[Freeipa-users] FreeIPA + Ipsilon

Simo Sorce ssorce at redhat.com
Fri Aug 8 20:31:40 UTC 2014


On Thu, 2014-08-07 at 17:49 +0200, Luca Tartarini wrote:
> Hi,
> 
> thanks for the reply, with Cherrypy 3.2.2 it works. Unfortunately now when
> I try to login with 'admin' account ('admin' user created previously during
> the installation of ipa-server) I can't see the Administration tab.
> Basically this condition (in /usr/share/ipsilon/templates/index.html) is
> not satisfied:
> 
> {% if user.is_admin %}
>           <a href="{{ basepath }}/admin" id="admin">Administration</a> |
> {% endif %}
> 
> For ipsilon-server installation I run:
> 
> ipsilon-server-install --secure=no --ipa=yes --krb=yes
> 
> because I read that 'admin' is default.
> When I login with 'admin' in IPA Identity Management it is all ok (I login
> as administrator), with IPSILON I can login but not as administrator.

Is this using Kerberos authentication? Or username/password?

If Kerberos SSO, then do you have KrbLocalUserMapping On in the
<Location /idp/login/krb/negotiate> section in the file
/etc/httpd/conf.d/ipsilon-idp.conf?

If not, then the user will be seen as admin@REALM and not considered the
same as the user "admin" by ipsilon.

Simo.

> I used the last version of jinja2 (jinja2 2.7.2).
> 
> Log of ipsilon-server-install:
> 
> [2014-08-07 17:48:11,242] Intallation arguments:
> [2014-08-07 17:48:11,242] admin_user: admin
> [2014-08-07 17:48:11,242] config_profile: None
> [2014-08-07 17:48:11,242] hostname: ltartari3.cern.ch
> [2014-08-07 17:48:11,242] instance: idp
> [2014-08-07 17:48:11,242] ipa: yes
> [2014-08-07 17:48:11,243] krb: yes
> [2014-08-07 17:48:11,243] krb_httpd_keytab: /etc/httpd/conf/http.keytab
> [2014-08-07 17:48:11,243] krb_realms: None
> [2014-08-07 17:48:11,243] lm_order: ['krb']
> [2014-08-07 17:48:11,243] pam: no
> [2014-08-07 17:48:11,243] pam_service: remote
> [2014-08-07 17:48:11,243] saml2: yes
> [2014-08-07 17:48:11,243] secure: no
> [2014-08-07 17:48:11,243] server_debugging: False
> [2014-08-07 17:48:11,244] system_user: ipsilon
> [2014-08-07 17:48:11,244] testauth: no
> [2014-08-07 17:48:11,244] uninstall: False
> [2014-08-07 17:48:11,244] Installation initiated
> [2014-08-07 17:48:11,244] Installing default config files
> [2014-08-07 17:48:11,461] Configuring environment helpers
> Searching for keytab in: /etc/httpd/conf/http.keytab ... Found!
> Searching for keytab in: /etc/httpd/conf/ipa.keytab ... Found!
> [2014-08-07 17:48:11,486] Configuring login managers
> Cannot set persistent booleans without managed policy.
> [2014-08-07 17:48:12,126] Configuring Authentication Providers
> Generating a 2048 bit RSA private key
> .............+++
> ..............+++
> writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key'
> -----
> Installation complete.
> Please restart HTTPD to enable the IdP instance.
> 
> 
> Thanks in advance.
> 
> Luca Tartarini
> 
> 
> 2014-08-06 17:37 GMT+02:00 Simo Sorce <ssorce at redhat.com>:
> 
> > On Wed, 2014-08-06 at 17:20 +0200, Luca Tartarini wrote:
> > > Hi,
> > >
> > > Thanks for the replies. I updated the line with:
> > >
> > > plugins_by_name = dict((p.name, p) for p in
> > self._site[FACILITY]['enabled'])
> > >
> > > and it works (the installation is completed successfully).
> > >
> > > But now when I try to connect to:
> > >
> > >  https://myidp.example.com/idp
> > >
> > > or I try to configure ipsilon-client (ipsilon-client-install ...) I got
> > > HTTP 500 Internal Error (with ipsilon background). I put "debug = True"
> > > in /etc/ipsilon/idp/ipsilon.conf and I got this (in
> > > /var/log/httpd/error_log):
> > >
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Available
> > > providers: ['saml2']
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > storage path: /var/lib/ipsilon/idp/saml2
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > metadata file: metadata.xml
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > storage path: /var/lib/ipsilon/idp/saml2
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > key
> > > file: /var/lib/ipsilon/idp/saml2/idp.key
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > storage path: /var/lib/ipsilon/idp/saml2
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > certificate file: /var/lib/ipsilon/idp/saml2/idp.pem
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  IdP Provider
> > > registered: saml2
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2]
> > enabled:
> > > 1
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  IdP Provider
> > > enabled: saml2
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
> > > plugin: krb
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
> > > plugin: pam
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] username
> > > text: Username
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] password
> > > text: Password
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] service
> > > name: remote
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] help
> > text:
> > > Insert your Username and Password and then submit.
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
> > > plugin: testauth
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
> > > username text: Username
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
> > > password text: Password
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
> > help
> > > text: Insert your Username and Password and then submit.
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin provider
> > > plugin: saml2
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2]
> > default
> > > allowed nameids: ['persistent', 'transient', 'email', 'kerberos', 'x509']
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > metadata file: metadata.xml
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2]
> > default
> > > email domain: example.com
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > certificate file: /var/lib/ipsilon/idp/saml2/idp.pem
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] allow
> > > self registration: True
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > key
> > > file: /var/lib/ipsilon/idp/saml2/idp.key
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
> > > storage path: /var/lib/ipsilon/idp/saml2
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2]
> > default
> > > nameid: persistent
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Traceback
> > (most
> > > recent call last):
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py",
> > > line 104, in run
> > > [Wed Aug 06 16:22:09 2014] [error]     hook()
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py",
> > > line 63, in __call__
> > > [Wed Aug 06 16:22:09 2014] [error]     return
> > self.callback(**self.kwargs)
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > > "/usr/lib/python2.6/site-packages/ipsilon/util/page.py", line 37, in
> > protect
> > > [Wed Aug 06 16:22:09 2014] [error]     UserSession().remote_login()
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > > "/usr/lib/python2.6/site-packages/ipsilon/util/user.py", line 103, in
> > > __init__
> > > [Wed Aug 06 16:22:09 2014] [error]     self.user = self.get_data('user',
> > > 'name')
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > > "/usr/lib/python2.6/site-packages/ipsilon/util/user.py", line 147, in
> > > get_data
> > > [Wed Aug 06 16:22:09 2014] [error]     if facility not in
> > cherrypy.session:
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/__init__.py",
> > > line 258, in __contains__
> > > [Wed Aug 06 16:22:09 2014] [error]     return key in child
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py",
> > > line 335, in __contains__
> > > [Wed Aug 06 16:22:09 2014] [error]     self.load()
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py",
> > > line 268, in load
> > > [Wed Aug 06 16:22:09 2014] [error]     data = self._load()
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py",
> > > line 497, in _load
> > > [Wed Aug 06 16:22:09 2014] [error]     assert self.locked, ("The session
> > > load without being locked.  "
> > > [Wed Aug 06 16:22:09 2014] [error] AssertionError: The session load
> > without
> > > being locked.  Check your tools' priority levels.
> > > [Wed Aug 06 16:22:09 2014] [error]
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] HTTP
> > > [Wed Aug 06 16:22:09 2014] [error] Request Headers:
> > > [Wed Aug 06 16:22:09 2014] [error]   COOKIE:
> > > __utma=203412483.1716219377.1393273532.1393273532.1398882487.2;
> > >
> > __utmz=203412483.1398882487.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
> > > _ga=GA1.2.1716219377.1393273532;
> > > session_id=0942ebacef3fbcf8f9b21605013b5dfa1454bc93
> > > [Wed Aug 06 16:22:09 2014] [error]   ACCEPT-LANGUAGE:
> > > it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4,fr;q=0.2
> > > [Wed Aug 06 16:22:09 2014] [error]   USER-AGENT: Mozilla/5.0 (X11; Linux
> > > x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.132
> > > Safari/537.36
> > > [Wed Aug 06 16:22:09 2014] [error]   CONNECTION: keep-alive
> > > [Wed Aug 06 16:22:09 2014] [error]   Remote-Addr: 128.141.28.32
> > > [Wed Aug 06 16:22:09 2014] [error]   HOST: ltartari3.cern.ch
> > > [Wed Aug 06 16:22:09 2014] [error]   CACHE-CONTROL: max-age=0
> > > [Wed Aug 06 16:22:09 2014] [error]   ACCEPT:
> > >
> > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> > > [Wed Aug 06 16:22:09 2014] [error]   ACCEPT-ENCODING: gzip,deflate,sdch
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] HTTP Traceback
> > > (most recent call last):
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py",
> > > line 667, in respond
> > > [Wed Aug 06 16:22:09 2014] [error]     self.hooks.run('before_handler')
> > > [Wed Aug 06 16:22:09 2014] [error]   File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py",
> > > line 114, in run
> > > [Wed Aug 06 16:22:09 2014] [error]     raise exc
> > > [Wed Aug 06 16:22:09 2014] [error] AssertionError: The session load
> > without
> > > being locked.  Check your tools' priority levels.
> > > [Wed Aug 06 16:22:09 2014] [error]
> > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  ['500 Internal
> > > Server Error', 'The server encountered an unexpected condition which
> > > prevented it from fulfilling the request.', 'Traceback (most recent call
> > > last):\\n  File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py",
> > > line 667, in respond\\n    self.hooks.run(\\'before_handler\\')\\n  File
> > >
> > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py",
> > > line 114, in run\\n    raise exc\\nAssertionError: The session load
> > without
> > > being locked.  Check your tools\\' priority levels.\\n', '3.5.0']
> > >
> > > and obviously "GET /idp/ HTTP/1.1" 500 1054 in /var/log/httpd/access_log
> > >
> > > Cherrypy bug?
> > >
> > > Thanks.
> >
> > I've never seen this but I am using Cherrypy 3.2.2 on F20.
> >
> > Simo.
> >
> >
> >
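The realm-mapping point Simo raises above, as an added example that is not part of the thread or of Ipsilon's code: it emulates what KrbLocalUserMapping does to REMOTE_USER before the application compares it against the configured admin_user, so the same principal is or is not recognised as "admin" depending on whether the realm was stripped. The local_realms parameter and the helper names are assumptions for illustration; the real directive delegates to the Kerberos library's name-to-local-name rules.

```python
# Added example (not Ipsilon's own code). Shows why a Kerberos principal
# such as "admin@EXAMPLE.COM" does not match the configured admin user
# unless the realm is stripped, which is what mod_auth_kerb's
# KrbLocalUserMapping does before REMOTE_USER reaches the application.

ADMIN_USER = "admin"  # the admin_user value recorded in the install log


def local_user_mapping(remote_user, local_realms):
    """Emulate KrbLocalUserMapping (assumption: a simple realm allow-list).

    The realm is stripped only for principals from a realm this host treats
    as local; principals from foreign realms keep their full name, so a
    foreign "admin@OTHER.COM" can never collapse into the local "admin".
    """
    if "@" not in remote_user:
        return remote_user  # already a bare local name
    name, realm = remote_user.rsplit("@", 1)
    if realm.upper() in {r.upper() for r in local_realms}:
        return name
    return remote_user


def effective_user(remote_user, mapping_on=False, local_realms=()):
    """What the application sees as the login name for a given REMOTE_USER."""
    if mapping_on:
        return local_user_mapping(remote_user, local_realms)
    return remote_user


def is_admin(remote_user, admin_user=ADMIN_USER, mapping_on=False, local_realms=()):
    """The comparison behind the template's `user.is_admin` check (emulated)."""
    return effective_user(remote_user, mapping_on, local_realms) == admin_user


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for user, on in (("admin@EXAMPLE.COM", False), ("admin@EXAMPLE.COM", True)):
        print(user, "mapping_on=%s" % on, "->",
              effective_user(user, on, ["EXAMPLE.COM"]),
              "is_admin=%s" % is_admin(user, mapping_on=on, local_realms=["EXAMPLE.COM"]))
```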