On 02/01/2017 05:47 PM, Steve Huston wrote:
Would it be better to file this as a new bug, or reopen 4291?
Hi,we are already aware of the problem and working on a fix (please see https://bugzilla.redhat.com/show_bug.cgi?id=1398600 and https://fedorahosted.org/freeipa/ticket/6575).
HTH, Flo.
On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston <[email protected]> wrote:Seems like this is to blame: https://fedorahosted.org/freeipa/ticket/4291 The checkin says, "Installation in pure IPv6 environment failed because pki-tomcat tried to use IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 fixes this issue." However it would seem that in a pure IPv4 environment, this is causing tomcat to fail to load. On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston <[email protected]> wrote:What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml? <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" /> Doesn't work so well on a host without IPv6 turned on... Jan 31 14:26:59 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"] Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family unavailable On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston <[email protected]> wrote:Stranger, I did an install on a different VM with the CentOS 7 minimal ISO, then installed ipa-server and enough things to get X11 and Firefox, ran ipa-server-install and it worked fine. I tested with Firefox (and Safari) against my failing installation and it still fails. So there's something else different that's causing it to break. Will continue investigating, but if someone knows why the UI would break this way it would be helpful to know where to look! On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston <[email protected]> wrote:Just did it again with the same result. Reinstalled the machine, then did a 'yum install ipa-server python2-ipaserver httpd' which pulled in version 4.4.0-14.el7_3.4 and a bunch of other packages. Next was the ipa-server-install as I used before, only without --mkhomedir this time. After entering the passwords for directory administrator and the admin user, I then logged in to the web interface, immediately clicked "add" and added a user 'foobar'. When I clicked "add and edit" and was brought to the user information page, it looks like this at the bottom: https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0 I then entered an employee number of '0001' just to give something to save, and clicked save. The screen now shows this (I've clicked the drop-down on the manager field so the choices are visible): https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0 Holding shift and clicking reload, the page now looks like this (the employee number field is also blank again): https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0 Since we do run a repackaged distribution here (Springdale Linux), I just unpacked ipa-server-common from our repository with the above version, and http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm, and 'diff' found zero differences between them. Unlikely, but I wanted to rule out a packaging error causing the problem. On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston <[email protected]> wrote:No, that should be all of the major changes; the puppet module that installs things only puts the two plugin files in their respective places. The client part of the IPA module makes changes to have the machine join the domain and whatnot, but those shouldn't affect the webui. I do modify the schema by adding some attribute types for Puppet, namely puppetClass, parentNode, environment, puppetVar, and the object class puppetClient. That's basically right from one of the Puppet webpages and also worked in the past - and is one of the things the python plugin does, add the appropriate objectclass to host entries if puppetVar is added to a host entry. My steps to install: * ipa-server-install --realm=<realm> --domain=<domain> --mkhomedir --hostname=<hostname> --no-host-dns * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W < paste puppet schema changes> < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a service account used by puppet for adding hosts to IPA > * login to web UI * * Change home directory base, default shell, default SELinux user * * Add SELinux user map for staff/sysadmin users * * Add "user adder" permission/privilege/role for users who will be able to create stageusers That's about as far as I got before I realized some of the plugin pieces weren't working, and then fixed the python plugin followed by working on the UI plugin and finding this problem. I'll go wipe and reinstall the system again and walk through the steps, but test the UI first and in between to see if I can find which of the steps might be causing things to hiccup. On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka <[email protected]> wrote:Hello Steve, I tried to reproduce what you described on the very same version of ipa-server and I was not successful. Actually I was not used your back-end plugin. I tried it with no plugin and then with your UI plugin and both worked correctly. Did you do any other changes somewhere in your installation? I will try it again also with your Python plugin and we'll see. On 01/24/2017 08:59 PM, Steve Huston wrote:And now I'm convinced this has nothing to do with my plugin and instead is a bug somewhere in FreeIPA. I removed the entirety of the "astrocustom" plugin