Hi Scott,
we had a similar issue one year ago. When IPA was deployed in CA-less mode, only parts of the "user" web page were properly filled:
#8203 User page on WebUi only has half the information in CA-less install
Bug 1835853 - No user authentication type in web ui
Bug 1884819 - IdM Web UI shows users as disabled

The above issues were fixed (don't try to call PKI api if PKI is not installed) but we are probably not handling properly the case where calls to PKI throw exceptions.
Thanks for your description of the issue and resolution as it will help us improve the robustness. The issue has been reported at #9090 WebUI does not display all the user's attributes when it fails to communicate with PKI server.


On Thu, Jan 20, 2022 at 8:52 PM Scott Serr via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On 1/17/22 10:59 AM, Rob Crittenden wrote:
> Scott Serr via FreeIPA-users wrote:
>> On 1/12/22 11:43 AM, Rob Crittenden wrote:
>>> Scott Serr via FreeIPA-users wrote:
>>>> Attributes in the Employee Information section of the user web page
>>>> are blank following a series of OS/IPA updates.
>>>> The "ipa user-find --all" cli command shows these attributes fine.
>>>> Specifically (in my case):
>>>>    Department Number
>>>>    Employee Number
>>>>    Employee Type
>>>> I'm wondering if anyone else has seen this.  Trying to find a small
>>>> test case, I've found 1 of my development VMs that has some
>>>> snapshots.  It's Rocky 8.  It has seen OS/IPA updates frequently in
>>>> the last month.  This VM also has a snapshot on December 8th.
>>>> Now I have 3 clones of this VM (at different snapshot times):
>>>> dev-current  --  fails to show these attributes on user web page
>>>> dev-dec8  --  shows these attributes
>>>> dev-dec8-updated-to-current  --  shows these attributes
>>>> The system is mainly used to test updates, data remains the same.
>>>> The only difference I can think of is "dev-current" has had
>>>> *incremental* OS/IPA updates between Dec 8th and now.
>>>> I'm combing through a filesystem diff, trying to figure out why they
>>>> behave differently, /usr/share/ipa appears to be the same.  Something
>>>> else odd: "dev-current" has a new section "User attributes for SMB
>>>> services" on the user web page.  The dev-dec8 and
>>>> dev-dec8-updated-to-current states/VMs don't have this section on the
>>>> user web page.
>>>> Interested in any troubleshooting ideas, or ideas of why this is
>>>> happening.
>>>> Thank you,
>>>> Scott
>>>> dnf.log shows dev-current had an update to 4.9.6-6 that the other clone
>>>> (dev-dec8-updated) did not.
>>>> It looks like 4.9.6-6, although replaced, has created this lingering problem.
>>>> dev-dec8-updated
>>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded:
>>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64
>>>> 2022-01-11T12:07:55-0700 DEBUG Upgraded:
>>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
>>>> dev-current
>>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded:
>>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64
>>>> 2021-12-08T11:34:23-0700 DEBUG Upgraded:
>>>> ipa-server-4.9.6-6.module+el8.5.0+675+61f67439.x86_64
>>>> 2021-12-21T09:55:41-0700 DEBUG Upgraded:
>>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
>>> I don't quite follow what you're trying to ask. Are these two separate
>>> systems? Do both show the same behavior?
>>> Does the information show in the cli? ipa user-show --all someuser
>>> Do/did you have any custom plugins?
>>> What exact attributes are not displaying?
>>> rob
>> I'm sorry Rob, yesterday my web email client didn't do well with
>> threading, I've tried to fix the thread.
>> These are clones of the same system, early on Dec 8th they were the same
>> and since then took 2 different upgrade paths.  (I only power up 1 at a
>> time because of IPs and hostnames)
>> dev-dec8-updated
>> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4
>> 2022-01-11T12:07:55-0700 DEBUG Upgraded: ipa-server-4.9.6-10
>> dev-current
>> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4
>> 2021-12-08T11:34:23-0700 DEBUG Upgraded: ipa-server-4.9.6-6
>> 2021-12-21T09:55:41-0700 DEBUG Upgraded: ipa-server-4.9.6-10
>> The "dev-current" has gone down a different upgrade path from "dev-dec8-updated" but they arrive at the same place (4.9.6-10).  It appears that 4.9.6-6 has caused the issue.  The issue being those attributes in Employee Information section of the web page.
>> These clone VMs did have a simple custom plugin.  It was /usr/share/ipa/ui/js/plugins/myplugin/myplugin.js.  I removed the custom plugin (from dev-current), but that didn't fix the missing attributes on the web page.  Maybe there is some caching that I need to clear.  Very well could be something from our custom plugin, is there anything tricky to back it out?
>> "ipa user-show --all me" shows Employee Type, Employee Number, and Department Number properly.
> I'm at a loss. The best I can suggest is to try the browser debugger to
> see if you can tell what is happening. The data should be available
> based on the cli (the ui uses the same interfaces).
> As for removing it I think that removing the javascript, restarting
> Apache and doing a force reload in the browser should do it.
> rob

Rob, this may surprise you, it did me.

I set out to create a brand new replica on our production cluster. My
intent was to disconnect it from the cluster and do tests.  I was not
able to make the replica, I kept getting errors running
ipa-replica-install.  I saw:

ipa: ERROR: Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403.  (403)

I had to fix this before I could continue.  You are well aware of the
recent issue:

Bug 2006070 - Upgrades incorrectly add secret attribute to connectors
(First, I found at least 4 threads on this mailing list directly
connected to this issue.  I'm thankful!)

I saw that my VM clone (discussed above in the thread) that skipped over
ipa-server-4.9.6-6 update, only had secret= and did not have
requiredSecret=.  I removed requiredSecret from a member of the
production cluster.  PKI/certs worked!  And lo and behold, my web
interface now shows attribute values for Employee Type, Employee Number,
and Department Number.  It also no longer shows the SMB section, like we
are used to.

(In our environment we don't make use of PKI functionality on our
clients yet, otherwise I'd probably notice this breakage much earlier.)

I'm hopeful this clears up all my issues.  I wanted the list to know the

Thanks for your help!
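
Added example (not part of the thread, and not FreeIPA or PKI code): a check for the connector state described in the message above, where a connector carries both secret= and requiredSecret=. It assumes the connectors in question are AJP Connector elements in a Tomcat server.xml; the XML sample is constructed and the file path is left to the operator.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (ports, addresses and secret values are made up).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secret="EXAMPLE-VALUE" requiredSecret="EXAMPLE-VALUE"/>
    <Connector port="8009" protocol="AJP/1.3" address="::1"
               secret="EXAMPLE-VALUE"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(xml_text):
    """Return one finding per AJP Connector; secret values are never echoed."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        present = [a for a in ("secret", "requiredSecret") if a in conn.attrib]
        state = {2: "both", 0: "none"}.get(len(present)) or present[0] + "-only"
        findings.append({
            "port": conn.get("port"),
            "address": conn.get("address"),
            "state": state,
        })
    return findings


def conflicting(findings):
    """Connectors in the state described in the thread: both attributes set."""
    return [f for f in findings if f["state"] == "both"]


if __name__ == "__main__":
    # Path to the Tomcat server.xml is supplied by the operator; without one,
    # the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    results = audit_ajp_connectors(text)
    for f in results:
        print(f"AJP connector {f['address']}:{f['port']} -> {f['state']}")
    sys.exit(1 if conflicting(results) else 0)
```

Run against each replica's configuration, a non-zero exit marks a host that still carries both attributes on at least one connector.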