
> webui.
>
> I do modify the schema by adding some attribute types for Puppet,
> namely puppetClass, parentNode, environment, puppetVar, and the object
> class puppetClient.  That's basically right from one of the Puppet
> webpages and also worked in the past - and is one of the things the
> python plugin does, add the appropriate objectclass to host entries if
> puppetVar is added to a host entry.
>
> My steps to install:
> * ipa-server-install --realm= --domain= --mkhomedir
> --hostname= --no-host-dns
> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
>   < paste puppet schema changes>
>   < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
> service account used by puppet for adding hosts to IPA >
> * login to web UI
> * * Change home directory base, default shell, default SELinux user
> * * Add SELinux user map for staff/sysadmin users
> * * Add "user adder" permission/privilege/role for users who will be
> able to create stageusers
>
> That's about as far as I got before I realized some of the plugin
> pieces weren't working, and then fixed the python plugin followed by
> working on the UI plugin and finding this problem.  I'll go wipe and
> reinstall the system again and walk through the steps, but test the UI
> first and in between to see if I can find which of the steps might be
> causing things to hiccup.
>
> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka  wrote:
>> Hello Steve,
>>
>> I tried to reproduce what you described on the very same version of
>> ipa-server and I was not successful. Actually I was not used your back-end
>> plugin. I tried it with no plugin and then with your UI plugin and both
>> worked correctly. Did you do any other changes somewhere in your
>> installation?
>>
>> I will try it again also with your Python plugin and we'll see.
>>
>>
>> On 01/24/2017 08:59 PM, Steve Huston wrote:
>>>
>>> And now I'm convinced this has nothing to do with my plugin and
>>> instead is a bug somewhere in FreeIPA.
>>>
>>> I removed the entirety of the "astrocustom" plugin that I wrote,
>>> restarted httpd, and force reloaded the page in chrome.  I clicked to
>>> add a new user, gave the basic information, and clicked "add and
>>> edit".  The bottom of the page shows the "Employee information" on the
>>> left side bottom, and the manager drop-down is empty.  I entered '1'
>>> in the "employee type" field and clicked save, and now "Employee
>>> Information" is on the right side directly under "Contact settings",
>>> and the manager drop-down is populated with the list of UIDs on the
>>> system.
>>>
>>> When the UI is in the failed state, the "email address" field is also
>>> blank, but when things switch to how they should be (after submitting
>>> a change) it is populated with the email address in the record.  I
>>> just tested by adding a telephone number to the record, and that also
>>> made the contact information and employee information facets refresh
>>> with the proper data.  Pressing shift-reload again makes all the
>>> information disappear (including the telephone number I just entered).

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

No, that should be all of the major changes; the puppet module that
installs things only puts the two plugin files in their respective
places.  The client part of the IPA module makes changes to have the
machine join the domain and whatnot, but those shouldn't affect the
webui.

I do modify the schema by adding some attribute types for Puppet,
namely puppetClass, parentNode, environment, puppetVar, and the object
class puppetClient.  That's basically right from one of the Puppet
webpages and also worked in the past - and is one of the things the
python plugin does, add the appropriate objectclass to host entries if
puppetVar is added to a host entry.

My steps to install:
* ipa-server-install --realm= --domain= --mkhomedir
--hostname= --no-host-dns
* ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
  < paste puppet schema changes>
  < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
service account used by puppet for adding hosts to IPA >
* login to web UI
* * Change home directory base, default shell, default SELinux user
* * Add SELinux user map for staff/sysadmin users
* * Add "user adder" permission/privilege/role for users who will be
able to create stageusers

That's about as far as I got before I realized some of the plugin
pieces weren't working, and then fixed the python plugin followed by
working on the UI plugin and finding this problem.  I'll go wipe and
reinstall the system again and walk through the steps, but test the UI
first and in between to see if I can find which of the steps might be
causing things to hiccup.

