It works!!! I installed my server with --selfsign and I added in_tree=False
in my api.bootstrap() method and it runs very well. Thank you guys ^^

--
Meilleures salutations / Best Regards

Rachid ALAHYANE



2010/4/23 Rob Crittenden <rcrit...@redhat.com>

> Lots of embedded comments...
>
> ALAHYANE Rachid wrote:
>
>> Hi,
>>
>>
>>    How about:
>>
>>    api.bootstrap(context='webservices', debug=True,
>>    xmlrpc_uri='https://luna.greyoak.com/ipa/xml')
>>
>>
>>  when I do this, I get these messages
>>
>> ---------------------------------------------------------------------
>> In [1]: from ipalib import api
>>
>> In [2]: api.bootstrap(context='webservices', debug=True,
>> xmlrpc_uri='https://server.domain.org/ipa/xml')
>>
>> In [3]: api.env.xmlrpc_uri
>> Out[3]: u'https://server.domain.org/ipa/xml'
>>
>> In [4]: api.env.realm
>> Out[4]: u'EXAMPLE.COM'
>>
>>
>> In [5]: api.finalize()
>> ipa: DEBUG: importing all plugin modules in
>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>> ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is
>> not True
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbac.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/rolegroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/taskgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>>
>> In [6]: api.Backend.xmlclient.connect()
>> ipa: INFO: Created connection context.xmlclient
>>
>> In [7]: api.Command.user_show(u'admin')
>> ipa: DEBUG: raw: user_show(u'admin')
>> ipa: INFO: user_show(u'admin', all=False, raw=False)
>> ipa: INFO: Forwarding 'user_show' to server u'
>> https://server.domain.org/ipa/xml'
>> ipa: DEBUG: Caught fault 3008 from server
>> https://server.domain.org/ipa/xml: invalid 'uid': Only one value is
>> allowed
>>
>> ---------------------------------------------------------------------------
>> ConversionError                           Traceback (most recent call
>> last)
>>
>> /root/<ipython console> in <module>()
>>
>> /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in __call__(self,
>> *args, **options)
>>    399         self.validate(**params)
>>    400         (args, options) = self.params_2_args_options(**params)
>> --> 401         ret = self.run(*args, **options)
>>    402         if (
>>    403             isinstance(ret, dict)
>>
>> /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in run(self, *args,
>> **options)
>>    668         if self.api.env.in_server:
>>    669             return self.execute(*args, **options)
>> --> 670         return self.forward(*args, **options)
>>    671
>>    672     def execute(self, *args, **kw):
>>
>> /usr/lib/python2.6/site-packages/ipalib/frontend.pyc in forward(self,
>> *args, **kw)
>>    689         Forward call over XML-RPC to this same command on server.
>>    690         """
>> --> 691         return self.Backend.xmlclient.forward(self.name, *args, **kw)
>>    692
>>    693     def finalize(self):
>>
>> /usr/lib/python2.6/site-packages/ipalib/rpc.pyc in forward(self, name,
>> *args, **kw)
>>    412             if e.faultCode in self.__errors:
>>    413                 error = self.__errors[e.faultCode]
>> --> 414                 raise error(message=e.faultString)
>>    415             raise UnknownError(
>>    416                 code=e.faultCode,
>>
>> ConversionError: invalid 'uid': Only one value is allowed
>> ---------------------------------------------------------------------
>>
>> For api.env.realm, u'DOMAIN.ORG' is the expected value.
>> It seems that api.env was not initialized correctly.
>>
>
> I suspect it isn't reading the configuration file. Try adding
> 'in_tree=False' to your bootstrap call. This should force it to read
> /etc/ipa/default.conf (which I assume you have configured).
>
>
>>    Is there anything interesting logged on the server?
>>
>>    With debug=True you get a lot more output, might show something as
>> well.
>>
>>
>> You are right, here the logs on the ipa server
>>
>> ---------------------------------------------------------------------
>> ==> /var/log/httpd/error_log <==
>> ipa: INFO: Created connection context.ldap2
>> ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False)
>> ipa: INFO: Destroyed connection context.ldap2
>>
>> ==> /var/log/httpd/access_log <==
>> 172.30.0.137 - r...@domain.org
>> [23/Apr/2010:18:06:16 +0200] "POST /ipa/xml HTTP/1.0" 200 315
>>
>>
>> ==> /var/log/httpd/error_log <==
>> ipa: INFO: Created connection context.ldap2
>> ipa: DEBUG: raw: user_show((u'admin',), all=False, raw=False)
>> ipa: INFO: Destroyed connection context.ldap2
>>
>> ==> /var/log/httpd/access_log <==
>> 172.30.0.137 - r...@domain.org
>> [23/Apr/2010:18:11:53 +0200] "POST /ipa/xml HTTP/1.0" 200 315
>>
>>
>> ---------------------------------------------------------------------
>>
>> I think I have this problem because I use two different versions of
>> freeipa. On the one hand, I have an old version (1.9.0GIT28d8bd6-0.fc12.i686,
>> which I generated some time ago) of freeipa on the ipa server; on the
>> other hand, I have the latest version of freeIPA on the client. So, I generated
>> new rpms from the latest version of the git repository and I installed them on the
>> client and server.
>>
>
> Yes, I think you're right here. The multiple value error is because admin
> is being converted into a tuple at some point. Looks ok in the client log
> though we'd have to enable more XML-RPC debugging to see what it is sent as
> on the wire. We did some recent API changes so I'm going to guess this is
> what the problem is, updating (or using the same version of IPA on both
> sides) is the right way to go.
>
>
>> But when I start ipa-server-install on the server, I get an error (hmm, I
>> think that I must post a new mail on the mailing list)
>>
>> ----------------------------------------------------------------------
>> ....
>> ....
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring directory server for the CA:
>>  [1/4]: creating directory server user
>>  [2/4]: creating directory server instance
>>  [3/4]: configuring directory to start on boot
>>  [4/4]: restarting directory server
>> done configuring pkids.
>> Configuring certificate server:
>>  [1/14]: creating certificate server user
>>  [2/14]: configuring certificate server instance
>> root        : CRITICAL failed to restart ca instance Command
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> server.domain.org -cs_port 9445
>> -client_certdb_dir /tmp/tmp-Li3Uhg -client_certdb_pwd XXXXXXXX -preop_pin
>> cYUmg5JpkmRm3xBAlTqg -domain_name IPA -admin_user admin -admin_email
>> r...@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
>> -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
>> "CN=ipa-ca-agent,O=IPA" -ldap_host server.domain.org
>> -ldap_port 7389 -bind_dn "cn=Directory Manager"
>> -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048
>> -key_type rsa -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad
>> -token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA"
>> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA"
>> -ca_server_cert_subject_name "CN=server.domain.org,O=IPA"
>> -ca_audit_signing_cert_subject_name
>> "CN=CA Audit,O=IPA" -ca_sign_cert_subject_name "CN=Certificate
>> Authority,O=IPA" -external false -clone false' returned non-zero exit status
>> 255
>>
>>  [3/14]: creating CA agent PKCS#12 file in /root
>> Unexpected error - see ipaserver-install.log for details:
>>  Command '/usr/bin/pk12util -n ipa-ca-agent -o /root/ca-agent.p12 -d
>> /tmp/tmp-Li3Uhg -k /tmp/tmphMeDU3 -w /tmp/tmphMeDU3' returned non-zero exit
>> status 24
>>
>
> Yeah, mismatch in dogtag. You have two choices:
>
> 1. If you don't care about the CA at this point you can install the IPA
> server with --selfsign which will install a simpler, self-signed CA that
> uses the NSS command-line utilities for certificates. Not really the best
> choice for a production installation but adequate for testing.
>
> 2. Enable the updates-testing repo and update dogtag. I think that this
> should do it: yum --enablerepo=updates-testing update pki-* dogtag-*
>
> The problem is dogtag has pretty weak dependencies right now and at least
> one package is still lingering in updates-testing (pki-common).
>
> rob
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
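
Added example (not part of the original thread, and not FreeIPA's own code): a pre-flight check of the client configuration file that in_tree=False makes ipalib read, catching the EXAMPLE.COM realm symptom seen above before any RPC call is made. It assumes the file uses a [global] section with realm and xmlrpc_uri keys and that the server's DNS domain matches the lower-cased realm; the sample file contents and the check_ipa_conf name are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample files (not taken from the thread).
SAMPLE_OK = """\
[global]
basedn = dc=domain,dc=org
realm = DOMAIN.ORG
domain = domain.org
xmlrpc_uri = https://server.domain.org/ipa/xml
"""

SAMPLE_BAD = """\
[global]
xmlrpc_uri = http://server.domain.org/ipa/xml
"""

PLACEHOLDER_REALM = "EXAMPLE.COM"  # value api.env.realm showed in the thread


def check_ipa_conf(text, expected_realm):
    """Return a list of problems found in default.conf-style text."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["unparseable config: %s" % exc]
    if not parser.has_section("global"):
        return ["no [global] section"]
    env = parser["global"]
    problems = []
    realm = env.get("realm")
    if realm is None:
        problems.append("realm not set")
    elif realm == PLACEHOLDER_REALM:
        problems.append("realm is still the placeholder")
    elif realm != expected_realm:
        problems.append("realm %r != expected %r" % (realm, expected_realm))
    uri = urlparse(env.get("xmlrpc_uri", fallback=""))
    if uri.scheme != "https":
        problems.append("xmlrpc_uri is not https")
    # Assumption: the server's DNS domain is the lower-cased realm.
    elif not (uri.hostname or "").endswith("." + expected_realm.lower()):
        problems.append("xmlrpc_uri host outside realm domain")
    return problems
```

An empty list from check_ipa_conf(open('/etc/ipa/default.conf').read(), 'DOMAIN.ORG') means the file carries the realm and URI the client is expected to use.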