<div>It works !!! I installed my server with --selfsign and i added in_tree=False in my api.bootstrap() method and it runs very well. Thank you guys ^^</div><div> </div>-- Meilleures salutations / Best Regards Rachid ALAHYANE <div class="gmail_quote">2010/4/23 Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> Lots of embedded comments... ALAHYANE Rachid wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> Hi, How about: api.bootstrap(context='webservices', debug=True, xmlrpc_uri='<a href="https://luna.greyoak.com/ipa/xml" target="_blank">https://luna.greyoak.com/ipa/xml</a>') when I do this, I get these messages --------------------------------------------------------------------- In [1]: from ipalib import api In [2]: api.bootstrap(context='webservices', debug=True, xmlrpc_uri='<a href="https://server.domain.org/ipa/xml" target="_blank">https://server.domain.org/ipa/xml</a>') In [3]: api.env.xmlrpc_uri Out[3]: u'<a href="https://server.domain.org/ipa/xml" target="_blank">https://server.domain.org/ipa/xml</a>' </div> In [4]: api.env.realm Out[4]: u'<a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> <<a href="http://EXAMPLE.COM" target="_blank">http://EXAMPLE.COM</a>>'<div><div></div><div class="h5"> In [5]: api.finalize() ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'... ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbac.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/rolegroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/taskgroup.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' In [6]: api.Backend.xmlclient.connect() ipa: INFO: Created connection context.xmlclient In [7]: api.Command.user_show(u'admin') ipa: DEBUG: raw: user_show(u'admin') ipa: INFO: user_show(u'admin', all=False, raw=False) ipa: INFO: Forwarding 'user_show' to server u'<a href="https://server.domain.org/ipa/xml" target="_blank">https://server.domain.org/ipa/xml</a>' ipa: DEBUG: Caught fault 3008 from server <a href="https://server.domain.org/ipa/xml" target="_blank">https://server.domain.org/ipa/xml</a>: invalid 'uid': Only one value is allowed --------------------------------------------------------------------------- ConversionError Traceback (most recent call last) /root/<ipython console> in <module>() /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in __call__(self, *args, **options) 399 self.validate(**params) 400 (args, options) = self.params_2_args_options(**params) --> 401 ret = self.run(*args, **options) 402 if ( 403 isinstance(ret, dict) /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in run(self, *args, **options) 668 if self.api.env.in_server: 669 return self.execute(*args, **options) --> 670 return self.forward(*args, **options) 671 672 def execute(self, *args, **kw): /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in forward(self, *args, **kw) 689 Forward call over XML-RPC to this same command on server. 690 """ </div></div> --> 691 return self.Backend.xmlclient.forward(<a href="http://self.name" target="_blank">self.name</a> <<a href="http://self.name" target="_blank">http://self.name</a>>, *args, **kw)<div class="im"> 692 693 def finalize(self): /usr/lib/python2.6/site-packages/ipalib/rpc.pyc in forward(self, name, *args, **kw) 412 if e.faultCode in self.__errors: 413 error = self.__errors[e.faultCode] --> 414 raise error(message=e.faultString) 415 raise UnknownError( 416 code=e.faultCode, ConversionError: invalid 'uid': Only one value is allowed --------------------------------------------------------------------- </div> For api.env.realm, u'<a href="http://DOMAIN.ORG" target="_blank">DOMAIN.ORG</a> <<a href="http://DOMAIN.ORG" target="_blank">http://DOMAIN.ORG</a>>' is expected value. it seems that api.env was not initialized correctly. </blockquote> I suspect is isn't reading the configuration file. Try adding 'in_tree=False' to your bootstrap call. This should force it to read /etc/ipa/default.conf (which I assume you have configured). <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> Is there anything interesting logged on the server? With debug=True you get a lot more output, might show something as well. You are right, here the logs on the ipa server --------------------------------------------------------------------- ==> /var/log/httpd/error_log <== ipa: INFO: Created connection context.ldap2 ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False) ipa: INFO: Destroyed connection context.ldap2 ==> /var/log/httpd/access_log <== </div> 172.30.0.137 - <a href="mailto:raca@DOMAIN.ORG" target="_blank">raca@DOMAIN.ORG</a> <mailto:<a href="mailto:raca@DOMAIN.ORG" target="_blank">raca@DOMAIN.ORG</a>> [23/Apr/2010:18:06:16 +0200] "POST /ipa/xml HTTP/1.0" 200 315<div class="im"> ==> /var/log/httpd/error_log <== ipa: INFO: Created connection context.ldap2 ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False) ipa: INFO: Destroyed connection context.ldap2 ==> /var/log/httpd/access_log <== </div> 172.30.0.137 - <a href="mailto:raca@DOMAIN.ORG" target="_blank">raca@DOMAIN.ORG</a> <mailto:<a href="mailto:raca@DOMAIN.ORG" target="_blank">raca@DOMAIN.ORG</a>> [23/Apr/2010:18:11:53 +0200] "POST /ipa/xml HTTP/1.0" 200 315<div class="im"> --------------------------------------------------------------------- I think, I have this problem because I use two different versions of freeipa. In the one hand, I have an old version (1.9.0GIT28d8bd6-0.fc12.i686 that I generated there was a time) of freeipa on the ipa server, on the other hand I have the last version of freeIPA on the client. So, I generated new rpms from the last version of git repository and I installed them on the client and server. </div></blockquote> Yes, I think you're right here. The multiple value error is because admin is being converted into a tuple at some point. Looks ok in the client log though we'd have to enable more XML-RPC debugging to see what it is sent as on the wire. We did some recent API changes so I'm going to guess this is what the problem is, updating (or using the same version of IPA on both sides) is the right way to go. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> But when I start ipa-server-install on the server, I get an error (hem I think that I must to post a new mail on the mailing list) ---------------------------------------------------------------------- .... .... The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring directory server for the CA: [1/4]: creating directory server user [2/4]: creating directory server instance [3/4]: configuring directory to start on boot [4/4]: restarting directory server done configuring pkids. Configuring certificate server: [1/14]: creating certificate server user [2/14]: configuring certificate server instance </div> root : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname <a href="http://server.domain.org" target="_blank">server.domain.org</a> <<a href="http://server.domain.org" target="_blank">http://server.domain.org</a>> -cs_port 9445 -client_certdb_dir /tmp/tmp-Li3Uhg -client_certdb_pwd XXXXXXXX -preop_pin cYUmg5JpkmRm3xBAlTqg -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host <a href="http://server.domain.org" target="_blank">server.domain.org</a> <<a href="http://server.domain.org" target="_blank">http://server.domain.org</a>> -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=<a href="http://server.domain.org" target="_blank">server.domain.org</a> <<a href="http://server.domain.org" target="_blank">http://server.domain.org</a>>,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone false' returned non-zero exit status 255<div class="im"> [3/14]: creating CA agent PKCS#12 file in /root Unexpected error - see ipaserver-install.log for details: Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d /tmp/tmp-Li3Uhg -k /tmp/tmphMeDU3 -w /tmp/tmphMeDU3' returned non-zero exit status 24 </div></blockquote> Yeah, mismatch in dogtag. You have two choices: 1. If you don't care about the CA at this point you can install the IPA server with --selfsign which will install a simpler, self-signed CA that uses the NSS command-line utilities for certificates. Not really the best choice for a production installation but adequate for testing. 2. Enable the updates-testing repo and update dogtag. I think that this should do it: yum --enablerepo=updates-testing update pki-* dogtag-* The problem is dogtag has pretty weak dependencies right now and at least one package is still lingering in updates-testing (pki-common). rob </blockquote></div>