On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka  wrote:
> Hello Steve,
>
> I tried to reproduce what you described on the very same version of
> ipa-server and I was not successful. Actually I was not used your back-end
> plugin. I tried it with no plugin and then with your UI plugin and both
> worked correctly. Did you do any other changes somewhere in your
> installation?
>
> I will try it again also with your Python plugin and we'll see.
>
>
> On 01/24/2017 08:59 PM, Steve Huston wrote:
>>
>> And now I'm convinced this has nothing to do with my plugin and
>> instead is a bug somewhere in FreeIPA.
>>
>> I removed the entirety of the "astrocustom" plugin that I wrote,
>> restarted httpd, and force reloaded the page in chrome.  I clicked to
>> add a new user, gave the basic information, and clicked "add and
>> edit".  The bottom of the page shows the "Employee information" on the
>> left side bottom, and the manager drop-down is empty.  I entered '1'
>> in the "employee type" field and clicked save, and now "Employee
>> Information" is on the right side directly under "Contact settings",
>> and the manager drop-down is populated with the list of UIDs on the
>> system.
>>
>> When the UI is in the failed state, the "email address" field is also
>> blank, but when things switch to how they should be (after submitting
>> a change) it is populated with the email address in the record.  I
>> just tested by adding a telephone number to the record, and that also
>> made the contact information and employee information facets refresh
>> with the proper data.  Pressing shift-reload again makes all the
>> information disappear (including the telephone number I just entered).
>>
>> This is with ipa-server-4.4.0-14.el7_3.4
>>
>>
>> On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston
>>  wrote:
>>>
>>> Just tested again, and this is still baffling:
>>>
>>> * Create a stage user with the right data, works fine, can be edited.
>>> * Enable that user, and now the two fields ('manager' and
>>> 'employeeType') appear to have bogus data in the UI, and I cannot save
>>> the page without changing them to something else.
>>> * Once that user is saved, the "Employee Information" facet moves to
>>> the right side of the page, and now shows not only the current data in
>>> the manager drop down but also the other choices (uids).  Change the
>>> value of manager and employeetype back to what they were previously
>>> and it saves.
>>> * An ldapsearch run when the user is first created (as the directory
>>> manager), and after having two edits (one to change the values to
>>> something else to let the webui save them, and one to change them back
>>> to what they should be and were the first time) produce completely
>>> identical results.
>>> * The output of "ipa user-show  --all --raw" is also identical at
>>> those same steps.
>>>
>>> So something, somewhere, is being saved in a way that prevents the
>>> webui from displaying them properly, that gets fixed when those values
>>> are manually changed via the webui.
>>>
>>> On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston
>>>  wrote:

 Even more interesting...

 I tried to modify one of the records that was not displaying properly
 in the "active users" group, and sure enough the webui complained that
 the "Requested By" (relabeled "manager") 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Pavel Vomacka]

Hello Steve,

I tried to reproduce what you described on the very same version of 
ipa-server and I was not successful. Actually I was not used your 
back-end plugin. I tried it with no plugin and then with your UI plugin 
and both worked correctly. Did you do any other changes somewhere in 
your installation?


I will try it again also with your Python plugin and we'll see.

On 01/24/2017 08:59 PM, Steve Huston wrote:

And now I'm convinced this has nothing to do with my plugin and
instead is a bug somewhere in FreeIPA.

I removed the entirety of the "astrocustom" plugin that I wrote,
restarted httpd, and force reloaded the page in chrome.  I clicked to
add a new user, gave the basic information, and clicked "add and
edit".  The bottom of the page shows the "Employee information" on the
left side bottom, and the manager drop-down is empty.  I entered '1'
in the "employee type" field and clicked save, and now "Employee
Information" is on the right side directly under "Contact settings",
and the manager drop-down is populated with the list of UIDs on the
system.

When the UI is in the failed state, the "email address" field is also
blank, but when things switch to how they should be (after submitting
a change) it is populated with the email address in the record.  I
just tested by adding a telephone number to the record, and that also
made the contact information and employee information facets refresh
with the proper data.  Pressing shift-reload again makes all the
information disappear (including the telephone number I just entered).

