[Freeipa-users] Backend & UI plugin update for 4.4.x

Steve Huston huston at astro.princeton.edu
Wed Feb 1 16:47:50 UTC 2017 

Would it be better to file this as a new bug, or reopen 4291?

On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston
<huston at astro.princeton.edu> wrote:
> Seems like this is to blame:  https://fedorahosted.org/freeipa/ticket/4291
>
> The checkin says, "Installation in pure IPv6 environment failed
> because pki-tomcat tried to use
> IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4
> fixes this issue."  However it would seem that in a pure IPv4
> environment, this is causing tomcat to fail to load.
>
> On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston
> <huston at astro.princeton.edu> wrote:
>> What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml?
>>
>>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>>
>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>> address="::1" />
>>
>> Doesn't work so well on a host without IPv6 turned on...
>>
>> Jan 31 14:26:59 ipa server: PKIListener:
>> org.apache.catalina.core.StandardServer[before_init]
>> Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point
>> associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
>> Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family
>> unavailable
>>
>> On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston
>> <huston at astro.princeton.edu> wrote:
>>> Stranger, I did an install on a different VM with the CentOS 7 minimal
>>> ISO, then installed ipa-server and enough things to get X11 and
>>> Firefox, ran ipa-server-install and it worked fine.  I tested with
>>> Firefox (and Safari) against my failing installation and it still
>>> fails.  So there's something else different that's causing it to
>>> break.  Will continue investigating, but if someone knows why the UI
>>> would break this way it would be helpful to know where to look!
>>>
>>> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
>>> <huston at astro.princeton.edu> wrote:
>>>> Just did it again with the same result.  Reinstalled the machine, then
>>>> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
>>>> version 4.4.0-14.el7_3.4 and a bunch of other packages.  Next was the
>>>> ipa-server-install as I used before, only without --mkhomedir this
>>>> time.  After entering the passwords for directory administrator and
>>>> the admin user, I then logged in to the web interface, immediately
>>>> clicked "add" and added a user 'foobar'.  When I clicked "add and
>>>> edit" and was brought to the user information page, it looks like this
>>>> at the bottom:
>>>>
>>>> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
>>>>
>>>> I then entered an employee number of '0001' just to give something to
>>>> save, and clicked save.  The screen now shows this (I've clicked the
>>>> drop-down on the manager field so the choices are visible):
>>>>
>>>> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
>>>>
>>>> Holding shift and clicking reload, the page now looks like this (the
>>>> employee number field is also blank again):
>>>>
>>>> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
>>>>
>>>> Since we do run a repackaged distribution here (Springdale Linux), I
>>>> just unpacked ipa-server-common from our repository with the above
>>>> version, and http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
>>>> and 'diff' found zero differences between them.  Unlikely, but I
>>>> wanted to rule out a packaging error causing the problem.
>>>>
>>>> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
>>>> <huston at astro.princeton.edu> wrote:
>>>>> No, that should be all of the major changes; the puppet module that
>>>>> installs things only puts the two plugin files in their respective
>>>>> places.  The client part of the IPA module makes changes to have the
>>>>> machine join the domain and whatnot, but those shouldn't affect the
>>>>> webui.
>>>>>
>>>>> I do modify the schema by adding some attribute types for Puppet,
>>>>> namely puppetClass, parentNode, environment, puppetVar, and the object
>>>>> class puppetClient.  That's basically right from one of the Puppet
>>>>> webpages and also worked in the past - and is one of the things the
>>>>> python plugin does, add the appropriate objectclass to host entries if
>>>>> puppetVar is added to a host entry.
>>>>>
>>>>> My steps to install:
>>>>> * ipa-server-install --realm=<realm> --domain=<domain> --mkhomedir
>>>>> --hostname=<hostname> --no-host-dns
>>>>> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
>>>>>   < paste puppet schema changes>
>>>>>   < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
>>>>> service account used by puppet for adding hosts to IPA >
>>>>> * login to web UI
>>>>> * * Change home directory base, default shell, default SELinux user
