1894800 – IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1894800 - IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing

Summary: IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	8.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Thomas Woerner
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1895910
TreeView+	depends on / blocked

Reported:	2020-11-05 05:45 UTC by Sunny Wu
Modified:	2024-10-01 17:02 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ipa-4.9.0-0.1.rc1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1895910 (view as bug list)
Environment:
Last Closed:	2021-05-18 15:48:22 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-10665	0	None	None	None	2023-12-15 20:03:46 UTC
Red Hat Knowledge Base (Solution)	5543951	0	None	None	None	2020-11-05 06:42:07 UTC

Description Sunny Wu 2020-11-05 05:45:28 UTC

Description of problem:
After upgrading to RHEL 8.3, WebUI on both IPA Server and IPA Replica are inaccessible. Login page shows blank page.

Upon inspection, Developers Tools of web browser (e.g. Firefox) shows below file is missing:
https://ipa.example.com/ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js?40807

Web browser stopped to load after hitting the HTTP 404.

Timeline of http requests:
=========================================================================
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/", {
  "headers": {
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "document",
    "sec-fetch-mode": "navigate",
    "sec-fetch-site": "none",
    "sec-fetch-user": "?1",
    "upgrade-insecure-requests": "1"
  },
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/loader.js", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/json2.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/css/patternfly.css?v=40807", {
  "headers": {
    "accept": "text/css,*/*;q=0.1",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "style",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/css/bootstrap-datepicker3.min.css?v=40807", {
  "headers": {
    "accept": "text/css,*/*;q=0.1",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "style",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/css/ipa.css?v=40807", {
  "headers": {
    "accept": "text/css,*/*;q=0.1",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "style",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/ipa.css?v=40807", {
  "headers": {
    "accept": "text/css,*/*;q=0.1",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "style",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/jquery.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAYAAAFN++nkAAAABGdBTUEAALGPC/xhBQAAB/dJREFUaAXlG1lsVUX0vFfaQndkM0ApILKUiiAlQlhKSyBqAIMaFZBQ/UD5QAEhjRAjxog0QSQYg20UU4masCgRSYwIVEWFUCRAWYoIUimlUKDQsnR9nnPfm/dm7r0z99639AU4Sd/MnHPmLLOcWe7UBQieVeCh1AxcfmKBjqfQpfF30H6RGP/+bkFA43KsgExuHtu4PA/ojweBgQh6SQYGvQS5kSQObSAjP8a/BVQwA5enEMqxFYaaETv4CXwb1J0FKOqviQbQ+Z/VPQkOpvTxEX0ymdWaezmviA1DPERIjIvR2A0+E/bq0hyNqPWYxwx+W+Hxdkgwfnply38D7UA8fFvI62jNT2SvWZTzVdT3MpF40Jpr9DKAfSu5yjwH5lmbMrQgNCZOQwc0My5d2nX1r1Df2AIbZwyF5zN7CNRAP1B/I1QtGq+l6Wv3amntkgnw9TNZMOe7Y7C+rErDsZ/AuGQYHBOQ+RKAzzSGFtKKLQC15eDyfAjp0AJncfR5x4TApS50gGaoVLPIqWKD5a0BGLVIzr2+L8CNc356wGe7A2QXCi9bqwkQNDe1eiB51R6/ZH1G6/tJH/krB7oKOV/YelTPrywLmhnnFZxvSb4JSThhdDEmTAXNHN5WVlm54sotqVaSLlRmoe06jmWCQV0StJR+9BOFcELl4qlDCAdjNhzQUvp5MetBLV92od6PYxmhcteEWA1f09DE6FDydKaWH/tFQCAjBgbJs98DDJjG8OrUF9MCXbV1urdC1lyA1H7qyj5qQLMtdpHJOyVDmFmiOPsltxYH7POHjZNCvjH4xKcBLLwWHiWntwOwfuQkGvtJF4coOry58xScv9HIVZNnaXLMGNwd5gzzjmk/p26lNCrm4tiCHyug+KAY5P2CbGSEWbgjH6C8xF8rMKz9qEBG72X14gmQHG/sGVYj6QN53NRPFaViJpClcTEuiHWzSMOwwaWOFOtVUGQc9uk+PdpWWYhdtmrYYHK7XKZRlq+qVDykayLPC1tOXBLKFM6FAYTU2Bg33F6WK/CZFZSKV+Y9JNR59YcTQpkVeOXNrW3KhYnVMfYx7Rfm/8voBo/8BF2GV64jmRaNHtMmhSY77TciCHSUuIFhMzmCOkxFu10FkAIuqDOlRhCpRQM8J65D5fnt6Tk19TVUiMtR+4I7GkrJReOobifHjfOYKU7JAJhVihuwvgzjLD2AO/jdi6V1jOsxsTrZNkpF+whrO+P22DhpjE2dvdD+XtVKKdElWyhjU9Mhh4Mvj1TDtpOXcQzag94p8bBmykBx3abtlK7Zxaamo+p8DJk+GFG8H45fvsmKjtKGt3JF5bo9l9jUfXIF4cEqJSFLd/4tyNIXRMVJvfT0oMtV9epdqdjHqtsANIGaTwa3mluhO95f2AVRsUUt1UYvDnceTsAZtxPJFrxRU+yoqfVOyK4aiC8xVr7xJ3rEPH4vV9wokjIeIqL4nZz+kI4RTAUhNfXcR3tCyeELgny7u03RY0+bIMSqUDx1MIzsmSKwnam7LZRlBVFxk3g/48KjCA/Nbcal4o+Xs3kWGPLJn0JZVhAV1xwS+HbMHC6UJ238SyizAvUpD9tP1fJF07yo+L9SgWlSv87An5/2n78O1dxlFGNeNq4vy2rpc5uPCGWzgrgsEscSDO4WMdtMkCVOuSxS7dXqaWCpwCaD2NSsElnXGrjfY+hwpvJ5zDxPnwjQYwRAHB6vXOZ2WhtknA3GPraWEhaOYF0IWbkbD2tTQpYShAAtNOHBbTLW3RStc1QQdgddxa0djT3w0/3gLLUSDa38oJvrLqxIt+ShXffQYSu1P/5lAHR8AL+WdsJmxGgYdIjztSLtSNrwa1AL7iruXAW4fg7/zuAHu8qQmlkep2Vi6ew8sTAyy6ZMpxmeFrDSAv83QzMWM5z99SGcNxNmloSCk3xrMRNp7TDd+8w7Ff0eNbOex1GPFw8UvlHzZJa3HtIz90idPVF7C2Z9W44XJA1MXkTTofi+5Bt8dMB/4fUrpJ0p2YqPU1Sg3nmkTwRI62dav+RwNQwv2tduzpIRxy41aF97vjp60dQmzVayWQFqh2lTKYFtFZcllMijlboVNpNlaodpB323gYXN6jkcwlqqfwjipN1ut7RBWmGpkyoBXgub1T0cEHPP5O47h9VDOoL9WncHH8QdMY+2TW3OLrqcmBk1h2tuNsESfFASDIzS3eI5kRE1h50YyfNumJ4Jsx/RvaLhGSzyEXPY5JZTMCXGwbuVzG6JsO6JQTC+T5ogI5hC0EErraO6rc5aXBYP6NxJe1/x2TTvUzyZ8fOze8OheY+HxVnSoXZYcYf45IAuMhs1fJHNt1f0yOuX/JFSWevLzsNsfLAbLlA73CB/MEbPjccphtjnh6pg0/EaW3aO7pUKZ14fCwmSz0NbUI7sQt6WAo5J7XAlnj4UsGvOY5CTgV/dJUBPqTcfFx8/SVihV3I8VC8eDxmpeGNiAnsr6/DgsB9aPR4Tqn2U9XlY9z7RTPSF+iZ4u/QfaJFEqjG9U+G1kfa/Qhf8fBou4rJlBt3wSe7qyQ+bkby4ve8C/L5CSrd2mKrStY7udYJUYrQJFg6rhzQznh6q04MRukq5y0G9tvDO0esY9kaXrn2y3wAYOCP4Jz+87LDm1XOcnou14FWt+ut5WA2KrjAa0ieja0L7aqd3eU/h1wccr/cHuJib2j8LNcNSdD4Pcfg5ARLuxaH+P4cTLdyvTUY5AAAAAElFTkSuQmCC", {
  "referrer": "",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/bootstrap.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/bootstrap-datepicker.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/patternfly.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/jquery.ordered-map.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/browser.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/dojo/dojo.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/qrcode.js?v=40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/freeipa/app.js?40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/libs/d3.js?40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/i18n_messages", {
  "headers": {
    "accept": "application/json, text/javascript, */*; q=0.01",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "content-type": "application/json",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "same-origin",
    "x-requested-with": "XMLHttpRequest"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "{\"method\":\"i18n_messages\",\"params\":[[],{\"version\":\"2.239\"}]}",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/freeipa/plugins.js?40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
}); ;
fetch("https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js?40807", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-AU,en;q=0.9,zh-HK;q=0.8,zh;q=0.7,en-GB;q=0.6,en-US;q=0.5,zh-TW;q=0.4",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
    "sec-fetch-site": "same-origin"
  },
  "referrer": "https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
});
=========================================================================


