On 1/17/22 10:59 AM, Rob Crittenden wrote:
Scott Serr via FreeIPA-users wrote:
> On 1/12/22 11:43 AM, Rob Crittenden wrote:
>
>> Scott Serr via FreeIPA-users wrote:
>>> Attributes in the Employee Information section of the user web page
>>> are blank following a series of OS/IPA updates.
>>> The "ipa user-find --all" cli command shows these attributes fine.
>>>
>>> Specifically (in my case):
>>> Department Number
>>> Employee Number
>>> Employee Type
>>>
>>> I'm wondering if anyone else has seen this. Trying to find a small
>>> test case, I've found 1 of my development VMs that has some
>>> snapshots. It's Rocky 8. It has seen OS/IPA updates frequently in
>>> the last month. This VM also has a snapshot on December 8th.
>>>
>>> Now I have 3 clones of this VM (at different snapshot times):
>>> dev-current -- fails to show these attributes on user web page
>>> dev-dec8 -- shows these attributes
>>> dev-dec8-updated-to-current -- shows these attributes
>>>
>>> The system is mainly used to test updates, data remains the same.
>>> The only difference I can think of is "dev-current" has had
>>> *incremental* OS/IPA updates between Dec 8th and now.
>>>
>>> I'm combing through a filesystem diff, trying to figure out why they
>>> behave differently, /usr/share/ipa appears to be the same. Something
>>> else odd: "dev-current" has a new section "User attributes for SMB
>>> services" on the user web page. The dev-dec8 and
>>> dev-dec8-updated-to-current states/VMs don't have this section on the
>>> user web page.
>>>
>>> Interested in any troubleshooting ideas, or ideas of why this is
>>> happening.
>>>
>>> Thank you,
>>> Scott
>>>
>>> dnf.log shows dev-current had an update to 4.9.6-6 that the other clone
>>> (dev-dec8-updated) did not.
>>> It looks like 4.9.6-6, although replaced, has created this lingering problem.
>>>
>>> dev-dec8-updated
>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded:
>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64
>>> 2022-01-11T12:07:55-0700 DEBUG Upgraded:
>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
>>>
>>> dev-current
>>> 2021-11-04T12:48:27-0600 DEBUG Upgraded:
>>> ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64
>>> 2021-12-08T11:34:23-0700 DEBUG Upgraded:
>>> ipa-server-4.9.6-6.module+el8.5.0+675+61f67439.x86_64
>>> 2021-12-21T09:55:41-0700 DEBUG Upgraded:
>>> ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
>>>
>> I don't quite follow what you're trying to ask. Are these two separate
>> systems? Do both show the same behavior?
>>
>> Does the information show in the cli? ipa user-show --all someuser
>>
>> Do/did you have any custom plugins?
>>
>> What exact attributes are not displaying?
>>
>> rob
>>
> I'm sorry Rob, yesterday my web email client didn't do well with
> threading, I've tried to fix the thread.
>
> These are clones of the same system, early on Dec 8th they were the same
> and since then took 2 different upgrade paths. (I only power up 1 at a
> time because of IPs and hostnames)
>
> dev-dec8-updated
> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4
> 2022-01-11T12:07:55-0700 DEBUG Upgraded: ipa-server-4.9.6-10
>
> dev-current
> 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4
> 2021-12-08T11:34:23-0700 DEBUG Upgraded: ipa-server-4.9.6-6
> 2021-12-21T09:55:41-0700 DEBUG Upgraded: ipa-server-4.9.6-10
>
> The "dev-current" has gone down a different upgrade path from
> "dev-dec8-updated" but they arrive at the same place (4.9.6-10). It appears
> that 4.9.6-6 has caused the issue. The issue being those attributes in the
> Employee Information section of the web page.
>
> These clone VMs did have a simple custom plugin. It was
> /usr/share/ipa/ui/js/plugins/myplugin/myplugin.js. I removed the custom
> plugin (from dev-current), but that didn't fix the missing attributes on the
> web page. Maybe there is some caching that I need to clear. Very well could
> be something from our custom plugin, is there anything tricky to back it out?
>
> "ipa user-show --all me" shows Employee Type, Employee Number, and
> Department Number properly.

I'm at a loss. The best I can suggest is to try the browser debugger to
see if you can tell what is happening. The data should be available
based on the cli (the ui uses the same interfaces).

As for removing it I think that removing the javascript, restarting
Apache and doing a force reload in the browser should do it.

rob

Rob, this may surprise you, it did me.

I set out to create a brand new replica on our production cluster. My
intent was to disconnect it from the cluster and do tests. I was not
able to make the replica, I kept getting errors running
ipa-replica-install. I saw:

ipa: ERROR: Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403. (403)

I had to fix this before I could continue. You are well aware of the
recent issue:

Bug 2006070 - Upgrades incorrectly add secret attribute to connectors
https://bugzilla.redhat.com/show_bug.cgi?id=2006070

(First, I found at least 4 threads on this mailing list directly
connected to this issue. I'm thankful!)

I saw that my VM clone (discussed above in the thread) that skipped over
ipa-server-4.9.6-6 update, only had secret= and did not have
requiredSecret=. I removed requiredSecret from a member of the
production cluster. PKI/certs worked! And lo and behold, my web
interface now shows attribute values for Employee Type, Employee Number,
and Department Number. It also no longer shows the SMB section, like we
are used to.

(In our environment we don't make use of PKI functionality on our
clients yet, otherwise I'd probably notice this breakage much earlier.)

I'm hopeful this clears up all my issues. I wanted the list to know the
fix.

Thanks for your help!
Scott
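
A read-only check for the connector state described in the message above, added here as an example and not part of the original thread or of FreeIPA: it classifies each AJP connector by whether it carries secret=, requiredSecret=, or both, without printing the secret values. The file location named in the comment and the sample XML are assumptions; the thread does not name the file.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: on an IPA CA server the connectors usually live in
# /etc/pki/pki-tomcat/server.xml; pass the path as the first argument.

# Constructed sample, not taken from any real host.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost4"
               secret="constructed-new" requiredSecret="constructed-old"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost6"
               secret="constructed-new"/>
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Classify each AJP connector by which secret attributes it carries."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # only AJP connectors are of interest here
        secret = conn.get("secret")
        required = conn.get("requiredSecret")
        if secret is not None and required is not None:
            status = "both"  # the state reported on the affected host
        elif secret is not None:
            status = "secret-only"  # the state reported on the working clone
        elif required is not None:
            status = "requiredSecret-only"
        else:
            status = "none"
        findings.append({
            "address": conn.get("address", "*"),
            "port": conn.get("port"),
            "status": status,
            # Report only whether the values differ, never the secrets.
            "values_differ": status == "both" and secret != required,
        })
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in audit_connectors(text):
        print("{address}:{port} {status} differ={values_differ}".format(**f))
```

Run without arguments it reports on the constructed sample; a connector reported as "both" matches the state of the host that went through the 4.9.6-6 update.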