>>>>> * * Add SELinux user map for staff/sysadmin users
>>>>> * * Add "user adder" permission/privilege/role for users who will be
>>>>> able to create stageusers
>>>>>
>>>>> That's about as far as I got before I realized some of the plugin
>>>>> pieces weren't working, and then fixed the python plugin followed by
>>>>> working on the UI plugin and finding this problem.  I'll go wipe and
>>>>> reinstall the system again and walk through the steps, but test the UI
>>>>> first and in between to see if I can find which of the steps might be
>>>>> causing things to hiccup.
>>>>>
>>>>> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka <pvomacka at redhat.com> wrote:
>>>>>> Hello Steve,
>>>>>>
>>>>>> I tried to reproduce what you described on the very same version of
>>>>>> ipa-server and I was not successful. Actually I was not used your back-end
>>>>>> plugin. I tried it with no plugin and then with your UI plugin and both
>>>>>> worked correctly. Did you do any other changes somewhere in your
>>>>>> installation?
>>>>>>
>>>>>> I will try it again also with your Python plugin and we'll see.
>>>>>>
>>>>>>
>>>>>> On 01/24/2017 08:59 PM, Steve Huston wrote:
>>>>>>>
>>>>>>> And now I'm convinced this has nothing to do with my plugin and
>>>>>>> instead is a bug somewhere in FreeIPA.
>>>>>>>
>>>>>>> I removed the entirety of the "astrocustom" plugin that I wrote,
>>>>>>> restarted httpd, and force reloaded the page in chrome.  I clicked to
>>>>>>> add a new user, gave the basic information, and clicked "add and
>>>>>>> edit".  The bottom of the page shows the "Employee information" on the
>>>>>>> left side bottom, and the manager drop-down is empty.  I entered '1'
>>>>>>> in the "employee type" field and clicked save, and now "Employee
>>>>>>> Information" is on the right side directly under "Contact settings",
>>>>>>> and the manager drop-down is populated with the list of UIDs on the
>>>>>>> system.
>>>>>>>
>>>>>>> When the UI is in the failed state, the "email address" field is also
>>>>>>> blank, but when things switch to how they should be (after submitting
>>>>>>> a change) it is populated with the email address in the record.  I
>>>>>>> just tested by adding a telephone number to the record, and that also
>>>>>>> made the contact information and employee information facets refresh
>>>>>>> with the proper data.  Pressing shift-reload again makes all the
>>>>>>> information disappear (including the telephone number I just entered).
>>>>>>>
>>>>>>> This is with ipa-server-4.4.0-14.el7_3.4
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston
>>>>>>> <huston at astro.princeton.edu> wrote:
>>>>>>>>
>>>>>>>> Just tested again, and this is still baffling:
>>>>>>>>
>>>>>>>> * Create a stage user with the right data, works fine, can be edited.
>>>>>>>> * Enable that user, and now the two fields ('manager' and
>>>>>>>> 'employeeType') appear to have bogus data in the UI, and I cannot save
>>>>>>>> the page without changing them to something else.
>>>>>>>> * Once that user is saved, the "Employee Information" facet moves to
>>>>>>>> the right side of the page, and now shows not only the current data in
>>>>>>>> the manager drop down but also the other choices (uids).  Change the
>>>>>>>> value of manager and employeetype back to what they were previously
>>>>>>>> and it saves.
>>>>>>>> * An ldapsearch run when the user is first created (as the directory
>>>>>>>> manager), and after having two edits (one to change the values to
>>>>>>>> something else to let the webui save them, and one to change them back
>>>>>>>> to what they should be and were the first time) produce completely
>>>>>>>> identical results.
>>>>>>>> * The output of "ipa user-show <uid> --all --raw" is also identical at
>>>>>>>> those same steps.
>>>>>>>>
>>>>>>>> So something, somewhere, is being saved in a way that prevents the
>>>>>>>> webui from displaying them properly, that gets fixed when those values
>>>>>>>> are manually changed via the webui.
>>>>>>>>
>>>>>>>> On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston
>>>>>>>> <huston at astro.princeton.edu> wrote:
>>>>>>>>>
>>>>>>>>> Even more interesting...
>>>>>>>>>
>>>>>>>>> I tried to modify one of the records that was not displaying properly
>>>>>>>>> in the "active users" group, and sure enough the webui complained that
>>>>>>>>> the "Requested By" (relabeled "manager") field was not filled in since
>>>>>>>>> it was blank.  It also, however, complained that the "User tier"
>>>>>>>>> (relabeled "employeetype") was incorrect, even though it showed the
>>>>>>>>> label associated with the value 1.  I clicked the search drop-down for
>>>>>>>>> manager, typed in my own uid, and even though everything had been
>>>>>>>>> blank in the drop down before now my uid showed up.  I clicked on it,