This is with ipa-server-4.4.0-14.el7_3.4


On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston
 wrote:

Just tested again, and this is still baffling:

* Create a stage user with the right data, works fine, can be edited.
* Enable that user, and now the two fields ('manager' and
'employeeType') appear to have bogus data in the UI, and I cannot save
the page without changing them to something else.
* Once that user is saved, the "Employee Information" facet moves to
the right side of the page, and now shows not only the current data in
the manager drop down but also the other choices (uids).  Change the
value of manager and employeetype back to what they were previously
and it saves.
* An ldapsearch run when the user is first created (as the directory
manager), and after having two edits (one to change the values to
something else to let the webui save them, and one to change them back
to what they should be and were the first time) produce completely
identical results.
* The output of "ipa user-show  --all --raw" is also identical at
those same steps.

So something, somewhere, is being saved in a way that prevents the
webui from displaying them properly, that gets fixed when those values
are manually changed via the webui.

On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston
 wrote:

Even more interesting...

I tried to modify one of the records that was not displaying properly
in the "active users" group, and sure enough the webui complained that
the "Requested By" (relabeled "manager") field was not filled in since
it was blank.  It also, however, complained that the "User tier"
(relabeled "employeetype") was incorrect, even though it showed the
label associated with the value 1.  I clicked the search drop-down for
manager, typed in my own uid, and even though everything had been
blank in the drop down before now my uid showed up.  I clicked on it,
and my uid was now in the manager field.  I then clicked the drop down
for employeetype, and chose one of the other options.  I was now able
to save the changes to the record.

Upon reloading the page, the "Employee Information" facet now shoed up
on the right side bottom, instead of the left side bottom where it was
appearing.  I was also now able to change the drop-down fields for
manager and employeetype to another value, and save them, and they
worked fine even filling in all the data that should have been there.
This almost seemed like the data being returned by the server was
flawed somehow, and confusing the webui, but once it was forced to
have the right data and re-saved it worked fine subsequently.

I looked at the output of "ipa user-show  --all --raw" both
before and after making such changes on a user, and can detect no
difference between them.

On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy  wrote:

On to, 19 tammi 2017, Steve Huston wrote:

On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy 
wrote:

In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
side plugins into different paths (ipaserver/plugins and
ipaclient/plugins instead of being common in ipalib/plugins). The client
code was also changed to always read metadata about API from the server
side. This means the client can adopt to any server version that
supports API metadata.


Right, and I think that the most of the plugin I had belongs

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

And now I'm convinced this has nothing to do with my plugin and
instead is a bug somewhere in FreeIPA.

I removed the entirety of the "astrocustom" plugin that I wrote,
restarted httpd, and force reloaded the page in chrome.  I clicked to
add a new user, gave the basic information, and clicked "add and
edit".  The bottom of the page shows the "Employee information" on the
left side bottom, and the manager drop-down is empty.  I entered '1'
in the "employee type" field and clicked save, and now "Employee
Information" is on the right side directly under "Contact settings",
and the manager drop-down is populated with the list of UIDs on the
system.

When the UI is in the failed state, the "email address" field is also
blank, but when things switch to how they should be (after submitting
a change) it is populated with the email address in the record.  I
just tested by adding a telephone number to the record, and that also
made the contact information and employee information facets refresh
with the proper data.  Pressing shift-reload again makes all the
information disappear (including the telephone number I just entered).

