Thanks Alex, your comment helped me a lot and so I could fix the issue. I had exactly the
same issue.
The problem is that none of my users had the attribute "ipantsecurityidentifier".
I found the instruction here:
https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/...
Procedure
Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and
groups. This task might be resource-intensive:
# kinit admin
# ipa config-mod --enable-sid --add-sids
Verification
Verify that the IdM admin user account entry has an ipantsecurityidentifier attribute with
a SID that ends with -500, the SID reserved for the domain administrator:
[root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier
ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500
After this procedure, my admin user had the attribute "ipantsecurityidentifier"
and I could successfully log in to the WebUI. The issue I encountered was that not all of my
users had been upgraded with the new attribute. Therefore I had to delete and recreate
them.
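
A check for the situation described above, where some users still lack "ipantsecurityidentifier" after the SIDgen task has run. This is an added example, not part of the original post or the Red Hat documentation; the function names and the sample listing are constructed, and the parser assumes the blank-line-separated "User login:" entry layout that `ipa user-find --all` prints.

```shell
#!/bin/sh
# Added example (not from the original post).
# users_missing_sid: read `ipa user-find --all` style output on stdin and
# print the login of every entry without an ipantsecurityidentifier line.
# Assumption: entries are separated by blank lines and each has "User login:".
users_missing_sid() {
    awk '
        function emit() {
            if (login != "" && !has_sid) print login
            login = ""; has_sid = 0
        }
        /^[ \t]*$/ { emit(); next }                 # blank line ends an entry
        /^[ \t]*User login:/ {
            sub(/^[ \t]*User login:[ \t]*/, "")
            login = $0
            next
        }
        # attribute names are case-insensitive, so compare in lower case
        tolower($0) ~ /^[ \t]*ipantsecurityidentifier:/ { has_sid = 1 }
        END { emit() }                              # last entry has no trailing blank
    '
}

# Constructed sample listing; only the admin SID is taken from the post.
sample_output() {
    cat <<'EOF'
---------------
4 users matched
---------------
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  User login: admin
  ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500

  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  User login: alice

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  User login: bob
  ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-1001

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
  User login: carol
----------------------------
Number of entries returned 4
----------------------------
EOF
}

# On an IdM server, after kinit:
#   ipa user-find --all --sizelimit=0 | users_missing_sid
```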