Martin Kosek wrote:
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.

Add logging so you can know that a migration attempt fails and why.

rob

Looks good, it's just difficult to set up a proper environment for
reproduction. So far, I have found just this problem:

[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): 
Exception occurred processing WSGI script 
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent 
call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
"/usr/share/ipa/migration/migration.py", line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]   File 
"/usr/share/ipa/migration/migration.py", line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]     
logging.error('migration bind failed: %s' % convert_exception(e))

Martin


Just missed saving the exception as a variable, should work now.

rob
>From bf75398c01539299817de6208a3b9854c9178a6e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 26 Sep 2011 22:19:57 -0400
Subject: [PATCH] Migration: don't assume there is only one naming context,
 add logging.

We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.

Add logging so you can know that a migration attempt fails and why.

https://fedorahosted.org/freeipa/ticket/1834
https://fedorahosted.org/freeipa/ticket/1835
---
 install/migration/invalid.html |    2 +-
 install/migration/migration.py |   56 ++++++++++++++++++++++++++++++++--------
 2 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/install/migration/invalid.html b/install/migration/invalid.html
index a641d1a..91de79f 100644
--- a/install/migration/invalid.html
+++ b/install/migration/invalid.html
@@ -35,7 +35,7 @@
              <p>If the problem persists, contact your administrator.</p>
              </div>
            </div>
-           <form id="login" action="" name="">
+           <form id="login" action="migration.py" method="post" name="">
               <ul>
                 <li>
                   <label for="username">Username:</label>
diff --git a/install/migration/migration.py b/install/migration/migration.py
index ed6ade9..4ac891a 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -25,10 +25,24 @@ import errno
 import glob
 import ldap
 import wsgiref
+import logging
 
 BASE_DN = ''
 LDAP_URI = 'ldaps://localhost:636'
 
+def convert_exception(error):
+    """
+    Convert an LDAP exception into something more readable.
+    """
+    if not isinstance(error, ldap.TIMEOUT):
+        desc = error.args[0]['desc'].strip()
+        info = error.args[0].get('info', '').strip()
+    else:
+        desc = ''
+        info = ''
+
+    return '%s (%s)' % (desc, info)
+
 def wsgi_redirect(start_response, loc):
     start_response('302 Found', [('Location', loc)])
     return []
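Review bot: convert_exception indexes `error.args[0]['desc']` without checking the shape of `args`, so an LDAPError raised with no arguments or with a plain string raises IndexError, TypeError or KeyError from inside the `except` blocks in bind, masking both the original failure and the intended IOError. For `ldap.TIMEOUT` it returns the string ` ()`, which logs nothing useful. Fall back to the exception text when the dict form is absent, for example by wrapping the lookups in `try:` with `except (IndexError, KeyError, TypeError, AttributeError): return str(error)`, and return `str(error)` in the TIMEOUT branch as well.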
@@ -44,6 +58,8 @@ def get_base_dn():
     """
     Retrieve LDAP server base DN.
     """
+    global BASE_DN
+
     if BASE_DN:
         return BASE_DN
     try:
@@ -52,31 +68,50 @@ def get_base_dn():
         entries = conn.search_ext_s(
             '', scope=ldap.SCOPE_BASE, attrlist=['namingcontexts']
         )
-    except ldap.LDAPError:
-        return ''
-    conn.unbind_s()
-    try:
-        return entries[0][1]['namingcontexts'][0]
-    except (IndexError, KeyError):
+        contexts = entries[0][1]['namingcontexts']
+        for c in contexts:
+            try:
+                entry = conn.search_s(c, ldap.SCOPE_BASE, "(info=IPA*)")
+                if len(entry) == 0:
+                    continue
+                if entry[0][1]['info'][0].lower() != 'ipa v2.0':
+                    continue
+                BASE_DN = c
+                break
+            except ldap.LDAPError, e:
+                logging.error('migration context search failed: %s' % e)
+                conn.unbind_s()
+                return ''
+    except ldap.LDAPError, e:
+        logging.error('migration context search failed: %s' % e)
         return ''
+    finally:
+        conn.unbind_s()
+
+    return BASE_DN
 
 def bind(username, password):
     base_dn = get_base_dn()
     if not base_dn:
+        logging.error('migration unable to get base dn')
         raise IOError(errno.EIO, 'Cannot get Base DN')
     bind_dn = 'uid=%s,cn=users,cn=accounts,%s' % (username, base_dn)
     try:
         conn = ldap.initialize(LDAP_URI)
         conn.simple_bind_s(bind_dn, password)
     except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM,
-            ldap.NO_SUCH_OBJECT):
+            ldap.NO_SUCH_OBJECT), e:
+        logging.error('migration invalid credentials for %s: %s' % (bind_dn, convert_exception(e)))
         raise IOError(errno.EPERM, 'Invalid LDAP credentials for user %s' % username)
-    except ldap.LDAPError:
+    except ldap.LDAPError, e:
+        logging.error('migration bind failed: %s' % convert_exception(e))
         raise IOError(errno.EIO, 'Bind error')
-
-    conn.unbind_s()
+    finally:
+        conn.unbind_s()
 
 def application(environ, start_response):
+    global LDAP_URI
+
     if environ.get('REQUEST_METHOD', None) != 'POST':
         return wsgi_redirect(start_response, 'index.html')
 
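Review bot: In get_base_dn the inner `except ldap.LDAPError, e:` handler calls `conn.unbind_s()` and returns, and the new `finally:` then calls `conn.unbind_s()` a second time on the already-closed connection, which is likely to raise and replace the `return ''`. Both `finally` blocks (here and in bind) also assume `conn` was assigned; if `ldap.initialize` raises, the cleanup fails with an unbound name and hides the logged error, so set `conn = None` before `try:`, use `if conn is not None: conn.unbind_s()` in `finally`, and drop the unbind in the inner handler. The `entries[0][1]['namingcontexts']` lookup has lost the `except (IndexError, KeyError):` guard the old code had, so a root DSE without that attribute now raises out of the function instead of returning `''`. In bind, the new log line writes `bind_dn`, which embeds the form-supplied username, so format it with `%r` to keep control characters from splitting or forging error-log entries. get_base_dn starts above this hunk (its `ldap.initialize` call is not visible, so that part is inferred) and application continues below it.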
@@ -98,4 +133,3 @@ def application(environ, start_response):
 
     ui_url = get_ui_url(environ)
     return wsgi_redirect(start_response, ui_url)
-
-- 
1.7.6