This is with ipa-server-4.4.0-14.el7_3.4


On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston
 wrote:
> Just tested again, and this is still baffling:
>
> * Create a stage user with the right data, works fine, can be edited.
> * Enable that user, and now the two fields ('manager' and
> 'employeeType') appear to have bogus data in the UI, and I cannot save
> the page without changing them to something else.
> * Once that user is saved, the "Employee Information" facet moves to
> the right side of the page, and now shows not only the current data in
> the manager drop down but also the other choices (uids).  Change the
> value of manager and employeetype back to what they were previously
> and it saves.
> * An ldapsearch run when the user is first created (as the directory
> manager), and after having two edits (one to change the values to
> something else to let the webui save them, and one to change them back
> to what they should be and were the first time) produce completely
> identical results.
> * The output of "ipa user-show  --all --raw" is also identical at
> those same steps.
>
> So something, somewhere, is being saved in a way that prevents the
> webui from displaying them properly, that gets fixed when those values
> are manually changed via the webui.
>
> On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston
>  wrote:
>> Even more interesting...
>>
>> I tried to modify one of the records that was not displaying properly
>> in the "active users" group, and sure enough the webui complained that
>> the "Requested By" (relabeled "manager") field was not filled in since
>> it was blank.  It also, however, complained that the "User tier"
>> (relabeled "employeetype") was incorrect, even though it showed the
>> label associated with the value 1.  I clicked the search drop-down for
>> manager, typed in my own uid, and even though everything had been
>> blank in the drop down before now my uid showed up.  I clicked on it,
>> and my uid was now in the manager field.  I then clicked the drop down
>> for employeetype, and chose one of the other options.  I was now able
>> to save the changes to the record.
>>
>> Upon reloading the page, the "Employee Information" facet now shoed up
>> on the right side bottom, instead of the left side bottom where it was
>> appearing.  I was also now able to change the drop-down fields for
>> manager and employeetype to another value, and save them, and they
>> worked fine even filling in all the data that should have been there.
>> This almost seemed like the data being returned by the server was
>> flawed somehow, and confusing the webui, but once it was forced to
>> have the right data and re-saved it worked fine subsequently.
>>
>> I looked at the output of "ipa user-show  --all --raw" both
>> before and after making such changes on a user, and can detect no
>> difference between them.
>>
>> On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy  
>> wrote:
>>> On to, 19 tammi 2017, Steve Huston wrote:

 On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy 
 wrote:
>
> In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
> side plugins into different paths (ipaserver/plugins and
> ipaclient/plugins instead of being common in ipalib/plugins). The client
> code was also changed to always read metadata about API from the server
> side. This means the client can adopt to any server version that
> supports API metadata.


 Right, and I think that the most of the plugin I had belongs
 server-side; in fact, that's where I migrated it to, and things work
 fine.  I haven't tested if I can change those values with the cli, but
 I'm less concerned about that at the moment.

> In my sample external 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

Just tested again, and this is still baffling:

* Create a stage user with the right data, works fine, can be edited.
* Enable that user, and now the two fields ('manager' and
'employeeType') appear to have bogus data in the UI, and I cannot save
the page without changing them to something else.
* Once that user is saved, the "Employee Information" facet moves to
the right side of the page, and now shows not only the current data in
the manager drop down but also the other choices (uids).  Change the
value of manager and employeetype back to what they were previously
and it saves.
* An ldapsearch run when the user is first created (as the directory
manager), and after having two edits (one to change the values to
something else to let the webui save them, and one to change them back
to what they should be and were the first time) produce completely
identical results.
* The output of "ipa user-show  --all --raw" is also identical at
those same steps.

So something, somewhere, is being saved in a way that prevents the
webui from displaying them properly, that gets fixed when those values
are manually changed via the webui.

On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston
 wrote:
> Even more interesting...
>
> I tried to modify one of the records that was not displaying properly
> in the "active users" group, and sure enough the webui complained that
> the "Requested By" (relabeled "manager") field was not filled in since
> it was blank.  It also, however, complained that the "User tier"
> (relabeled "employeetype") was incorrect, even though it showed the
> label associated with the value 1.  I clicked the search drop-down for
> manager, typed in my own uid, and even though everything had been
> blank in the drop down before now my uid showed up.  I clicked on it,
> and my uid was now in the manager field.  I then clicked the drop down
> for employeetype, and chose one of the other options.  I was now able
> to save the changes to the record.
>
> Upon reloading the page, the "Employee Information" facet now shoed up
> on the right side bottom, instead of the left side bottom where it was
> appearing.  I was also now able to change the drop-down fields for
> manager and employeetype to another value, and save them, and they
> worked fine even filling in all the data that should have been there.
> This almost seemed like the data being returned by the server was
> flawed somehow, and confusing the webui, but once it was forced to
> have the right data and re-saved it worked fine subsequently.
>
> I looked at the output of "ipa user-show  --all --raw" both
> before and after making such changes on a user, and can detect no
> difference between them.
>
> On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy  
> wrote:
>> On to, 19 tammi 2017, Steve Huston wrote:
>>>
>>> On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy 
>>> wrote:

