[Freeipa-users] Backend & UI plugin update for 4.4.x
Steve Huston
huston at astro.princeton.edu
Thu Jan 26 16:53:06 UTC 2017
Just did it again with the same result. Reinstalled the machine, then
did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
version 4.4.0-14.el7_3.4 and a bunch of other packages. Next was the
ipa-server-install as I used before, only without --mkhomedir this
time. After entering the passwords for directory administrator and
the admin user, I then logged in to the web interface, immediately
clicked "add" and added a user 'foobar'. When I clicked "add and
edit" and was brought to the user information page, it looks like this
at the bottom:
https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
I then entered an employee number of '0001' just to give something to
save, and clicked save. The screen now shows this (I've clicked the
drop-down on the manager field so the choices are visible):
https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
Holding shift and clicking reload, the page now looks like this (the
employee number field is also blank again):
https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
Since we do run a repackaged distribution here (Springdale Linux), I
just unpacked ipa-server-common from our repository with the above
version, and http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
and 'diff' found zero differences between them. Unlikely, but I
wanted to rule out a packaging error causing the problem.
On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
<huston at astro.princeton.edu> wrote:
> No, that should be all of the major changes; the puppet module that
> installs things only puts the two plugin files in their respective
> places. The client part of the IPA module makes changes to have the
> machine join the domain and whatnot, but those shouldn't affect the
> webui.
>
> I do modify the schema by adding some attribute types for Puppet,
> namely puppetClass, parentNode, environment, puppetVar, and the object
> class puppetClient. That's basically right from one of the Puppet
> webpages and also worked in the past - and is one of the things the
> python plugin does, add the appropriate objectclass to host entries if
> puppetVar is added to a host entry.
>
> My steps to install:
> * ipa-server-install --realm=<realm> --domain=<domain> --mkhomedir
> --hostname=<hostname> --no-host-dns
> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
> < paste puppet schema changes>
> < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
> service account used by puppet for adding hosts to IPA >
> * login to web UI
> * * Change home directory base, default shell, default SELinux user
> * * Add SELinux user map for staff/sysadmin users
> * * Add "user adder" permission/privilege/role for users who will be
> able to create stageusers
>
> That's about as far as I got before I realized some of the plugin
> pieces weren't working, and then fixed the python plugin followed by
> working on the UI plugin and finding this problem. I'll go wipe and
> reinstall the system again and walk through the steps, but test the UI
> first and in between to see if I can find which of the steps might be
> causing things to hiccup.
>
> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka <pvomacka at redhat.com> wrote:
>> Hello Steve,
>>
>> I tried to reproduce what you described on the very same version of
>> ipa-server and I was not successful. Actually I was not used your back-end
>> plugin. I tried it with no plugin and then with your UI plugin and both
>> worked correctly. Did you do any other changes somewhere in your
>> installation?
>>
>> I will try it again also with your Python plugin and we'll see.
>>
>>
>> On 01/24/2017 08:59 PM, Steve Huston wrote:
>>>
>>> And now I'm convinced this has nothing to do with my plugin and
>>> instead is a bug somewhere in FreeIPA.
>>>
>>> I removed the entirety of the "astrocustom" plugin that I wrote,
>>> restarted httpd, and force reloaded the page in chrome. I clicked to
>>> add a new user, gave the basic information, and clicked "add and
>>> edit". The bottom of the page shows the "Employee information" on the
>>> left side bottom, and the manager drop-down is empty. I entered '1'
>>> in the "employee type" field and clicked save, and now "Employee
>>> Information" is on the right side directly under "Contact settings",
>>> and the manager drop-down is populated with the list of UIDs on the
>>> system.
>>>
>>> When the UI is in the failed state, the "email address" field is also
>>> blank, but when things switch to how they should be (after submitting
>>> a change) it is populated with the email address in the record. I
>>> just tested by adding a telephone number to the record, and that also
>>> made the contact information and employee information facets refresh
>>> with the proper data. Pressing shift-reload again makes all the
>>> information disappear (including the telephone number I just entered).
>>>
>>> This is with ipa-server-4.4.0-14.el7_3.4
>>>
>>>
>>> On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston
>>> <huston at astro.princeton.edu> wrote:
>>>>
>>>> Just tested again, and this is still baffling:
>>>>
>>>> * Create a stage user with the right data, works fine, can be edited.
>>>> * Enable that user, and now the two fields ('manager' and
>>>> 'employeeType') appear to have bogus data in the UI, and I cannot save
>>>> the page without changing them to something else.