Version-Release number of selected component (if applicable):
rpm -qa | grep ipa | sort
ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64
ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
ipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.noarch
ipa-healthcheck-core-0.4-6.module+el8.3.0+7710+e2408ce4.noarch
ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64
ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
ipa-server-dns-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
ipa-server-trust-ad-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64
libipa_hbac-2.3.0-9.el8.x86_64
python3-iniparse-0.4-31.el8.noarch
python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch
python3-libipa_hbac-2.3.0-9.el8.x86_64
redhat-logos-ipa-81.1-1.el8.noarch
sssd-ipa-2.3.0-9.el8.x86_64


ipa-idoverride-memberof-plugin-0.0.4-6.module+el8+2555+b334d87b.x86_64 <= prior to upgrade (RHEL 8.2)

# cat dnf.rpm.log  | grep ipa-idoverride
2020-11-05T04:41:20Z SUBDEBUG Obsoleted: ipa-idoverride-memberof-plugin-0.0.4-6.module+el8+2555+b334d87b.x86_64


How reproducible:
1. Reproducible when more than one IPA server (IPA Master + Replica) are in IPA domain: 
  - RHEL 8.2 IPA Master + ipa-idoverride-memberof-plugin-0.0.4-6 & RHEL 8.2 IPA Replica + ipa-idoverride-memberof-plugin-0.0.4-6
  - Upgrade IPA Replica to RHEL 8.3 via yum upgrade. 
    - WebUI became inaccessible after yum upgrade.
    - WebUI at IPA Master (not upgraded yet) was still accessible
  - Upgrade IPA Master to RHEL 8.3 via yum upgrade.
    - WebUI on both became inaccessible

2. Not reproducible when only one IPA server is in IPA domain:
  - RHEL 8.2 IPA Master + ipa-idoverride-memberof-plugin-0.0.4-6
  - No any IPA Replica
  - Upgrade IPA Master to RHEL 8.3 via yum upgrade
    - WebUI still accessible

3. Workaround
  - A workaround is to re-create ("touch") an empty file:
  - /usr/share/ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js

Steps to Reproduce:
1. Freshly install RHEL 8.2 on two hosts.
2. Install IPA packages via yum:
    yum module enable idm:DL1
    yum module install idm:DL1/{server,dns}
    yum install ipa-idoverride-memberof-plugin
3. Install IPA Server ipa-server-install
4. Install IPA Replica ipa-replica-install
5. Upgrade IPA Replica to RHEL 8.3 via yum
6. Upgrade IPA Master to RHEL 8.3 via yum

Actual results:
WebUI is inaccessible. Login page is blank.

