[Freeipa-users] call implemented methods via xml-rpc
Rob Crittenden
rcritten at redhat.com
Fri Apr 23 17:28:05 UTC 2010
Lots of embedded comments...
ALAHYANE Rachid wrote:
> Hi,
>
>
> How about:
>
> api.bootstrap(context='webservices', debug=True,
> xmlrpc_uri='https://luna.greyoak.com/ipa/xml')
>
>
> when I do this, I get these messages
>
> ---------------------------------------------------------------------
> In [1]: from ipalib import api
>
> In [2]: api.bootstrap(context='webservices', debug=True,
> xmlrpc_uri='https://server.domain.org/ipa/xml')
>
> In [3]: api.env.xmlrpc_uri
> Out[3]: u'https://server.domain.org/ipa/xml'
>
> In [4]: api.env.realm
> Out[4]: u'EXAMPLE.COM'
>
> In [5]: api.finalize()
> ipa: DEBUG: importing all plugin modules in
> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
> not True
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbac.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/rolegroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/taskgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>
> In [6]: api.Backend.xmlclient.connect()
> ipa: INFO: Created connection context.xmlclient
>
> In [7]: api.Command.user_show(u'admin')
> ipa: DEBUG: raw: user_show(u'admin')
> ipa: INFO: user_show(u'admin', all=False, raw=False)
> ipa: INFO: Forwarding 'user_show' to server
> u'https://server.domain.org/ipa/xml'
> ipa: DEBUG: Caught fault 3008 from server
> https://server.domain.org/ipa/xml: invalid 'uid': Only one value is allowed
> ---------------------------------------------------------------------------
> ConversionError Traceback (most recent call last)
>
> /root/<ipython console> in <module>()
>
> /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in __call__(self,
> *args, **options)
> 399 self.validate(**params)
> 400 (args, options) = self.params_2_args_options(**params)
> --> 401 ret = self.run(*args, **options)
> 402 if (
> 403 isinstance(ret, dict)
>
> /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in run(self, *args,
> **options)
> 668 if self.api.env.in_server:
> 669 return self.execute(*args, **options)
> --> 670 return self.forward(*args, **options)
> 671
> 672 def execute(self, *args, **kw):
>
> /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in forward(self,
> *args, **kw)
> 689 Forward call over XML-RPC to this same command on server.
> 690 """
> --> 691 return self.Backend.xmlclient.forward(self.name, *args, **kw)
> 692
> 693 def finalize(self):
>
> /usr/lib/python2.6/site-packages/ipalib/rpc.pyc in forward(self, name,
> *args, **kw)
> 412 if e.faultCode in self.__errors:
> 413 error = self.__errors[e.faultCode]
> --> 414 raise error(message=e.faultString)
> 415 raise UnknownError(
> 416 code=e.faultCode,
>
> ConversionError: invalid 'uid': Only one value is allowed
> ---------------------------------------------------------------------
>
> For api.env.realm, u'DOMAIN.ORG' is the expected value.
> It seems that api.env was not initialized correctly.
I suspect it isn't reading the configuration file. Try adding
'in_tree=False' to your bootstrap call. This should force it to read
/etc/ipa/default.conf (which I assume you have configured).
>
> Is there anything interesting logged on the server?
>
> With debug=True you get a lot more output, might show something as well.
>
>
> You are right, here the logs on the ipa server
>
> ---------------------------------------------------------------------
> ==> /var/log/httpd/error_log <==
> ipa: INFO: Created connection context.ldap2
> ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False)
> ipa: INFO: Destroyed connection context.ldap2
>
> ==> /var/log/httpd/access_log <==
> 172.30.0.137 - raca at DOMAIN.ORG
> [23/Apr/2010:18:06:16 +0200] "POST /ipa/xml HTTP/1.0" 200 315
>
> ==> /var/log/httpd/error_log <==
> ipa: INFO: Created connection context.ldap2
> ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False)
> ipa: INFO: Destroyed connection context.ldap2
>
> ==> /var/log/httpd/access_log <==
> 172.30.0.137 - raca at DOMAIN.ORG
> [23/Apr/2010:18:11:53 +0200] "POST /ipa/xml HTTP/1.0" 200 315
>
> ---------------------------------------------------------------------
>
> I think I have this problem because I use two different versions of
> freeipa. On the one hand, I have an old version
> (1.9.0GIT28d8bd6-0.fc12.i686 that I generated some time ago) of
> freeipa on the ipa server; on the other hand, I have the latest version of
> freeIPA on the client. So, I generated new rpms from the latest version of
> the git repository and I installed them on the client and server.
Yes, I think you're right here. The multiple value error is because
admin is being converted into a tuple at some point. It looks OK in the
client log, though we'd have to enable more XML-RPC debugging to see what
it is sent as on the wire. We did some recent API changes, so I'm going
to guess this is what the problem is; updating (or using the same
version of IPA on both sides) is the right way to go.
>
> But when I start ipa-server-install on the server, I get an error (hmm, I
> think that I must post a new mail on the mailing list)
>
> ----------------------------------------------------------------------
> ....
> ....
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
>
> Configuring directory server for the CA:
> [1/4]: creating directory server user
> [2/4]: creating directory server instance
> [3/4]: configuring directory to start on boot
> [4/4]: restarting directory server
> done configuring pkids.
> Configuring certificate server:
> [1/14]: creating certificate server user
> [2/14]: configuring certificate server instance
> root : CRITICAL failed to restart ca instance Command
> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> server.domain.org -cs_port 9445
> -client_certdb_dir /tmp/tmp-Li3Uhg -client_certdb_pwd XXXXXXXX
> -preop_pin cYUmg5JpkmRm3xBAlTqg -domain_name IPA -admin_user admin
> -admin_email root at localhost -admin_password XXXXXXXX -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host server.domain.org
> -ldap_port 7389 -bind_dn "cn=Directory
> Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
> -ca_server_cert_subject_name "CN=server.domain.org,O=IPA"
> -ca_audit_signing_cert_subject_name
> "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate
> Authority,O=IPA" -external false -clone false' returned non-zero exit
> status 255
> [3/14]: creating CA agent PKCS#12 file in /root
> Unexpected error - see ipaserver-install.log for details:
> Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
> /tmp/tmp-Li3Uhg -k /tmp/tmphMeDU3 -w /tmp/tmphMeDU3' returned non-zero
> exit status 24
Yeah, mismatch in dogtag. You have two choices:
1. If you don't care about the CA at this point you can install the IPA
server with --selfsign which will install a simpler, self-signed CA that
uses the NSS command-line utilities for certificates. Not really the
best choice for a production installation but adequate for testing.
2. Enable the updates-testing repo and update dogtag. I think that this
should do it: yum --enablerepo=updates-testing update pki-* dogtag-*
The problem is dogtag has pretty weak dependencies right now and at
least one package is still lingering in updates-testing (pki-common).
rob
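
The reply above attributes fault 3008 to 'admin' being turned into a tuple somewhere between client and server. As an added illustration (not code from this thread or from FreeIPA), the following uses only Python 3's standard `xmlrpc.client` to show how a tuple-wrapped positional argument is marshalled as an XML-RPC array and why a single-valued parameter check then rejects it. `single_value_check` is a hypothetical stand-in for the server's validation, and nothing here claims to reproduce what either IPA version actually sends.

```python
# Added illustration: standard-library XML-RPC only, no ipalib involved.
import xmlrpc.client


def wire_form(method, args):
    """Marshal a call and return the XML that would go on the wire."""
    return xmlrpc.client.dumps(tuple(args), methodname=method)


def decoded_first_arg(xml):
    """Decode a marshalled call as a receiver would: (method, first positional arg)."""
    params, method = xmlrpc.client.loads(xml)
    return method, params[0]


def single_value_check(name, value):
    """Hypothetical server-side check for a single-valued parameter."""
    if isinstance(value, (list, tuple)):
        raise ValueError("invalid %r: Only one value is allowed" % name)
    return value


def diagnose(args):
    """Round-trip the call and report what the receiver would conclude."""
    _, first = decoded_first_arg(wire_form("user_show", args))
    try:
        single_value_check("uid", first)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the client log shows user_show(u'admin'),
    # the server log shows user_show((u'admin',), ...).
    for label, args in (("flat", ["admin"]), ("wrapped", [("admin",)])):
        print(label, "->", diagnose(args))
        print(wire_form("user_show", args))
```

Comparing the two printed payloads shows the difference to look for when capturing the real traffic: a bare `<string>` parameter versus one enclosed in `<array><data>`.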