[Freeipa-users] Backend & UI plugin update for 4.4.x
Steve Huston
huston at astro.princeton.edu
Wed Feb 1 17:10:26 UTC 2017
Awesome! Thank you.
On Wed, Feb 1, 2017 at 12:05 PM, Florence Blanc-Renaud <flo at redhat.com> wrote:
> On 02/01/2017 05:47 PM, Steve Huston wrote:
>>
>> Would it be better to file this as a new bug, or reopen 4291?
>>
> Hi,
>
> we are already aware of the problem and working on a fix (please see
> https://bugzilla.redhat.com/show_bug.cgi?id=1398600 and
> https://fedorahosted.org/freeipa/ticket/6575).
>
> HTH,
> Flo.
>
>
>> On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston
>> <huston at astro.princeton.edu> wrote:
>>>
>>> Seems like this is to blame:
>>> https://fedorahosted.org/freeipa/ticket/4291
>>>
>>> The checkin says, "Installation in pure IPv6 environment failed
>>> because pki-tomcat tried to use
>>> IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4
>>> fixes this issue." However it would seem that in a pure IPv4
>>> environment, this is causing tomcat to fail to load.
>>>
>>> On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston
>>> <huston at astro.princeton.edu> wrote:
>>>>
>>>> What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml?
>>>>
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>>
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
>>>> address="::1" />
>>>>
>>>> Doesn't work so well on a host without IPv6 turned on...
>>>>
>>>> Jan 31 14:26:59 ipa server: PKIListener:
>>>> org.apache.catalina.core.StandardServer[before_init]
>>>> Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point
>>>> associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
>>>> Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family
>>>> unavailable
>>>>
>>>> On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston
>>>> <huston at astro.princeton.edu> wrote:
>>>>>
>>>>> Stranger, I did an install on a different VM with the CentOS 7 minimal
>>>>> ISO, then installed ipa-server and enough things to get X11 and
>>>>> Firefox, ran ipa-server-install and it worked fine. I tested with
>>>>> Firefox (and Safari) against my failing installation and it still
>>>>> fails. So there's something else different that's causing it to
>>>>> break. Will continue investigating, but if someone knows why the UI
>>>>> would break this way it would be helpful to know where to look!
>>>>>
>>>>> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston
>>>>> <huston at astro.princeton.edu> wrote:
>>>>>>
>>>>>> Just did it again with the same result. Reinstalled the machine, then
>>>>>> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in
>>>>>> version 4.4.0-14.el7_3.4 and a bunch of other packages. Next was the
>>>>>> ipa-server-install as I used before, only without --mkhomedir this
>>>>>> time. After entering the passwords for directory administrator and
>>>>>> the admin user, I then logged in to the web interface, immediately
>>>>>> clicked "add" and added a user 'foobar'. When I clicked "add and
>>>>>> edit" and was brought to the user information page, it looks like this
>>>>>> at the bottom:
>>>>>>
>>>>>>
>>>>>> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0
>>>>>>
>>>>>> I then entered an employee number of '0001' just to give something to
>>>>>> save, and clicked save. The screen now shows this (I've clicked the
>>>>>> drop-down on the manager field so the choices are visible):
>>>>>>
>>>>>>
>>>>>> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0
>>>>>>
>>>>>> Holding shift and clicking reload, the page now looks like this (the
>>>>>> employee number field is also blank again):
>>>>>>
>>>>>>
>>>>>> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0
>>>>>>
>>>>>> Since we do run a repackaged distribution here (Springdale Linux), I
>>>>>> just unpacked ipa-server-common from our repository with the above
>>>>>> version, and
>>>>>> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm,
>>>>>> and 'diff' found zero differences between them. Unlikely, but I
>>>>>> wanted to rule out a packaging error causing the problem.