Expected results:
WebUI is accessible with login page correctly rendered.

Additional info:
ipa-idoverride-memberof-plugin has been replaced by ipa-server-trust-ad. See:
https://bugzilla.redhat.com/show_bug.cgi?id=1846434

Comment 1 Alexander Bokovoy 2020-11-05 19:41:27 UTC

Please force-refresh Web UI in your browser. May be even clean the cookies. It looks like the browser caches the Web UI pages aggressively.

The idoverride-memberof.js is not needed anymore and is not referenced anywhere in the Web UI.

Functionality provided by this plugin was merged into RHEL IdM itself.

Comment 2 Alexander Bokovoy 2020-11-05 19:47:18 UTC

Note that the workaround

---------------------------
3. Workaround
  - A workaround is to re-create ("touch") an empty file:
  - /usr/share/ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js
---------------------------

is simply wrong.

There is nothing in IPA itself that requires this plugin code. What is happening, I think, is a caching of a Javascript data on the browser side.

Comment 3 Sunny Wu 2020-11-05 20:16:19 UTC

ipa-idoverride-memberof-plugin has been removed, but it is not cleaned up properly.


# rpm -qa | grep -E "(ipa-idoverride-memberof|ipa-server-trust-ad)"
ipa-server-trust-ad-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64

# curl -v https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/freeipa/plugins.js?40807
*   Trying 10.74.179.178...
* TCP_NODELAY set
* Connected to node-0.suwuipa1.lab.pnq2.cee.redhat.com (10.74.179.178) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: O=SUWUIPA1.LAB.PNQ2.CEE.REDHAT.COM; CN=node-0.suwuipa1.lab.pnq2.cee.redhat.com
*  start date: Nov  5 03:39:55 2020 GMT
*  expire date: Nov  6 02:39:55 2022 GMT
*  subjectAltName: host "node-0.suwuipa1.lab.pnq2.cee.redhat.com" matched cert's "node-0.suwuipa1.lab.pnq2.cee.redhat.com"
*  issuer: O=SUWUIPA1.LAB.PNQ2.CEE.REDHAT.COM; CN=Certificate Authority
*  SSL certificate verify ok.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /ipa/ui/js/freeipa/plugins.js?40807 HTTP/1.1
> Host: node-0.suwuipa1.lab.pnq2.cee.redhat.com
> User-Agent: curl/7.61.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Date: Thu, 05 Nov 2020 20:15:19 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g mod_auth_gssapi/1.6.1 mod_wsgi/4.6.4 Python/3.6
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache, private
< Content-Length: 54
< Vary: Accept-Encoding
< Content-Type: application/javascript
< 
* Connection #0 to host node-0.suwuipa1.lab.pnq2.cee.redhat.com left intact
define([],function(){return['idoverride-memberof'];});

Comment 4 Sunny Wu 2020-11-05 20:22:43 UTC


(In reply to Alexander Bokovoy from comment #2)
> Note that the workaround
> 
> ---------------------------
> 3. Workaround
>   - A workaround is to re-create ("touch") an empty file:
>   - /usr/share/ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js
> ---------------------------
> 
> is simply wrong.
> 
> There is nothing in IPA itself that requires this plugin code. What is
> happening, I think, is a caching of a Javascript data on the browser side.

- There is no cache on curl
- The workaround tricks browser to load a file. IPA does not need the code, but somehow browsers need to load the file to continue rendering login page.