>>>> * Once that user is saved, the "Employee Information" facet moves to
>>>> the right side of the page, and now shows not only the current data in
>>>> the manager drop down but also the other choices (uids). Change the
>>>> value of manager and employeetype back to what they were previously
>>>> and it saves.
>>>> * An ldapsearch run when the user is first created (as the directory
>>>> manager), and after having two edits (one to change the values to
>>>> something else to let the webui save them, and one to change them back
>>>> to what they should be and were the first time) produce completely
>>>> identical results.
>>>> * The output of "ipa user-show <uid> --all --raw" is also identical at
>>>> those same steps.
>>>>
>>>> So something, somewhere, is being saved in a way that prevents the
>>>> webui from displaying them properly, that gets fixed when those values
>>>> are manually changed via the webui.
>>>>
>>>> On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston
>>>> <huston at astro.princeton.edu> wrote:
>>>>>
>>>>> Even more interesting...
>>>>>
>>>>> I tried to modify one of the records that was not displaying properly
>>>>> in the "active users" group, and sure enough the webui complained that
>>>>> the "Requested By" (relabeled "manager") field was not filled in since
>>>>> it was blank. It also, however, complained that the "User tier"
>>>>> (relabeled "employeetype") was incorrect, even though it showed the
>>>>> label associated with the value 1. I clicked the search drop-down for
>>>>> manager, typed in my own uid, and even though everything had been
>>>>> blank in the drop down before now my uid showed up. I clicked on it,
>>>>> and my uid was now in the manager field. I then clicked the drop down
>>>>> for employeetype, and chose one of the other options. I was now able
>>>>> to save the changes to the record.
>>>>>
>>>>> Upon reloading the page, the "Employee Information" facet now shoed up
>>>>> on the right side bottom, instead of the left side bottom where it was
>>>>> appearing. I was also now able to change the drop-down fields for
>>>>> manager and employeetype to another value, and save them, and they
>>>>> worked fine even filling in all the data that should have been there.
>>>>> This almost seemed like the data being returned by the server was
>>>>> flawed somehow, and confusing the webui, but once it was forced to
>>>>> have the right data and re-saved it worked fine subsequently.
>>>>>
>>>>> I looked at the output of "ipa user-show <uid> --all --raw" both
>>>>> before and after making such changes on a user, and can detect no
>>>>> difference between them.
>>>>>
>>>>> On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>>>> wrote:
>>>>>>
>>>>>> On to, 19 tammi 2017, Steve Huston wrote:
>>>>>>>
>>>>>>> On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy
>>>>>>> <abokovoy at redhat.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> In short, FreeIPA 4.2 -> 4.4 change was by splitting server and
>>>>>>>> client
>>>>>>>> side plugins into different paths (ipaserver/plugins and
>>>>>>>> ipaclient/plugins instead of being common in ipalib/plugins). The
>>>>>>>> client
>>>>>>>> code was also changed to always read metadata about API from the
>>>>>>>> server
>>>>>>>> side. This means the client can adopt to any server version that
>>>>>>>> supports API metadata.
>>>>>>>
>>>>>>>
>>>>>>> Right, and I think that the most of the plugin I had belongs
>>>>>>> server-side; in fact, that's where I migrated it to, and things work
>>>>>>> fine. I haven't tested if I can change those values with the cli, but
>>>>>>> I'm less concerned about that at the moment.
>>>>>>>
>>>>>>>> In my sample external plugin you referenced above you can see that I
>>>>>>>> have client-side change that replaces an input string by a file
>>>>>>>> reference so that a file can supplied instead of typing the content
>>>>>>>> of
>>>>>>>> the file on the command line. This is one of most used patterns for
>>>>>>>> client side plugins.
>>>>>>>
>>>>>>>
>>>>>>> In this case, my biggest problem is with the web UI. The 'manager'
>>>>>>> drop down (which I have renamed through the UI plugins to "Requested
>>>>>>> By" to show what user requested and is responsible for this account)
>>>>>>> works fine in the 'add/modify stageuser' context, but not at all in
>>>>>>> the adduser/moduser context, and I can't seem to find out why.
>>>>>>
>>>>>> I'll defer answer for this to our web UI wizards but they would need to
>>>>>> see your code to help, I'd guess.
>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
>>>>
>>>>
>>>>
>>>> --
>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
>>>
>>>
>>>
>>
>> --
>> Pavel^3 Vomacka
>>
>
>
>
> --
> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
> Princeton University | ICBM Address: 40.346344 -74.652242
> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
More information about the Freeipa-users
mailing list