>>>>>>
>>>>>> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston
>>>>>> <huston at astro.princeton.edu> wrote:
>>>>>>>
>>>>>>> No, that should be all of the major changes; the puppet module that
>>>>>>> installs things only puts the two plugin files in their respective
>>>>>>> places. The client part of the IPA module makes changes to have the
>>>>>>> machine join the domain and whatnot, but those shouldn't affect the
>>>>>>> webui.
>>>>>>>
>>>>>>> I do modify the schema by adding some attribute types for Puppet,
>>>>>>> namely puppetClass, parentNode, environment, puppetVar, and the
>>>>>>> object
>>>>>>> class puppetClient. That's basically right from one of the Puppet
>>>>>>> webpages and also worked in the past - and is one of the things the
>>>>>>> python plugin does, add the appropriate objectclass to host entries
>>>>>>> if
>>>>>>> puppetVar is added to a host entry.
>>>>>>>
>>>>>>> My steps to install:
>>>>>>> * ipa-server-install --realm=<realm> --domain=<domain> --mkhomedir
>>>>>>> --hostname=<hostname> --no-host-dns
>>>>>>> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W
>>>>>>> < paste puppet schema changes>
>>>>>>> < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a
>>>>>>> service account used by puppet for adding hosts to IPA >
>>>>>>> * login to web UI
>>>>>>> * * Change home directory base, default shell, default SELinux user
>>>>>>> * * Add SELinux user map for staff/sysadmin users
>>>>>>> * * Add "user adder" permission/privilege/role for users who will be
>>>>>>> able to create stageusers
>>>>>>>
>>>>>>> That's about as far as I got before I realized some of the plugin
>>>>>>> pieces weren't working, and then fixed the python plugin followed by
>>>>>>> working on the UI plugin and finding this problem. I'll go wipe and
>>>>>>> reinstall the system again and walk through the steps, but test the
>>>>>>> UI
>>>>>>> first and in between to see if I can find which of the steps might be
>>>>>>> causing things to hiccup.
>>>>>>>
>>>>>>> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka <pvomacka at redhat.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hello Steve,
>>>>>>>>
>>>>>>>> I tried to reproduce what you described on the very same version of
>>>>>>>> ipa-server and I was not successful. Actually I was not used your
>>>>>>>> back-end
>>>>>>>> plugin. I tried it with no plugin and then with your UI plugin and
>>>>>>>> both
>>>>>>>> worked correctly. Did you do any other changes somewhere in your
>>>>>>>> installation?
>>>>>>>>
>>>>>>>> I will try it again also with your Python plugin and we'll see.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 01/24/2017 08:59 PM, Steve Huston wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> And now I'm convinced this has nothing to do with my plugin and
>>>>>>>>> instead is a bug somewhere in FreeIPA.
>>>>>>>>>
>>>>>>>>> I removed the entirety of the "astrocustom" plugin that I wrote,
>>>>>>>>> restarted httpd, and force reloaded the page in chrome. I clicked
>>>>>>>>> to
>>>>>>>>> add a new user, gave the basic information, and clicked "add and
>>>>>>>>> edit". The bottom of the page shows the "Employee information" on
>>>>>>>>> the
>>>>>>>>> left side bottom, and the manager drop-down is empty. I entered
>>>>>>>>> '1'
>>>>>>>>> in the "employee type" field and clicked save, and now "Employee
>>>>>>>>> Information" is on the right side directly under "Contact
>>>>>>>>> settings",
>>>>>>>>> and the manager drop-down is populated with the list of UIDs on the
>>>>>>>>> system.
>>>>>>>>>
>>>>>>>>> When the UI is in the failed state, the "email address" field is
>>>>>>>>> also
>>>>>>>>> blank, but when things switch to how they should be (after
>>>>>>>>> submitting
>>>>>>>>> a change) it is populated with the email address in the record. I
>>>>>>>>> just tested by adding a telephone number to the record, and that
>>>>>>>>> also
>>>>>>>>> made the contact information and employee information facets
>>>>>>>>> refresh
>>>>>>>>> with the proper data. Pressing shift-reload again makes all the
>>>>>>>>> information disappear (including the telephone number I just
>>>>>>>>> entered).