 In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
 side plugins into different paths (ipaserver/plugins and
 ipaclient/plugins instead of being common in ipalib/plugins). The client
 code was also changed to always read metadata about API from the server
 side. This means the client can adopt to any server version that
 supports API metadata.
>>>
>>>
>>> Right, and I think that the most of the plugin I had belongs
>>> server-side; in fact, that's where I migrated it to, and things work
>>> fine.  I haven't tested if I can change those values with the cli, but
>>> I'm less concerned about that at the moment.
>>>
 In my sample external plugin you referenced above you can see that I
 have client-side change that replaces an input string by a file
 reference so that a file can supplied instead of typing the content of
 the file on the command line. This is one of most used patterns for
 client side plugins.
>>>
>>>
>>> In this case, my biggest problem is with the web UI.  The 'manager'
>>> drop down (which I have renamed through the UI plugins to "Requested
>>> By" to show what user requested and is responsible for this account)
>>> works fine in the 'add/modify stageuser' context, but not at all in
>>> the adduser/moduser context, and I can't seem to find out why.
>>
>> I'll defer answer for this to our web UI wizards but they would need to
>> see your code to help, I'd guess.
>>
>> --
>> / Alexander Bokovoy
>
>
>
> --
> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>   Princeton University  |ICBM Address: 40.346344   -74.652242
> 345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
> (267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'



-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, 

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

Even more interesting...

I tried to modify one of the records that was not displaying properly
in the "active users" group, and sure enough the webui complained that
the "Requested By" (relabeled "manager") field was not filled in since
it was blank.  It also, however, complained that the "User tier"
(relabeled "employeetype") was incorrect, even though it showed the
label associated with the value 1.  I clicked the search drop-down for
manager, typed in my own uid, and even though everything had been
blank in the drop down before now my uid showed up.  I clicked on it,
and my uid was now in the manager field.  I then clicked the drop down
for employeetype, and chose one of the other options.  I was now able
to save the changes to the record.

Upon reloading the page, the "Employee Information" facet now shoed up
on the right side bottom, instead of the left side bottom where it was
appearing.  I was also now able to change the drop-down fields for
manager and employeetype to another value, and save them, and they
worked fine even filling in all the data that should have been there.
This almost seemed like the data being returned by the server was
flawed somehow, and confusing the webui, but once it was forced to
have the right data and re-saved it worked fine subsequently.

I looked at the output of "ipa user-show  --all --raw" both
before and after making such changes on a user, and can detect no
difference between them.

On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy  wrote:
> On to, 19 tammi 2017, Steve Huston wrote:
>>
>> On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy 
>> wrote:
>>>
>>> In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
>>> side plugins into different paths (ipaserver/plugins and
>>> ipaclient/plugins instead of being common in ipalib/plugins). The client
>>> code was also changed to always read metadata about API from the server
>>> side. This means the client can adopt to any server version that
>>> supports API metadata.
>>
>>
>> Right, and I think that the most of the plugin I had belongs
>> server-side; in fact, that's where I migrated it to, and things work
>> fine.  I haven't tested if I can change those values with the cli, but
>> I'm less concerned about that at the moment.
>>
>>> In my sample external plugin you referenced above you can see that I
>>> have client-side change that replaces an input string by a file
>>> reference so that a file can supplied instead of typing the content of
>>> the file on the command line. This is one of most used patterns for
>>> client side plugins.
>>
>>
>> In this case, my biggest problem is with the web UI.  The 'manager'
>> drop down (which I have renamed through the UI plugins to "Requested
>> By" to show what user requested and is responsible for this account)
>> works fine in the 'add/modify stageuser' context, but not at all in
>> the adduser/moduser context, and I can't seem to find out why.
>
> I'll defer answer for this to our web UI wizards but they would need to
> see your code to help, I'd guess.
>
> --
> / Alexander Bokovoy



-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Alexander Bokovoy]

On to, 19 tammi 2017, Steve Huston wrote:

On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy  wrote:

In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
side plugins into different paths (ipaserver/plugins and
ipaclient/plugins instead of being common in ipalib/plugins). The client
code was also changed to always read metadata about API from the server
side. This means the client can adopt to any server version that
supports API metadata.