>>>>>>>>> and my uid was now in the manager field.  I then clicked the drop down
>>>>>>>>> for employeetype, and chose one of the other options.  I was now able
>>>>>>>>> to save the changes to the record.
>>>>>>>>>
>>>>>>>>> Upon reloading the page, the "Employee Information" facet now shoed up
>>>>>>>>> on the right side bottom, instead of the left side bottom where it was
>>>>>>>>> appearing.  I was also now able to change the drop-down fields for
>>>>>>>>> manager and employeetype to another value, and save them, and they
>>>>>>>>> worked fine even filling in all the data that should have been there.
>>>>>>>>> This almost seemed like the data being returned by the server was
>>>>>>>>> flawed somehow, and confusing the webui, but once it was forced to
>>>>>>>>> have the right data and re-saved it worked fine subsequently.
>>>>>>>>>
>>>>>>>>> I looked at the output of "ipa user-show <uid> --all --raw" both
>>>>>>>>> before and after making such changes on a user, and can detect no
>>>>>>>>> difference between them.
>>>>>>>>>
>>>>>>>>> On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy <abokovoy at redhat.com>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> On to, 19 tammi 2017, Steve Huston wrote:
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy
>>>>>>>>>>> <abokovoy at redhat.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> In short, FreeIPA 4.2 -> 4.4 change was by splitting server and
>>>>>>>>>>>> client
>>>>>>>>>>>> side plugins into different paths (ipaserver/plugins and
>>>>>>>>>>>> ipaclient/plugins instead of being common in ipalib/plugins). The
>>>>>>>>>>>> client
>>>>>>>>>>>> code was also changed to always read metadata about API from the
>>>>>>>>>>>> server
>>>>>>>>>>>> side. This means the client can adopt to any server version that
>>>>>>>>>>>> supports API metadata.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Right, and I think that the most of the plugin I had belongs
>>>>>>>>>>> server-side; in fact, that's where I migrated it to, and things work
>>>>>>>>>>> fine.  I haven't tested if I can change those values with the cli, but
>>>>>>>>>>> I'm less concerned about that at the moment.
>>>>>>>>>>>
>>>>>>>>>>>> In my sample external plugin you referenced above you can see that I
>>>>>>>>>>>> have client-side change that replaces an input string by a file
>>>>>>>>>>>> reference so that a file can supplied instead of typing the content
>>>>>>>>>>>> of
>>>>>>>>>>>> the file on the command line. This is one of most used patterns for
>>>>>>>>>>>> client side plugins.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> In this case, my biggest problem is with the web UI.  The 'manager'
>>>>>>>>>>> drop down (which I have renamed through the UI plugins to "Requested
>>>>>>>>>>> By" to show what user requested and is responsible for this account)
>>>>>>>>>>> works fine in the 'add/modify stageuser' context, but not at all in
>>>>>>>>>>> the adduser/moduser context, and I can't seem to find out why.
>>>>>>>>>>
>>>>>>>>>> I'll defer answer for this to our web UI wizards but they would need to
>>>>>>>>>> see your code to help, I'd guess.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>>>>>>>    Princeton University  |    ICBM Address: 40.346344   -74.652242
>>>>>>>>>      345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>>>>>>>>>    Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>>>>>>>>>      (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>>>>>>    Princeton University  |    ICBM Address: 40.346344   -74.652242
>>>>>>>>      345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>>>>>>>>    Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>>>>>>>>      (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Pavel^3 Vomacka
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>>>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>>>>>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>>>>>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>>>>>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
>>>>
>>>>
>>>>
>>>> --
>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>>>>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>>>>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>>>>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
>>>
>>>
>>>
>>> --
>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>>>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>>>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>>>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
>>
>>
>>
>> --
>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
>
>
>
> --
> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'



-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

More information about the Freeipa-users mailing list