>>>>>>>>>
>>>>>>>>> This is with ipa-server-4.4.0-14.el7_3.4
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston
>>>>>>>>> <huston at astro.princeton.edu> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Just tested again, and this is still baffling:
>>>>>>>>>>
>>>>>>>>>> * Create a stage user with the right data, works fine, can be
>>>>>>>>>> edited.
>>>>>>>>>> * Enable that user, and now the two fields ('manager' and
>>>>>>>>>> 'employeeType') appear to have bogus data in the UI, and I cannot
>>>>>>>>>> save
>>>>>>>>>> the page without changing them to something else.
>>>>>>>>>> * Once that user is saved, the "Employee Information" facet moves
>>>>>>>>>> to
>>>>>>>>>> the right side of the page, and now shows not only the current
>>>>>>>>>> data in
>>>>>>>>>> the manager drop down but also the other choices (uids). Change
>>>>>>>>>> the
>>>>>>>>>> value of manager and employeetype back to what they were
>>>>>>>>>> previously
>>>>>>>>>> and it saves.
>>>>>>>>>> * An ldapsearch run when the user is first created (as the
>>>>>>>>>> directory
>>>>>>>>>> manager), and after having two edits (one to change the values to
>>>>>>>>>> something else to let the webui save them, and one to change them
>>>>>>>>>> back
>>>>>>>>>> to what they should be and were the first time) produce completely
>>>>>>>>>> identical results.
>>>>>>>>>> * The output of "ipa user-show <uid> --all --raw" is also
>>>>>>>>>> identical at
>>>>>>>>>> those same steps.
>>>>>>>>>>
>>>>>>>>>> So something, somewhere, is being saved in a way that prevents the
>>>>>>>>>> webui from displaying them properly, that gets fixed when those
>>>>>>>>>> values
>>>>>>>>>> are manually changed via the webui.
>>>>>>>>>>
>>>>>>>>>> On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston
>>>>>>>>>> <huston at astro.princeton.edu> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Even more interesting...
>>>>>>>>>>>
>>>>>>>>>>> I tried to modify one of the records that was not displaying
>>>>>>>>>>> properly
>>>>>>>>>>> in the "active users" group, and sure enough the webui complained
>>>>>>>>>>> that
>>>>>>>>>>> the "Requested By" (relabeled "manager") field was not filled in
>>>>>>>>>>> since
>>>>>>>>>>> it was blank. It also, however, complained that the "User tier"
>>>>>>>>>>> (relabeled "employeetype") was incorrect, even though it showed
>>>>>>>>>>> the
>>>>>>>>>>> label associated with the value 1. I clicked the search
>>>>>>>>>>> drop-down for
>>>>>>>>>>> manager, typed in my own uid, and even though everything had been
>>>>>>>>>>> blank in the drop down before now my uid showed up. I clicked on
>>>>>>>>>>> it,
>>>>>>>>>>> and my uid was now in the manager field. I then clicked the drop
>>>>>>>>>>> down
>>>>>>>>>>> for employeetype, and chose one of the other options. I was now
>>>>>>>>>>> able
>>>>>>>>>>> to save the changes to the record.
>>>>>>>>>>>
>>>>>>>>>>> Upon reloading the page, the "Employee Information" facet now
>>>>>>>>>>> shoed up
>>>>>>>>>>> on the right side bottom, instead of the left side bottom where
>>>>>>>>>>> it was
>>>>>>>>>>> appearing. I was also now able to change the drop-down fields
>>>>>>>>>>> for
>>>>>>>>>>> manager and employeetype to another value, and save them, and
>>>>>>>>>>> they
>>>>>>>>>>> worked fine even filling in all the data that should have been
>>>>>>>>>>> there.
