Lots of embedded comments...

ALAHYANE Rachid wrote:
Hi,


    How about:

    api.bootstrap(context='webservices', debug=True,
    xmlrpc_uri='https://luna.greyoak.com/ipa/xml')


 when I do this, I get these messages

---------------------------------------------------------------------
In [1]: from ipalib import api

In [2]: api.bootstrap(context='webservices', debug=True, xmlrpc_uri='https://server.domain.org/ipa/xml')

In [3]: api.env.xmlrpc_uri
Out[3]: u'https://server.domain.org/ipa/xml'

In [4]: api.env.realm
Out[4]: u'EXAMPLE.COM'

In [5]: api.finalize()
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbac.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/rolegroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/taskgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'

In [6]: api.Backend.xmlclient.connect()
ipa: INFO: Created connection context.xmlclient

In [7]: api.Command.user_show(u'admin')
ipa: DEBUG: raw: user_show(u'admin')
ipa: INFO: user_show(u'admin', all=False, raw=False)
ipa: INFO: Forwarding 'user_show' to server u'https://server.domain.org/ipa/xml'
ipa: DEBUG: Caught fault 3008 from server https://server.domain.org/ipa/xml: invalid 'uid': Only one value is allowed
---------------------------------------------------------------------------
ConversionError                           Traceback (most recent call last)

/root/<ipython console> in <module>()

/usr/lib/python2.6/site-packages/ipalib/frontend.pyc in __call__(self, *args, **options)
    399         self.validate(**params)
    400         (args, options) = self.params_2_args_options(**params)
--> 401         ret = self.run(*args, **options)
    402         if (
    403             isinstance(ret, dict)

/usr/lib/python2.6/site-packages/ipalib/frontend.pyc in run(self, *args, **options)
    668         if self.api.env.in_server:
    669             return self.execute(*args, **options)
--> 670         return self.forward(*args, **options)
    671
    672     def execute(self, *args, **kw):

/usr/lib/python2.6/site-packages/ipalib/frontend.pyc in forward(self, *args, **kw)
    689         Forward call over XML-RPC to this same command on server.
    690         """
--> 691         return self.Backend.xmlclient.forward(self.name, *args, **kw)
    692
    693     def finalize(self):

/usr/lib/python2.6/site-packages/ipalib/rpc.pyc in forward(self, name, *args, **kw)
    412             if e.faultCode in self.__errors:
    413                 error = self.__errors[e.faultCode]
--> 414                 raise error(message=e.faultString)
    415             raise UnknownError(
    416                 code=e.faultCode,

ConversionError: invalid 'uid': Only one value is allowed
---------------------------------------------------------------------

For api.env.realm, u'DOMAIN.ORG' is the expected value. It seems that api.env was not initialized correctly.

I suspect it isn't reading the configuration file. Try adding 'in_tree=False' to your bootstrap call. This should force it to read /etc/ipa/default.conf (which I assume you have configured).


    Is there anything interesting logged on the server?

    With debug=True you get a lot more output, might show something as well.


You are right, here are the logs on the ipa server

---------------------------------------------------------------------
==> /var/log/httpd/error_log <==
ipa: INFO: Created connection context.ldap2
ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False)
ipa: INFO: Destroyed connection context.ldap2

==> /var/log/httpd/access_log <==
172.30.0.137 - r...@domain.org [23/Apr/2010:18:06:16 +0200] "POST /ipa/xml HTTP/1.0" 200 315

==> /var/log/httpd/error_log <==
ipa: INFO: Created connection context.ldap2
ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False)
ipa: INFO: Destroyed connection context.ldap2

==> /var/log/httpd/access_log <==
172.30.0.137 - r...@domain.org [23/Apr/2010:18:11:53 +0200] "POST /ipa/xml HTTP/1.0" 200 315

---------------------------------------------------------------------

I think I have this problem because I use two different versions of freeipa. On the one hand, I have an old version (1.9.0GIT28d8bd6-0.fc12.i686, which I generated some time ago) of freeipa on the ipa server; on the other hand, I have the latest version of freeIPA on the client. So I generated new rpms from the latest version of the git repository and installed them on the client and server.

Yes, I think you're right here. The multiple value error is because admin is being converted into a tuple at some point. Looks ok in the client log though we'd have to enable more XML-RPC debugging to see what it is sent as on the wire. We did some recent API changes so I'm going to guess this is what the problem is, updating (or using the same version of IPA on both sides) is the right way to go.


But when I start ipa-server-install on the server, I get an error (hmm, I think that I must post a new mail on the mailing list)

----------------------------------------------------------------------
....
....
The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring directory server for the CA:
  [1/4]: creating directory server user
  [2/4]: creating directory server instance
  [3/4]: configuring directory to start on boot
  [4/4]: restarting directory server
done configuring pkids.
Configuring certificate server:
  [1/14]: creating certificate server user
  [2/14]: configuring certificate server instance
root : CRITICAL failed to restart ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname server.domain.org -cs_port 9445 -client_certdb_dir /tmp/tmp-Li3Uhg -client_certdb_pwd XXXXXXXX -preop_pin cYUmg5JpkmRm3xBAlTqg -domain_name IPA -admin_user admin -admin_email r...@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "CN=ipa-ca-agent,O=IPA" -ldap_host server.domain.org -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA" -ca_server_cert_subject_name "CN=server.domain.org,O=IPA" -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate Authority,O=IPA" -external false -clone false' returned non-zero exit status 255
  [3/14]: creating CA agent PKCS#12 file in /root
Unexpected error - see ipaserver-install.log for details:
Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d /tmp/tmp-Li3Uhg -k /tmp/tmphMeDU3 -w /tmp/tmphMeDU3' returned non-zero exit status 24

Yeah, mismatch in dogtag. You have two choices:

1. If you don't care about the CA at this point you can install the IPA server with --selfsign which will install a simpler, self-signed CA that uses the NSS command-line utilities for certificates. Not really the best choice for a production installation but adequate for testing.

2. Enable the updates-testing repo and update dogtag. I think that this should do it: yum --enablerepo=updates-testing update pki-* dogtag-*

The problem is dogtag has pretty weak dependencies right now and at least one package is still lingering in updates-testing (pki-common).

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
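
Added example (not part of the original message and not FreeIPA code): a Python 3 script that compares the client-side and server-side "raw:" debug lines quoted in this thread and reports the positional argument that reaches the server wrapped in a one-element tuple, the conversion Rob describes. The function names are hypothetical; the two log lines are copied from the thread.

```python
import ast
import re

# Log lines copied from the thread: the client's debug output and the
# server's /var/log/httpd/error_log entry for the same call.
CLIENT_LINE = "ipa: DEBUG: raw: user_show(u'admin')"
SERVER_LINE = "ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False)"

RAW_CALL = re.compile(r"ipa: DEBUG: raw: (?P<call>\w+\(.*\))\s*$")


def parse_raw_call(line):
    """Return (command, positional_args, keyword_args) from a 'raw:' debug line."""
    match = RAW_CALL.search(line)
    if match is None:
        raise ValueError("not an ipa 'raw:' debug line: %r" % line)
    # The logged call consists of literals only, so it is parsed with ast
    # and evaluated with literal_eval; eval() is never used on log data.
    node = ast.parse(match.group("call"), mode="eval").body
    if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Name):
        raise ValueError("unexpected call syntax: %r" % line)
    args = [ast.literal_eval(a) for a in node.args]
    kwargs = {k.arg: ast.literal_eval(k.value) for k in node.keywords}
    return node.func.id, args, kwargs


def wrapped_args(client_line, server_line):
    """List positional arguments that are scalar on the client but arrive
    on the server as a tuple/list holding that same single value."""
    c_name, c_args, _ = parse_raw_call(client_line)
    s_name, s_args, _ = parse_raw_call(server_line)
    if c_name != s_name:
        raise ValueError("different commands: %s vs %s" % (c_name, s_name))
    findings = []
    for index, (sent, received) in enumerate(zip(c_args, s_args)):
        if isinstance(received, (tuple, list)) and not isinstance(sent, (tuple, list)):
            if list(received) == [sent]:
                findings.append((index, sent, received))
    return findings


if __name__ == "__main__":
    for index, sent, received in wrapped_args(CLIENT_LINE, SERVER_LINE):
        print("arg %d: client sent %r, server saw %r" % (index, sent, received))
```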