that I wrote, restarted httpd, and force reloaded the page in chrome. I clicked to add a new user, gave the basic information, and clicked "add and edit". The bottom of the page shows the "Employee information" on the left side bottom, and the manager drop-down is empty. I entered '1' in the "employee type" field and clicked save, and now "Employee Information" is on the right side directly under "Contact settings", and the manager drop-down is populated with the list of UIDs on the system. When the UI is in the failed state, the "email address" field is also blank, but when things switch to how they should be (after submitting a change) it is populated with the email address in the record. I just tested by adding a telephone number to the record, and that also made the contact information and employee information facets refresh with the proper data. Pressing shift-reload again makes all the information disappear (including the telephone number I just entered). This is with ipa-server-4.4.0-14.el7_3.4 On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston <[email protected]> wrote:Just tested again, and this is still baffling: * Create a stage user with the right data, works fine, can be edited. * Enable that user, and now the two fields ('manager' and 'employeeType') appear to have bogus data in the UI, and I cannot save the page without changing them to something else. * Once that user is saved, the "Employee Information" facet moves to the right side of the page, and now shows not only the current data in the manager drop down but also the other choices (uids). Change the value of manager and employeetype back to what they were previously and it saves. * An ldapsearch run when the user is first created (as the directory manager), and after having two edits (one to change the values to something else to let the webui save them, and one to change them back to what they should be and were the first time) produce completely identical results. * The output of "ipa user-show <uid> --all --raw" is also identical at those same steps. So something, somewhere, is being saved in a way that prevents the webui from displaying them properly, that gets fixed when those values are manually changed via the webui. On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston <[email protected]> wrote:Even more interesting... I tried to modify one of the records that was not displaying properly in the "active users" group, and sure enough the webui complained that the "Requested By" (relabeled "manager") field was not filled in since it was blank. It also, however, complained that the "User tier" (relabeled "employeetype") was incorrect, even though it showed the label associated with the value 1. I clicked the search drop-down for manager, typed in my own uid, and even though everything had been blank in the drop down before now my uid showed up. I clicked on it, and my uid was now in the manager field. I then clicked the drop down for employeetype, and chose one of the other options. I was now able to save the changes to the record. Upon reloading the page, the "Employee Information" facet now shoed up on the right side bottom, instead of the left side bottom where it was appearing. I was also now able to change the drop-down fields for manager and employeetype to another value, and save them, and they worked fine even filling in all the data that should have been there. This almost seemed like the data being returned by the server was flawed somehow, and confusing the webui, but once it was forced to have the right data and re-saved it worked fine subsequently. I looked at the output of "ipa user-show <uid> --all --raw" both before and after making such changes on a user, and can detect no difference between them. On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy <[email protected]> wrote:On to, 19 tammi 2017, Steve Huston wrote:On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy <[email protected]> wrote:In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client side plugins into different paths (ipaserver/plugins and ipaclient/plugins instead of being common in ipalib/plugins). The client code was also changed to always read metadata about API from the server side. This means the client can adopt to any server version that supports API metadata.Right, and I think that the most of the plugin I had belongs server-side; in fact, that's where I migrated it to, and things work fine. I haven't tested if I can change those values with the cli, but I'm less concerned about that at the moment.In my sample external plugin you referenced above you can see that I have client-side change that replaces an input string by a file reference so that a file can supplied instead of typing the content of the file on the command line. This is one of most used patterns for client side plugins.In this case, my biggest problem is with the web UI. The 'manager' drop down (which I have renamed through the UI plugins to "Requested By" to show what user requested and is responsible for this account) works fine in the 'add/modify stageuser' context, but not at all in the adduser/moduser context, and I can't seem to find out why.I'll defer answer for this to our web UI wizards but they would need to see your code to help, I'd guess. -- / Alexander Bokovoy-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'-- Pavel^3 Vomacka-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