>>>>>>>>>>> This almost seemed like the data being returned by the server was
>>>>>>>>>>> flawed somehow, and confusing the webui, but once it was forced
>>>>>>>>>>> to
>>>>>>>>>>> have the right data and re-saved it worked fine subsequently.
>>>>>>>>>>>
>>>>>>>>>>> I looked at the output of "ipa user-show <uid> --all --raw" both
>>>>>>>>>>> before and after making such changes on a user, and can detect no
>>>>>>>>>>> difference between them.
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy
>>>>>>>>>>> <abokovoy at redhat.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On to, 19 tammi 2017, Steve Huston wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy
>>>>>>>>>>>>> <abokovoy at redhat.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In short, FreeIPA 4.2 -> 4.4 change was by splitting server
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> client
>>>>>>>>>>>>>> side plugins into different paths (ipaserver/plugins and
>>>>>>>>>>>>>> ipaclient/plugins instead of being common in ipalib/plugins).
>>>>>>>>>>>>>> The
>>>>>>>>>>>>>> client
>>>>>>>>>>>>>> code was also changed to always read metadata about API from
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> server
>>>>>>>>>>>>>> side. This means the client can adopt to any server version
>>>>>>>>>>>>>> that
>>>>>>>>>>>>>> supports API metadata.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Right, and I think that the most of the plugin I had belongs
>>>>>>>>>>>>> server-side; in fact, that's where I migrated it to, and things
>>>>>>>>>>>>> work
>>>>>>>>>>>>> fine. I haven't tested if I can change those values with the
>>>>>>>>>>>>> cli, but
>>>>>>>>>>>>> I'm less concerned about that at the moment.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> In my sample external plugin you referenced above you can see
>>>>>>>>>>>>>> that I
>>>>>>>>>>>>>> have client-side change that replaces an input string by a
>>>>>>>>>>>>>> file
>>>>>>>>>>>>>> reference so that a file can supplied instead of typing the
>>>>>>>>>>>>>> content
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> the file on the command line. This is one of most used
>>>>>>>>>>>>>> patterns for
>>>>>>>>>>>>>> client side plugins.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> In this case, my biggest problem is with the web UI. The
>>>>>>>>>>>>> 'manager'
>>>>>>>>>>>>> drop down (which I have renamed through the UI plugins to
>>>>>>>>>>>>> "Requested
>>>>>>>>>>>>> By" to show what user requested and is responsible for this
>>>>>>>>>>>>> account)
>>>>>>>>>>>>> works fine in the 'add/modify stageuser' context, but not at
>>>>>>>>>>>>> all in
>>>>>>>>>>>>> the adduser/moduser context, and I can't seem to find out why.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I'll defer answer for this to our web UI wizards but they would
>>>>>>>>>>>> need to
>>>>>>>>>>>> see your code to help, I'd guess.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES &
>>>>>>>>>>> Astrophysical Sci
>>>>>>>>>>> Princeton University | ICBM Address: 40.346344
>>>>>>>>>>> -74.652242
>>>>>>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling
>>>>>>>>>>> through
>>>>>>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of
>>>>>>>>>>> Cygnus,
>>>>>>>>>>> (267) 793-0852 | headlong into mystery." -Rush,
>>>>>>>>>>> 'Cygnus X-1'
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical
>>>>>>>>>> Sci
>>>>>>>>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>>>>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling
>>>>>>>>>> through
>>>>>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of
>>>>>>>>>> Cygnus,
>>>>>>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus
>>>>>>>>>> X-1'
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Pavel^3 Vomacka
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical
>>>>>>> Sci
>>>>>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
>>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of
>>>>>>> Cygnus,
>>>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus
>>>>>>> X-1'
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of
>>>>>> Cygnus,
>>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
>>>
>>>
>>>
>>>
>>> --
>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>>> Princeton University | ICBM Address: 40.346344 -74.652242
>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through
>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
>>
>>
>>
>>
>
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
More information about the Freeipa-users
mailing list