Comment 5 Alexander Bokovoy 2020-11-06 07:04:18 UTC

plugins.js is not a static file. It is a runtime generated by /usr/share/ipa/wsgi/plugins.py. It looks at the directories in /usr/share/ipa/ui/js/plugins/ and generates the list of 'file' references:

def get_plugin_index():

    if not os.path.isdir(paths.IPA_JS_PLUGINS_DIR):
        raise Exception("Supplied plugin directory path is not a directory")

    dirs = os.listdir(paths.IPA_JS_PLUGINS_DIR)
    index = 'define([],function(){return['
    index += ','.join("'"+x+"'" for x in dirs)
    index += '];});'
    return index.encode('utf-8')

Later, Web UI will take this list and load for each plugin foo a file foo/foo.js.

So it looks like /usr/share/ipa/ui/js/plugins/idoverride-memberof directory is left and not removed when the package is removed?

I think the issue is due to the way how plugin content is referenced in ipa-idoverride-memberof spec file:

%files plugin
%license COPYING
%doc plugin/Feature.mediawiki README.md
# There is no client-side component yet
#%%python2_sitelib/ipaclient/plugins/*
%{ipa_python_sitelib}/ipaserver/plugins/*
%_datadir/ipa/schema.d/*
%_datadir/ipa/updates/*
%_datadir/ipa/ui/js/plugins/%{plugin_name}/*

E.g. the directory %_datadir/ipa/ui/js/plugins/%{plugin_name} is not marked as belonging to the package. Upon removal it then is left intact but the content of the folder cleaned up.

Now, I think the right solution would be to change plugins.py to actually verify that a foo/foo.js exists before adding it to the list of plugins.

As a workaround, please remove /usr/share/ipa/ui/js/plugins/ipa-idoverride-memberof directory instead of 'touching' a file in it.

Comment 7 Florence Blanc-Renaud 2020-11-06 13:31:03 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/8567

Comment 8 Alexander Bokovoy 2020-11-06 14:15:46 UTC

PR: https://github.com/freeipa/freeipa/pull/5230

Comment 9 Rob Crittenden 2020-11-06 21:39:57 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/91706690e0c894864c93716c4fbecb285722e77d

Comment 12 Rob Crittenden 2020-11-10 16:09:10 UTC

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/29262465edf034d521c165e3854e28835d86b98d

Comment 13 Rob Crittenden 2020-11-10 16:10:00 UTC

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/45802f19789d560634046dc6fb48f3bbc13fafb9

Comment 19 Kaleem 2020-12-17 15:42:13 UTC

Verified based on following info

Snip from runner.log for IPA Version:
------------------------------------
2020-12-17T14:33:33+0000 TASK [List installed IPA packages version] *************************************
2020-12-17T14:33:34+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2020-12-17T14:33:34+0000   msg:
2020-12-17T14:33:34+0000   - arch: x86_64
2020-12-17T14:33:34+0000     epoch: null
2020-12-17T14:33:34+0000     name: ipa-server
2020-12-17T14:33:34+0000     release: 0.5.rc3.module+el8.4.0+9124+ced20601
2020-12-17T14:33:34+0000     source: rpm
2020-12-17T14:33:34+0000     version: 4.9.0

Snip from test-result.xt:
-------------------------
Test "'test_jsplugins' (ipatests/test_ipaserver/test_jsplugins.py)" for this bugzilla is successful as per following details from the test run.

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 159 items

test_ipaserver/test_adtrust_mockup.py::TestNetbiosName::test_NetbiosName PASSED [  0%]
test_ipaserver/test_changepw.py::test_changepw::test_bad_options PASSED  [  1%]
...
test_ipaserver/test_jsplugins.py::test_jsplugins::test_jsplugins PASSED  [ 16%]
...
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED  [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
============== 155 passed, 4 skipped, 6 warnings in 20.15 seconds ==============

Comment 23 errata-xmlrpc 2021-05-18 15:48:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846

Note You need to log in before you can comment on or make changes to this bug.