Dear all, first, thanks for developing this pretty usable tool! We have a freeipa install running at our institute and it helped us a lot in terms of rights and user-management. We use a CA-less install on a CentOS 7 server with replication. After the update from version 4.6.5 to 4.6.6 (~end of April), we recently discovered that the user identity settings page in the web-ui does not show some of the fields. The CLI has no problem at all.
We first thought it's due to some plugins we wrote to support some individual ldap attributes. But even without the plugins, the problem persists. When we checked the json response that comes from the server, the last element is an error 4001 reporting "CA is not configured". We discovered that this is thrown by the function "ca_enabled_check" in ipaserver/plugins/cert.py
Comparing the two versions https://github.com/freeipa/freeipa/compare/release-4-6-5...release-4-6-6 we observed that there are only a few changes in this file and added a few debug statements. The stack is (<frame object at 0x7f6d81d5bcc8>, '/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py', 284, 'ca_enabled_check', ['\tlogger.error(inspect.stack())\n'], 0), (<frame object at 0x7f6da037edf0>, '/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py', 1673, '_ca_search', [' ca_enabled_check(self.api)\n'], 0), (<frame object at 0x7f6da036a960>, '/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py', 1840, 'execute', [' **options)\n'], 0),
From what I understood so far, this is what happens: The function "execute" in class cert_find first checks if ca is enabled. So in our case it knows ca_enabled=False. Then around line 1837, the for loop calls self._ca_search in the second loop. In our case, the field "options" is {'exactly': False, 'version': u'2.231', 'user': (u'userABCD',)}
In _ca_search we have a for loop that iterates over a set of cert-related keys, which are not present in this case, so the dictionary ra_options is empty. Around line 1659, we check "if not ra_options:" and the only field that is present in our case is users. This was part of the update to version 4.6.6 where elif len(users) == 1 and not services and not hosts: ra_options['subject'] = users[0] was added. In our case, we end up with ra_options['subject'] = "userABCD"
In the following try, we call the "ca_enabled_check" which raises the NotFound exception, since we are CA-less. Since our ra_options dict is not empty anymore, we raise this exception to the next upper level. That's the difference to the version 4.6.5, where this was still empty and the function simply returned.
I commented the lines "elif len(users)==1..." in _ca_search and the web-ui worked again.
So from my understanding, it seems unnecessary to call _ca_search when we know we are CA-less?!? Nevertheless, all I know about that is from debugging half a day, so maybe I'm completely wrong and the root bug is elsewhere in our setup.
As far as I see, the situation is the same for the current master branch.
I'm not sure why this does not happen in the CLI, but maybe it's the term "NO_CLI = True" in ca_is_enabled()?
So, anyway, thank you very much in advance and have a nice weekend!
I didn't really check it from scratch, but if it's that simple it would be:
1. Install a CA-less freeipa
2. Check if all fields are visible in the user details in web-ui
see above
Do not check search in CA if there is no CA?
package freeipa-server is not installed package freeipa-client is not installed ipa-server-4.6.6-11.el7.centos.x86_64 ipa-client-4.6.6-11.el7.centos.x86_64 389-ds-base-1.3.10.1-9.el7_8.x86_64 pki-ca-10.5.17-6.el7.noarch krb5-server-1.15.1-46.el7.x86_64
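To make the control flow described in the report above easier to follow, here is a small model of it (an added example, not FreeIPA's own code): the 4.6.6 behaviour where _ca_search sets ra_options['subject'] for a single user and then hits ca_enabled_check, beside the patched dispatch that skips _ca_search when the CA is absent. The option keys user/host/service and the function bodies are assumptions reconstructed from the thread, and batch_entry only mimics how the batch command wraps each sub-command's outcome.

```python
class NotFound(Exception):
    """Stands in for ipalib.errors.NotFound (error_code 4001 in the batch reply)."""


def ca_enabled_check(ca_enabled):
    # In a CA-less deployment this produces "CA is not configured".
    if not ca_enabled:
        raise NotFound("CA is not configured")


def _cert_search(ca_enabled, **options):
    return []  # assumption: nothing matches for our user


def _ca_search(ca_enabled, **options):
    # Modelled 4.6.6 behaviour: with exactly one user and no hosts/services,
    # ra_options gains a 'subject', so the early return no longer fires.
    ra_options = {}
    users = options.get("user", ())
    if not ra_options:
        if len(users) == 1 and not options.get("service") and not options.get("host"):
            ra_options["subject"] = users[0]
        if not ra_options:
            return []  # 4.6.5 took this path and never touched the CA
    ca_enabled_check(ca_enabled)  # raises NotFound when CA-less
    return []  # a real deployment would query the CA here


def _ldap_search(ca_enabled, **options):
    return []  # assumption: nothing matches for our user


def cert_find_old(ca_enabled, **options):
    # 4.6.6 dispatch: _ca_search always runs, even when ca_enabled is False.
    result = []
    for sub_search in (_cert_search, _ca_search, _ldap_search):
        result.extend(sub_search(ca_enabled, **options))
    return result


def cert_find_fixed(ca_enabled, **options):
    # Dispatch as in the patch from this thread: no _ca_search without a CA.
    if ca_enabled:
        searches = [_cert_search, _ca_search, _ldap_search]
    else:
        searches = [_cert_search, _ldap_search]
    result = []
    for sub_search in searches:
        result.extend(sub_search(ca_enabled, **options))
    return result


def batch_entry(fn, ca_enabled, **options):
    # Mimics the batch command: one result entry, or an error entry (4001)
    # like the last element of the JSON response quoted in the report.
    try:
        return {"result": fn(ca_enabled, **options), "error": None}
    except NotFound as e:
        return {"error_name": "NotFound", "error": str(e), "error_code": 4001}
```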
@gemlau thanks for the report.
@ftweedal, @frenaud, could you please look in detail at this next week?
What fields specifically are not visible? Can you provide a screenshot of what you're seeing and what you're expecting? Can you show the cli output as well?
Do the users in question have certificates associated with their entries?
Hi, I will try to explain what happens. Sorry in advance, this will be a long post.
The first thing we observed was the JS console error
TypeError: t is undefined app.js:11612 load app.js:11612 load app.js:11555 load app.js:15628 refresh_on_success app.js:15771 on_success app.js:15785 register_handlers app.js:2901 Dojo 4 batch_command_on_success app.js:3000 register_handlers app.js:2901 Dojo 4 c app.js:2823 jQuery 4
The Json request was
{ "method":"batch", "params":[[ {"method":"user_show","params":[["user"],{"all":true,"rights":true}]}, {"method":"pwpolicy_show","params":[[],{"user":"user","all":true,"rights":true}]}, {"method":"krbtpolicy_show","params":[["user"],{"all":true,"rights":true}]}, {"method":"cert_find","params":[[],{"user":["user"],"sizelimit":0,"all":true}]}], {"version":"2.231"}] }
We got the following response (I simplified it a bit)
{"result": {"count":4, "results":[ {"summary":null,"result": {"telephonenumber":["12345"], "sshpubkeyfp":["SHA256:123123123123123 user@PC (ssh-ed25519)"], "has_keytab":true, "ipasshpubkey":["ssh-ed25519 123123123123123 user@PC"], "cn":["My Name"], "krbcanonicalname":["user@DOMAIN"], "externalmail":["user@dummy.com"], "sambasid":["12345"], "memberof_group":["a","b","c"], "has_password":true, "mailsenderwhitelist":["abc@dummy.com"], "homedirectory":["/user/user"], "employeetype":["Wimi"], "sambalogofftime":["12345"], "nsaccountlock":false,"uid":["user"], "shadowmin":["2"], "attributelevelrights":{"ipasshpubkey":"rscwo","homepostaladdress":"rscwo","photo":"rscwo","x121address":"rscwo","manager":"rscwo","mailtarget":"rscwo","physicaldeliveryofficename":"rscwo","sambalogofftime":"rscwo","cn":"rscwo","sambasid":"rscwo","title":"rscwo","sambamungeddial":"rscwo","usercertificate":"rscwo","sambabadpasswordcount":"rscwo","mail":"rscwo","sambalogonscript":"rscwo","krbprincipalkey":"swo","employeetype":"rscwo","krbmaxticketlife":"rscwo","sambalmpassword":"wo","postalcode":"rscwo","krbprincipalauthind":"rscwo","seealso":"rscwo","krblastadminunlock":"rscwo","krbpasswordexpiration":"rscwo","l":"rscwo","secretary":"rscwo","postofficebox":"rscwo","registeredaddress":"rscwo","shadowinactive":"rscwo","userpassword":"swo","krbupenabled":"rscwo","krbticketflags":"rscwo","street":"rscwo","krbprincipalexpiration":"rscwo","krbmaxrenewableage":"rscwo","facsimiletelephonenumber":"rscwo","loginshell":"rscwo","jpegphoto":"rscwo","sambaprimarygroupsid":"rscwo","krblastsuccessfulauth":"rsc","userpkcs12":"rscwo","shadowexpire":"rscwo","roomnumber":"rscwo","carlicense":"rscwo","host":"rscwo","ipauniqueid":"rsc","krbpwdpolicyreference":"rscwo","postaladdress":"rscwo","givenname":"rscwo","krblastfailedauth":"rsc","usersmimecertificate":"rscwo","aci":"rscwo","sambahomedrive":"rscwo","o":"rscwo","employeenumber":"rscwo","ou":"rscwo","sambapwdcanchange":"rscwo","initials":"rscwo","telephonenumber":"rsc
wo","krbextradata":"rsc","shadowwarning":"rscwo","externalmail":"rscwo","sn":"rscwo","mailsenderwhitelist":"rscwo","krbprincipalname":"rscwo","nsaccountlock":"rscwo","pager":"rscwo","dayofbirth":"rscwo","uidnumber":"rscwo","preferreddeliverymethod":"rscwo","internationalisdnnumber":"rscwo","shadowflag":"rscwo","businesscategory":"rscwo","sambadomainname":"rscwo","telexnumber":"rscwo","sambauserworkstations":"rscwo","destinationindicator":"rscwo","krbticketpolicyreference":"rscwo","inetuserhttpurl":"rscwo","krbpwdhistory":"","krbprincipalaliases":"rscwo","inetuserstatus":"rscwo","objectclass":"rscwo","gecos":"rscwo","uid":"rscwo","krbcanonicalname":"rscwo","labeleduri":"rscwo","sambaprofilepath":"rscwo","sambapwdmustchange":"rscwo","homedirectory":"rscwo","sambakickofftime":"rscwo","displayname":"rscwo","shadowmin":"rscwo","sambahomepath":"rscwo","teletexterminalidentifier":"rscwo","shadowmax":"rscwo","preferredlanguage":"rscwo","sambalogontime":"rscwo","krbprincipaltype":"rscwo","sambapwdlastset":"rscwo","sambabadpasswordtime":"rscwo","x500uniqueidentifier":"rscwo","description":"rscwo","memberof":"rsc","sambaacctflags":"rscwo","sambapasswordhistory":"rscwo","sambalogonhours":"rscwo","shadowlastchange":"rscwo","departmentnumber":"rscwo","authorizedservice":"rscwo","mobile":"rscwo","sambantpassword":"wo","st":"rscwo","gidnumber":"rscwo","homephone":"rscwo","krbloginfailedcount":"rscwo","krballowedtodelegateto":"rscwo","audio":"rscwo","krblastpwdchange":"rsc"}, "facsimiletelephonenumber":["12345"], "memberofindirect_group":["admins"], "dayofbirth":["1990-01-01"], "uidnumber":["1010"], "shadowmax":["365"], "shadowwarning":["30"], "preserved":false, "sambalogontime":["0"], "shadowinactive":["90"], "krbextradata":[{"__base64__":"asdfadsfasdfasdf="}], "mail":["a@dummy.com","user@dummy.com","abc@dummy.com","asdf@dummy.com"], "sambapwdlastset":["12345"], "shadowexpire":["12345"], "memberofindirect_hbacrule":["..."], "dn":"uid=user,cn=users,cn=accounts,dc=domain,dc=suffix", 
"displayname":["My Name"], "description":["test"], "roomnumber":["1200"], "sambaacctflags":["[U]"], "sambapasswordhistory":["0000000000000000000000000000000000000000000000000000000000000000"], "memberofindirect_sudorule":["allow_web","allow_ntadmins"], "ipauniqueid":["12345"], "memberof_sudorule":["allow_networkTesting"], "krbloginfailedcount":["0"], "krbprincipalname":["user@DOMAIN"], "givenname":["Hey Ho"], "shadowlastchange":["12345"], "sambaprimarygroupsid":["S-12345"], "krbpasswordexpiration":[{"__datetime__":"12345"}], "krblastfailedauth":[{"__datetime__":"12345"}], "objectclass":["krbticketpolicyaux","ipaobject","organizationalperson","hostobject","top","ipasshuser","inetorgperson","sambasamaccount","ipaperson","person","inetuser","krbprincipalaux","authorizedserviceobject","shadowaccount","posixaccount","ipaSshGroupOfPubKeys","ipaMail"], "sambahomedrive":["Z:"], "sambapwdmustchange":["12345"], "gidnumber":["100"], "gecos":["My Name"], "sn":["Name"], "loginshell":["/bin/bash"], "mailtarget":["user"], "memberofindirect_role":["ABCD"], "krblastpwdchange":[{"__datetime__":"12345"}], "sambapwdcanchange":["0"]}, "value":"user","error":null }, {"summary":null, "result": {"dn":"cn=global_policy,cn=DOMAIN,cn=kerberos,dc=DOMAIN,dc=suffix", "krbminpwdlife":["0"], "krbpwdminlength":["8"], "objectclass":["top","nsContainer","krbPwdPolicy"], "krbpwdmindiffchars":["3"], "krbpwdhistorylength":["2"], "krbpwdlockoutduration":["0"], "krbpwdmaxfailure":["10000"], "krbmaxpwdlife":["720"], "attributelevelrights":{"krbmaxpwdlife":"rscwo","cn":"rscwo","krbminpwdlife":"rscwo","krbpwdminlength":"rscwo","objectclass":"rscwo","krbpwdmaxrenewablelife":"rscwo","aci":"rscwo","krbpwdattributes":"rscwo","krbpwdlockoutduration":"rscwo","krbpwdmaxlife":"rscwo","krbpwdmaxfailure":"rscwo","krbpwdfailurecountinterval":"rscwo","krbpwdallowedkeysalts":"rscwo","krbpwdmindiffchars":"rscwo","nsaccountlock":"rscwo","krbpwdhistorylength":"rscwo"}, "krbpwdfailurecountinterval":["0"], 
"cn":["global_policy"]},"value":null,"error":null}, {"summary":null,"result": {"telephonenumber":["12345"], "krbextradata":[{"__base64__":"12345="}], "ipasshpubkey":[{"__base64__":"12345"}], "cn":["My name"], "krbcanonicalname":["user@DOMAIN"], "uidnumber":["1010"], "sambapwdmustchange":["12345"], "mailtarget":["user"], "mailsenderwhitelist":["Test@dummy.com"], "homedirectory":["/user/user"], "uid":["user"], "employeetype":["Wimi"], "sambalogofftime":["12345"], "krbmaxrenewableage":["12345"], "shadowwarning":["30"], "shadowmin":["2"], "attributelevelrights":{"ipasshpubkey":"rscwo","homepostaladdress":"rscwo","photo":"rscwo","x121address":"rscwo","manager":"rscwo","mailtarget":"rscwo","physicaldeliveryofficename":"rscwo","sambalogofftime":"rscwo","cn":"rscwo","sambasid":"rscwo","title":"rscwo","sambamungeddial":"rscwo","usercertificate":"rscwo","sambabadpasswordcount":"rscwo","mail":"rscwo","sambalogonscript":"rscwo","krbprincipalkey":"swo","employeetype":"rscwo","krbmaxticketlife":"rscwo","sambalmpassword":"wo","postalcode":"rscwo","krbprincipalauthind":"rscwo","seealso":"rscwo","krblastadminunlock":"rscwo","krbpasswordexpiration":"rscwo","l":"rscwo","secretary":"rscwo","postofficebox":"rscwo","registeredaddress":"rscwo","shadowinactive":"rscwo","userpassword":"swo","krbupenabled":"rscwo","krbticketflags":"rscwo","street":"rscwo","krbprincipalexpiration":"rscwo","krbmaxrenewableage":"rscwo","facsimiletelephonenumber":"rscwo","loginshell":"rscwo","jpegphoto":"rscwo","sambaprimarygroupsid":"rscwo","krblastsuccessfulauth":"rsc","userpkcs12":"rscwo","shadowexpire":"rscwo","roomnumber":"rscwo","carlicense":"rscwo","host":"rscwo","ipauniqueid":"rsc","krbpwdpolicyreference":"rscwo","postaladdress":"rscwo","givenname":"rscwo","krblastfailedauth":"rsc","usersmimecertificate":"rscwo","aci":"rscwo","sambahomedrive":"rscwo","o":"rscwo","employeenumber":"rscwo","ou":"rscwo","sambapwdcanchange":"rscwo","initials":"rscwo","telephonenumber":"rscwo","krbextradata":"rsc","shadowwarni
ng":"rscwo","externalmail":"rscwo","sn":"rscwo","mailsenderwhitelist":"rscwo","krbprincipalname":"rscwo","nsaccountlock":"rscwo","pager":"rscwo","dayofbirth":"rscwo","uidnumber":"rscwo","preferreddeliverymethod":"rscwo","internationalisdnnumber":"rscwo","shadowflag":"rscwo","businesscategory":"rscwo","sambadomainname":"rscwo","telexnumber":"rscwo","sambauserworkstations":"rscwo","destinationindicator":"rscwo","krbticketpolicyreference":"rscwo","inetuserhttpurl":"rscwo","krbpwdhistory":"","krbprincipalaliases":"rscwo","inetuserstatus":"rscwo","objectclass":"rscwo","gecos":"rscwo","uid":"rscwo","krbcanonicalname":"rscwo","labeleduri":"rscwo","sambaprofilepath":"rscwo","sambapwdmustchange":"rscwo","homedirectory":"rscwo","sambakickofftime":"rscwo","displayname":"rscwo","shadowmin":"rscwo","sambahomepath":"rscwo","teletexterminalidentifier":"rscwo","shadowmax":"rscwo","preferredlanguage":"rscwo","sambalogontime":"rscwo","krbprincipaltype":"rscwo","sambapwdlastset":"rscwo","sambabadpasswordtime":"rscwo","x500uniqueidentifier":"rscwo","description":"rscwo","memberof":"rsc","sambaacctflags":"rscwo","sambapasswordhistory":"rscwo","sambalogonhours":"rscwo","shadowlastchange":"rscwo","departmentnumber":"rscwo","authorizedservice":"rscwo","mobile":"rscwo","sambantpassword":"wo","st":"rscwo","gidnumber":"rscwo","homephone":"rscwo","krbloginfailedcount":"rscwo","krballowedtodelegateto":"rscwo","audio":"rscwo","krblastpwdchange":"rsc"}, "facsimiletelephonenumber":["12345"], "loginshell":["/bin/bash"], "dayofbirth":["1990-01-01"], "externalmail":["user@dummy.com"], "shadowmax":["365"], "sambalogontime":["0"], "shadowinactive":["90"], "mail":["a@dummy.com","user@dummy.com","abc@dummy.com","asdf@dummy.com","owner-asdf@dummy.com","owner-asdfasdf@dummy.com"], "sambapwdlastset":["12345"], "shadowexpire":["12345"], "dn":"uid=user,cn=users,cn=accounts,dc=DOMAIN,dc=suffix", "displayname":["My name"], "description":["xasd"], "memberof":["...long list of groups ..."], 
"roomnumber":["1200"], "sambaacctflags":["[U]"], "sambapasswordhistory":["0000000000000000000000000000000000000000000000000000000000000000"], "krbmaxticketlife":["12345"], "krbprincipalname":["user@DOMAIN"], "givenname":["Hey Ho"], "shadowlastchange":["12345"], "sambaprimarygroupsid":["S-12345"], "krbpasswordexpiration":[{"__datetime__":"12345"}], "krblastfailedauth":[{"__datetime__":"12345"}], "objectclass":["krbticketpolicyaux","ipaobject","organizationalperson","hostobject","top","ipasshuser","inetorgperson","sambasamaccount","idaperson","person","inetuser","krbprincipalaux","authorizedserviceobject","shadowaccount","posixaccount","ipaSshGroupOfPubKeys","idaMail"], "sambahomedrive":["Z:"], "sambasid":["S-12345"], "gidnumber":["100"], "gecos":["My Name"], "sn":["Name"], "krbloginfailedcount":["0"], "krblastpwdchange":[{"__datetime__":"12345"}], "sambapwdcanchange":["0"], "ipauniqueid":["12345"]}, "value":"user", "error":null }, { "error_name":"NotFound", "error":"CA is not configured", "error_code":4001, "error_kw":{"reason":"CA is not configured"}}] }, "version":"4.6.6", "error":null, "id":null, "principal":"user@DOMAIN" }
When we started to debug the JS script, we observed that there are two arrays, namely
i.fields.fields.keys i.fields.fields.values
The exception occurs when it tries to process element 18 in the list, the usercertificate. Since the element is undefined, I think some function like length() throws the exception. Everything after index 18 is not displayed anymore.
i.fields.fields.keys = 0: "title" 1: "givenname" 2: "sn" 3: "cn" 4: "displayname" 5: "initials" 6: "gecos" 7: "userclass" 8: "uid" 9: "has_password" 10: "krbpasswordexpiration" 11: "uidnumber" 12: "gidnumber" 13: "krbprincipalname" 14: "krbprincipalexpiration" 15: "loginshell" 16: "homedirectory" 17: "ipasshpubkey" 18: undefined 19: "ipacertmapdata" 20: "ipauserauthtype" 21: "ipatokenradiusconfiglink" 22: "ipatokenradiususername" 23: "krbmaxpwdlife" 24: "krbminpwdlife" 25: "krbpwdhistorylength" 26: "krbpwdmindiffchars" 27: "krbpwdminlength" 28: "krbpwdmaxfailure" 29: "krbpwdfailurecountinterval" 30: "krbpwdlockoutduration" 31: "krbmaxrenewableage" 32: "krbmaxticketlife" 33: "mail" 34: "telephonenumber" 35: "pager" 36: "mobile" 37: "facsimiletelephonenumber" 38: "street" 39: "l" 40: "st" 41: "postalcode" 42: "ou" 43: "manager" 44: "departmentnumber" 45: "employeenumber" 46: "employeetype" 47: "preferredlanguage" 48: "carlicense" length: 49 i.fields.fields.values[18]: acl_param: "usercertificate" label: "Certificates"
I can do the same thing on the command line, which works:
# ipa user-show user --raw --all dn: uid=user,cn=users,cn=accounts,dc=DOMAIN,dc=suffix uid: user givenname: Hey Ho sn: Name cn: My Name homedirectory: /user/user gecos: My Name loginshell: /bin/bash krbcanonicalname: user@DOMAIN krbprincipalname: user@DOMAIN mail: name@dummy.com ... uidnumber: 1010 gidnumber: 100 telephonenumber: 12345 sshpubkeyfp: SHA256:12345 (ssh-ed25519) nsaccountlock: FALSE has_password: TRUE has_keytab: TRUE dayOfBirth: 1990-01-01 description: test displayName: My name employeeType: Wimi externalMail: name@dummy.com facsimileTelephoneNumber: 12345 ipaSshPubKey: 12345 ipaUniqueID: 12345 krbExtraData: 12345= krbLastFailedAuth: 12345 krbLastPwdChange: 12345 krbLoginFailedCount: 0 krbPasswordExpiration: 12345 mailSenderWhitelist: Test@dummy.com mailTarget: user memberof: cn=group,cn=groups,cn=accounts,dc=DOMAIN,dc=suffix .... memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=DOMAIN,dc=suffix ... objectClass: krbticketpolicyaux ... roomNumber: 1200 sambaAcctFlags: [U] sambaHomeDrive: Z: sambaLogoffTime: 12345 sambaLogonTime: 0 sambaPasswordHistory: 12345 sambaPrimaryGroupSID: S-12345 sambaPwdCanChange: 0 sambaPwdLastSet: 12345 sambaPwdMustChange: 12345 sambaSID: S-12345 shadowExpire: 12345 shadowInactive: 90 shadowLastChange: 12345 shadowMax: 365 shadowMin: 2 shadowWarning: 30
So, maybe this is helpful to identify the root of the problem.
Best, Kai
Hi @gemlau,
You seem willing to modify your installation in-place, so could you please apply the following patch and let me know the results?
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index b5008aed2..62c4d7958 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -1839,9 +1839,12 @@ class cert_find(Search, CertMethod): truncated = False complete = False - for sub_search in (self._cert_search, - self._ca_search, - self._ldap_search): + if ca_enabled: + searches = [self._cert_search, self._ca_search, self._ldap_search] + else + searches = [self._cert_search, self._ldap_search] + + for sub_search in searches: sub_result, sub_truncated, sub_complete = sub_search( all=all, raw=raw,
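Review bot: the added `+ else` line is missing its trailing colon, so the patched cert.py will fail to compile with a SyntaxError and the whole cert plugin will not load; it should read `+ else:`. Otherwise the change does what the report asks for: `_ca_search` is left out of `searches` when `ca_enabled` is false, so a CA-less server no longer reaches `ca_enabled_check` for a single-user cert_find and the batch call from the web UI no longer ends in error 4001. Worth confirming that `ca_enabled` is the flag computed earlier in `execute()`, since the hunk does not show where it is set.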
Hi @ftweedal ,
Thanks for the patch! Yes, that works, except that for the else statement, a ":" is missing.
I updated our setup accordingly and from our side I don't see any drawbacks in this patch.
Thanks for confirming @gemlau. Pull request: https://github.com/freeipa/freeipa/pull/4821
Metadata Update from @ftweedal: - Issue assigned to ftweedal
Metadata Update from @ftweedal: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4821
master:
ipa-4-6:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1884819
Issue linked to Bugzilla: Bug 1884819