When there is a communication issue between the IPA server and the PKI server, parts of the WebUI "User" page are not filled in. Reported in the freeipa-users mailing list, in this thread.
Install IPA with self-signed CA:
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
Create a user with an employee number and employee type:
kinit admin; ipa user-add testuser --first test --last user --employeenumber=123456 --employeetype=manager
systemctl stop pki-tomcatd@pki-tomcat
When there is a communication issue between the IPA server and the PKI server, the WebUI should either continue and fill the other fields, or display an error message in the WebUI.
Note that the command-line has no issue: ipa user-show testuser --all prints all the attributes.
# rpm -qa freeipa-server dogtag-pki-server
dogtag-pki-server-11.0.2-1.fc35.noarch
freeipa-server-4.9.8-1.fc35.x86_64
Looks like I'm experiencing a similar issue as far as user experience goes, but PKI services are fine.
We are losing visibility of some standard attributes like email and phone numbers when users view their profiles. The attributes are shown when viewing the active user list, but not when editing a user. This means we can't remove these values using the web-UI, and it's quite confusing to our users.
Via CLI all attributes are returned.
Interestingly enough, restarting pki-tomcatd resolved our issue of values not showing in the web-UI. I'm not aware of PKI issues and these servers have had a reboot, so I have no clue what's going on here.
sudo systemctl restart pki-tomcatd@pki-tomcat.service