Bug 1835853 - No user authentication type in web ui [NEEDINFO]
Summary: No user authentication type in web ui
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-14 15:46 UTC by Leonid Kanter
Modified: 2021-11-09 23:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 18:21:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:
stsymbal: needinfo?


Attachments
Web UI screenshot (16.79 KB, image/png)
2020-05-14 15:46 UTC, Leonid Kanter


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FREEIPA-7256 | 0 | None | None | None | 2021-11-09 00:36:01 UTC
Red Hat Product Errata | RHBA-2021:4230 | 0 | None | None | None | 2021-11-09 18:22:11 UTC

Description Leonid Kanter 2020-05-14 15:46:07 UTC
Created attachment 1688516
Web UI screenshot

Description of problem:

IPA Web UI doesn't show status of user authentication types (Password, RADIUS or Two factor)

Version-Release number of selected component (if applicable):

4.6.6-11.el7

How reproducible:

always (reproduced on two servers)

Steps to Reproduce:
1. open some user profile, verify that check mark is set on OTP
2. upgrade system from 7.7 to 7.8
3. open profile of the same user

Actual results:

Checkmark is missing, all three checkboxes are empty

Expected results:

Check mark is present

Additional info:

cli command "ipa show-user" shows the correct user authentication type

$ ipa user-show username
User authentication types: otp

Comment 2 Florence Blanc-Renaud 2020-05-14 19:07:29 UTC
Issue can be reproduced. Moreover, if the user auth type is modified in the WebGUI (for instance select Radius, click on "save", then navigate to a different page), the GUI warns "This page has unsaved changes. Please save or revert." even though the user entry has been updated and the change is visible in LDAP / ipa user-show.

Comment 3 Leonid Kanter 2020-06-03 10:25:29 UTC
Password reset and enable/disable actions also don't work from WebUI.

Comment 4 Serhii Tsymbaliuk 2020-06-19 14:09:16 UTC
Some more details are needed about the issue:

1) How do you perform the system upgrade from 7.7 to 7.8?

2) Is there any error in the browser console (F12 -> Console) after the user profile is opened?

Comment 5 Florence Blanc-Renaud 2020-06-25 16:12:29 UTC
I was able to reproduce in May (see #c2) but not anymore. The issue may also be linked to the browser version as I updated firefox in the meantime (no issue today with firefox 77.0.1-2.fc31).

Leonid, which browser are you using?

Comment 6 Leonid Kanter 2020-06-29 13:26:13 UTC
To Serhii Tsymbaliuk:

1. yum update, no errors in /var/log/ipaupgrade.log
2. no errors

To Florence Blanc-Renaud:

I'm still able to reproduce it in Firefox-77.0.1 (fc33) and Chrome 83.0.4103.116

Comment 7 Florence Blanc-Renaud 2020-07-03 15:03:48 UTC
Hi Leonid,
my question may seem completely unrelated, but is your topology CA-less? There is an issue with displaying the data in the WebGUI in CA-less servers (https://pagure.io/freeipa/issue/8203), that may explain this behavior.

Comment 8 Leonid Kanter 2020-07-07 13:10:36 UTC
Hello Florence,

Yes, my topology is CA-less. It was initially installed with Codero CA certificates, then switched to Letsencrypt. Seems this is the issue.

Comment 9 Florence Blanc-Renaud 2020-07-07 14:56:54 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8203

Comment 10 Florence Blanc-Renaud 2020-07-07 14:59:46 UTC
Leonid, thanks for the confirmation. I am linking the BZ with the upstream ticket. There are discussions in the upstream PR https://github.com/freeipa/freeipa/pull/4831 on the proper way to handle the issue.

Comment 11 Leonid Kanter 2020-07-07 16:01:25 UTC
Hi Florian,
If I run ipa-ca-install and add CA - will it fix the problem?

Comment 12 Florence Blanc-Renaud 2020-07-08 14:36:20 UTC
Hi Leonid,
yes, installing the CA role with ipa-ca-install will fix the problem.

Please note that running this command will configure a Certificate Authority in IdM, and you will later be able to issue certificates signed by this IPA CA, *BUT* it won't replace your existing server certificates (httpd/LDAP/pkinit). The existing httpd/LDAP/pkinit certificates also won't be tracked by certmonger and you will still need to manually track their expiry and replace them when they expire.

Comment 13 Florence Blanc-Renaud 2020-07-14 16:58:13 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.

Comment 14 Serhii Tsymbaliuk 2020-07-31 11:50:27 UTC
The issue was fixed in cert plugin:

https://pagure.io/freeipa/c/32c64a78cef499c05e4ffa71d033692571297dca

Since it is an old fix, it is already in older FreeIPA version branches. So no backport is needed in upstream.

Comment 27 anuja 2021-07-30 10:56:50 UTC
Verified using nightly:
(A) test-result.txt.gz
webui test_enabled_by_default from test_user.py::test_user

============================= test session starts ==============================

test_webui/test_user.py::test_user::test_enabled_by_default PASSED       [ 72%]

(B) runner.log 
2021-07-30T10:04:34+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2021-07-30T10:04:34+0000   msg:
2021-07-30T10:04:34+0000   - arch: x86_64
2021-07-30T10:04:34+0000     epoch: null
2021-07-30T10:04:34+0000     name: ipa-server
2021-07-30T10:04:34+0000     release: 4.module+el8.5.0+11912+1b4496cf
2021-07-30T10:04:34+0000     source: rpm
2021-07-30T10:04:34+0000     version: 4.9.6

Comment 30 errata-xmlrpc 2021-11-09 18:21:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230