Right, and I think that the most of the plugin I had belongs
server-side; in fact, that's where I migrated it to, and things work
fine.  I haven't tested if I can change those values with the cli, but
I'm less concerned about that at the moment.


In my sample external plugin you referenced above you can see that I
have client-side change that replaces an input string by a file
reference so that a file can supplied instead of typing the content of
the file on the command line. This is one of most used patterns for
client side plugins.


In this case, my biggest problem is with the web UI.  The 'manager'
drop down (which I have renamed through the UI plugins to "Requested
By" to show what user requested and is responsible for this account)
works fine in the 'add/modify stageuser' context, but not at all in
the adduser/moduser context, and I can't seem to find out why.

I'll defer answer for this to our web UI wizards but they would need to
see your code to help, I'd guess.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Steve Huston]

On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy  wrote:
> In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
> side plugins into different paths (ipaserver/plugins and
> ipaclient/plugins instead of being common in ipalib/plugins). The client
> code was also changed to always read metadata about API from the server
> side. This means the client can adopt to any server version that
> supports API metadata.

Right, and I think that the most of the plugin I had belongs
server-side; in fact, that's where I migrated it to, and things work
fine.  I haven't tested if I can change those values with the cli, but
I'm less concerned about that at the moment.

> In my sample external plugin you referenced above you can see that I
> have client-side change that replaces an input string by a file
> reference so that a file can supplied instead of typing the content of
> the file on the command line. This is one of most used patterns for
> client side plugins.

In this case, my biggest problem is with the web UI.  The 'manager'
drop down (which I have renamed through the UI plugins to "Requested
By" to show what user requested and is responsible for this account)
works fine in the 'add/modify stageuser' context, but not at all in
the adduser/moduser context, and I can't seem to find out why.

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

[Alexander Bokovoy]

Steve,

On to, 19 tammi 2017, Steve Huston wrote:

I'm running a RHEL derivative (Springdale Linux) and discovered that
between 7.2 and 7.3 there were quite a few changes, one of which was
the version of FreeIPA installed.  Fortunately my server is still in
the testing phase, and I hadn't finished things for deployment yet.  I
discovered that plugins changed drastically some time in 4.4.x, and
seemed to have found how to modify the plugin I wrote to function
again:

  http://www.astro.princeton.edu/~huston/astrocustom/

The basics are that we add puppetvar and owner to hosts, and the
majority of changes are rebranding existing attributes to fit our
environment better for the AAs that will have access to add stage
users.  So far, that is all working fine - on the add stage user
pop-up, everything looks as expected, and on the mod stageuser page
everything works there as well.  However, I am trying to copy some of
these changes to the regular user page, and finding they're not
working at all; for example, the "manager" field works fine on the
adduser pop-up, but on the moduser page it is blank and errors for not
having a proper value set when trying to save changes.  Interestingly
the "employee type" (renamed "User tier") shows up fine, and it too
was basically a copy from the mod stageuser section so I'm not sure
why one works and one doesn't.

It also seems most of the documentation I'd found previously to talk
about writing plugins hasn't been updated for the new systems - I did
find the pages at https://github.com/abbra/freeipa-desktop-profile/
but I wasn't able to follow them well or figure out how/if they
applied to my case.


In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client
side plugins into different paths (ipaserver/plugins and
ipaclient/plugins instead of being common in ipalib/plugins). The client
code was also changed to always read metadata about API from the server
side. This means the client can adopt to any server version that
supports API metadata.

In my sample external plugin you referenced above you can see that I
have client-side change that replaces an input string by a file
reference so that a file can supplied instead of typing the content of
the file on the command line. This is one of most used patterns for
client side plugins.

We haven't yet qualified FreeIPA Python API for plugins as supported
one. One of reasons is that we continue shaping it up and we still lack
proper documentation for them.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project