Re: [Freeipa-devel] DN patch and documentation

2012-08-08 Thread John Dennis
All the issues Martin discovered (except for the ip-address parameter) 
are now fixed and pushed to the dn repo. Also now the dn repo is fully 
rebased against master (except for one commit for ticket 2954 which I 
had to revert, see ticket for details).


Thank you for the continued testing.

FYI: to use the dn repo:

git clone git://fedorapeople.org/~jdennis/freeipa.dn.git
git checkout dn

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

2012-08-08 Thread Ade Lee
Hi, 

Dogtag 10 is being released on f18, and has a number of changes that
will affect IPA.  In particular, the following changes will affect
current IPA code. 

* The directory layout of the dogtag instance has changed.  Instead of
using separate tomcat instances to host different subsystems, the
standard dogtag installation will allow one to install a CA, KRA, OCSP
and TKS within the same instance.  There have been corresponding changes
in the directory layout, as well as the default instance name
(pki-tomcat instead of pki-ca), and startup daemon (pki-tomcatd, instead
of pki-cad, pki-krad etc.) 

* The default instance will use only four ports (HTTPS, HTTP, AJP and
tomcat shutdown port) rather than the 6 previously used.  The default
ports will be changed to the standard tomcat ports.  As these ports are
local to the ipa server machine, this should not cause too much
disruption. 

* There is a new single step installer written in python
(pkispawn/destroy) vs. pkicreate/pkisilent/pkiremove.

* Dogtag 10 runs on tomcat7 - with a new corresponding version of
tomcatjss.

The attached patch integrates all the above changes in IPA installation
and maintenance code.  Once the patch is applied, users will be able to:

1. run ipa-server-install to completion on f18 with dogtag 10.
2. install a new replica on f18 on dogtag 10.
3. upgrade an f17 machine with an existing IPA instance to f18/ dogtag
10 - and have that old-style dogtag instance continue to run correctly.
This will require the installation of the latest version of tomcatjss as
well as the installation of tomcat6.  The old-style instance will
continue to use tomcat6.
4. in addition, the new cert renewal code has been patched and should
continue to work.

What is not yet completed / supported:

1. Installation with an external CA is not yet completed in the new
installer.  We plan to complete this soon.

2. There is some IPA upgrade code that has not yet been touched
(install/tools/ipa-upgradeconfig).

3. A script needs to be written to allow admins to convert their
old-style dogtag instances to new style instances, as well as code to
periodically prompt admins to do this.

4. Installation of old-style instances using pkicreate/pkisilent on
dogtag 10 will no longer be supported, and will be disabled soon.

5.  The pki-selinux policy has been updated to reflect these changes,
but is still in flux.  In fact, it is our intention to place the dogtag
selinux policy in the base selinux policy for f18.  In the meantime, it
may be necessary to run installs in permissive mode.

The dogtag 10 code will be released shortly into f18.  Prior to that
though, we have placed the new dogtag 10 and tomcatjss code in a
developer repo that is located at 
http://nkinder.fedorapeople.org/dogtag-devel/

Testing can be done on both f18 and f17 - although the target platform -
and the only platform for which official builds will be created is f18.

Thanks, 
Ade
From c1677bf96235fb5f71dff899642d459f2fc2e9fc Mon Sep 17 00:00:00 2001
From: Ade Lee 
Date: Sun, 29 Jul 2012 14:07:31 -0400
Subject: [PATCH] Modifications to install scripts for dogtag 10

Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.
---
 install/conf/ipa-pki-proxy.conf|   16 +-
 install/conf/ipa.conf  |4 +-
 install/restart_scripts/renew_ca_cert  |   18 +-
 install/restart_scripts/restart_pkicad |   18 +-
 install/tools/ipa-ca-install   |   10 +
 install/tools/ipa-csreplica-manage |2 +-
 install/tools/ipa-replica-install  |1 +
 install/tools/ipa-replica-prepare  |2 +-
 install/tools/ipa-server-install   |1 +
 install/ui/test/data/ipa_init.json |6 +-
 ipa-client/man/default.conf.5  |6 +-
 ipalib/constants.py|6 +-
 ipapython/certmonger.py|2 +-
 ipapython/platform/base.py |5 +-
 ipapython/platform/fedora16.py |7 +-
 ipapython/platform/systemd.py  |4 +-
 ipaserver/install/cainstance.py|  330 +---
 ipaserver/install/installutils.py  |2 +-
 ipaserver/install/service.py   |   13 +-
 selinux/ipa_dogtag/ipa_dogtag.fc   |2 +-
 20 files changed, 219 insertions(+), 236 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 91a99aaf9cd9ce3669fbe12450bfae1b220fa67b..7dac76060f3fb7266b99e28cca4070bd1b9d5757 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -6,22 +6,22 @@ ProxyRequests Off
 
 NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
 NSSVerifyClient none
-ProxyPassMatch ajp://localhost:9447/
-ProxyPassReverse ajp://localhost:9447/
+ProxyPassMatch ajp://localhost:8009
+ProxyPassReverse ajp://localhost:8009
 
 
-# matches for admin port
-
+# matches for admin port and installer
+
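Review bot: In the ProxyPassMatch/ProxyPassReverse rewrite the trailing slash is dropped along with the port change (`ajp://localhost:9447/` becomes `ajp://localhost:8009`); for ProxyPassReverse the trailing slash affects how backend URLs in redirects are rewritten, so confirm the slash was removed deliberately rather than lost in the port edit. Since 8009 is the well-known Tomcat AJP default rather than an IPA-specific port, the cover letter's point that these ports stay local to the server belongs in a comment here, and the AJP connector's bind address should be checked so that the port is only reachable from the proxy on the same host.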

Re: [Freeipa-devel] DN patch and documentation

2012-08-08 Thread John Dennis

On 08/08/2012 09:37 AM, Martin Kosek wrote:

> I started reviewing the latest state of your DN effort in your git repo. It is
> in much better shape than before, but I still found some issues in utilities we
> use. I am sending what I have found so far.


Thanks!



> 1) ipa-managed-entries is broken
> # ipa-managed-entries -l
> Available Managed Entry Definitions:
> [u'UPG Definition']
> [u'NGP Definition']
>
> # ipa-managed-entries -e 'UPG Definition' status
> Unexpected error
> AttributeError: 'LDAPEntry' object has no attribute 'originfilter'


O.K. will investigate


> 2) ipa-replica-prepare is broken when --ip-address is passed
> # ipa-replica-prepare vm-055.idm.lab.bos.redhat.com --ip-address=10.16.78.55
> Directory Manager (existing master) password:
>
> Preparing replica for vm-055.idm.lab.bos.redhat.com from
> vm-086.idm.lab.bos.redhat.com
> Creating SSL certificate for the Directory Server
> Creating SSL certificate for the dogtag Directory Server
> Creating SSL certificate for the Web Server
> Exporting RA certificate
> Copying additional files
> Finalizing configuration
> Packaging replica information into
> /var/lib/ipa/replica-info-vm-055.idm.lab.bos.redhat.com.gpg
> Adding DNS records for vm-055.idm.lab.bos.redhat.com
> preparation of replica failed: invalid 'ip_address': Gettext('invalid IP
> address format', domain='ipa', localedir=None)
> invalid 'ip_address': Gettext('invalid IP address format', domain='ipa',
> localedir=None)
>    File "/sbin/ipa-replica-prepare", line 464, in <module>
>  main()
>
>    File "/sbin/ipa-replica-prepare", line 452, in main
>  add_zone(domain)
>
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
> line 302, in add_zone
>  idnsallowtransfer=u'none',)
>
>    File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 433, in
> __call__
>  self.validate(**params)
>
>    File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 705, in
> validate
>  param.validate(value, self.env.context, supplied=param.name in kw)
>
>    File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 879, in
> validate
>  self._validate_scalar(value)
>
>    File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 900, in
> _validate_scalar
>  rule=rule,


Yes, I saw the same thing, but I don't think it has anything to do 
with dn's. I even asked about this on IRC yesterday. Are you sure this 
isn't broken on master as well? When I looked at the code it just looked 
wrong and I didn't touch anything in this area. Can someone do a quick 
check on master and see if the problem exists there too?



> 3) ipa-replica-manage list is broken:
> # ipa-replica-manage list
> Failed to get data from 'vm-086.idm.lab.bos.redhat.com':
> base="cn=replicas,cn=ipa,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com",
> scope=1, filterstr="(objectClass=*)"
>
> I think the problem here is that the following code in ipa-replica-manage
> returns an exception when no entry in cn=replicas is found (which is ok):
>
>  dn = DN(('cn', 'replicas'), ('cn', 'ipa'), ('cn', 'etc'),
> ipautil.realm_to_suffix(realm))
>  entries = conn.getList(dn, ldap.SCOPE_ONELEVEL)


O.K. thanks, will investigate, seems like a simple fix.



> 4) IPA compliance is broken
>
> # ipa-compliance
> IPA compliance checking failed:
>
> This is the traceback (some DN was left in string format):
> Traceback (most recent call last):
>    File "/sbin/ipa-compliance", line 198, in <module>
>  main()
>    File "/sbin/ipa-compliance", line 179, in main
>  check_compliance(tmpdir, options.debug)
>    File "/sbin/ipa-compliance", line 121, in check_compliance
>  size_limit = -1)
>    File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
> 1087, in find_entries
>  assert isinstance(base_dn, DN)
> AssertionError


O.K. will investigate, seems like a simple fix.



> Btw. Petr Vobornik is testing Web UI, so far so good


Great.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

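The two utility breakages John agrees to look at above (item 3, ipa-replica-manage treating an empty cn=replicas container as an error, and item 4, ipa-compliance passing a string where find_entries asserts a DN) and the rdn_count bucketing bug Petr Viktorin describes in the quoted ipa-ldap-updater traceback further down the thread all stem from the same refactoring: DNs are typed objects rather than strings. The Python below is an added example, not FreeIPA code. The DN class, realm_to_suffix, NotFound, FakeConn and the sample entries are my own simplified stand-ins for ipapython.dn.DN, ipautil.realm_to_suffix and the ldap2/IPAdmin connection classes, and the escaping of RDN values goes slightly beyond the thread to show why a structured DN is safer than string concatenation.

```python
# Added example: a minimal typed DN plus the three utility patterns discussed
# in the thread. Everything here is a hypothetical stand-in for FreeIPA code.

# Characters that RFC 4514 requires to be escaped inside an attribute value.
_SPECIAL = ',+"\\<>;'


def _escape_value(value):
    """Escape one RDN value so that it cannot split or alter the DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in '# ') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


class DN(object):
    """Typed DN: an ordered list of (attr, value) RDNs, most specific first.
    DN(('cn', 'replicas'), ('dc', 'example')) renders as cn=replicas,dc=example.
    DN arguments are flattened, so a suffix DN can be appended directly."""

    def __init__(self, *rdns):
        self.rdns = []
        for rdn in rdns:
            if isinstance(rdn, DN):
                self.rdns.extend(rdn.rdns)
            else:
                attr, value = rdn
                self.rdns.append((attr.lower(), value))

    def __len__(self):
        # Number of RDNs: the quantity the updater buckets entries by.
        return len(self.rdns)

    def __str__(self):
        return ','.join('%s=%s' % (a, _escape_value(v)) for a, v in self.rdns)

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __ne__(self, other):
        return not self == other

    def __hash__(self):
        return hash(tuple(self.rdns))

    def parent(self):
        return DN(*self.rdns[1:])


def realm_to_suffix(realm):
    """Kerberos realm to directory suffix: EXAMPLE.COM -> dc=example,dc=com."""
    return DN(*[('dc', part.lower()) for part in realm.split('.')])


SCOPE_ONELEVEL = 1


class NotFound(Exception):
    """Raised by the backend when a search matches nothing (as getList does)."""


class FakeConn(object):
    """Stand-in for the LDAP connection; holds the DNs of existing entries."""

    def __init__(self, dns):
        self.dns = set(dns)

    def get_list(self, base_dn, scope=SCOPE_ONELEVEL):
        # The type check ipa-compliance tripped over: a string base DN is rejected.
        if not isinstance(base_dn, DN):
            raise TypeError('base_dn must be a DN, got %r' % (base_dn,))
        hits = [dn for dn in self.dns
                if len(dn) == len(base_dn) + 1 and dn.parent() == base_dn]
        if not hits:
            raise NotFound(str(base_dn))
        return sorted(hits, key=str)


def rejects_string_base(conn, base):
    """True when the backend refuses a base DN that is not a DN object."""
    try:
        conn.get_list(base)
    except TypeError:
        return True
    except NotFound:
        return False
    return False


def list_replicas(conn, realm):
    """ipa-replica-manage pattern: an empty cn=replicas container is a normal
    condition, so NotFound from the backend becomes an empty list."""
    base = DN(('cn', 'replicas'), ('cn', 'ipa'), ('cn', 'etc'), realm_to_suffix(realm))
    try:
        return [str(dn) for dn in conn.get_list(base, SCOPE_ONELEVEL)]
    except NotFound:
        return []


def group_by_rdn_count(dns):
    """Corrected form of the updateclient loop: the bucket returned by
    setdefault() is used directly instead of being indexed with rdn_count again."""
    dn_by_rdn_count = {}
    for dn in dns:
        bucket = dn_by_rdn_count.setdefault(len(dn), [])
        if dn not in bucket:
            bucket.append(dn)
    return dn_by_rdn_count


if __name__ == '__main__':
    suffix = realm_to_suffix('EXAMPLE.COM')   # constructed sample realm
    container = DN(('cn', 'replicas'), ('cn', 'ipa'), ('cn', 'etc'), suffix)
    conn = FakeConn([container])
    print(list_replicas(conn, 'EXAMPLE.COM'))  # [] : container exists but is empty
    conn.dns.add(DN(('cn', 'r1.example.com'), container))
    print(list_replicas(conn, 'EXAMPLE.COM'))
    print(sorted(group_by_rdn_count(conn.dns)))
    print(DN(('cn', 'Smith, John'), suffix))   # the comma is escaped, not a separator
```

The design point is that a DN built from RDN tuples carries its structure with it: len() gives the RDN count the updater needs, parent() gives the search base for a one-level scope, and rendering escapes values, so a value containing a comma cannot turn into an extra RDN the way it would with string concatenation. Callers that still hold string DNs fail at the type check rather than silently searching the wrong base.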


Re: [Freeipa-devel] DN patch and documentation

2012-08-08 Thread Martin Kosek
On 07/27/2012 02:24 PM, Petr Viktorin wrote:
> On 07/26/2012 11:48 PM, John Dennis wrote:
>> I have applied the suggested fixes, rebased against master, run all the
>> unit tests successfully, built RPM's, did a full install without errors,
>> and brought up the web UI successfully.
>>
>> The current code can be found here:
>>
>> git clone git://fedorapeople.org/~jdennis/freeipa.dn.git
>> git checkout dn
>>
>> I did not squash the individual commits (but they should be before we
>> apply to master).
> 
> Thank you!
> 
>> Please test (again).
>>
>> I continue to believe the greatest lurking liability is the installer
>> code and the individual command line utilities (e.g. replica-manage,
>> etc.) Aside from the server install I have not exercised those components.
> 
> Please test them, most of them just don't work. They're practically the only
> ones that use the old Entity & Entry, so related bugs won't show up unless you
> run the utilities.
> 
> 
> 
> 
> ipa-ldap-updater still fails:
> 
> 2012-07-27T10:21:05Z DEBUG Traceback (most recent call last):
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
> line 112, in __upgrade
> self.modified = ld.update(self.files)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line
> 879, in update
> updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password,
> self.ldapi, self.live_run)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
> line 134, in update
> if dn not in rdn_count_list[rdn_count]:
> IndexError: list index out of range
> 
> The offending code is:
> rdn_count = len(DN(dn))
> rdn_count_list = dn_by_rdn_count.setdefault(rdn_count, [])
> if dn not in rdn_count_list[rdn_count]:
> rdn_count_list[rdn_count].append(dn)
> 
> rdn_count_list is dn_by_rdn_count[rdn_count]; indexing with rdn_count again is
> an error.
> 
> I find the variable names are a bit confusing here.
> 
> 
> 
> 
> ipa-replica-prepare is also unusable:
> 
> $ sudo ipa-replica-prepare vm-125.$DOMAIN --ip-address $IP
> Directory Manager (existing master) password:
> 
> Preparing replica for vm-125.idm.lab.bos.redhat.com from
> vm-134.idm.lab.bos.redhat.com
> preparation of replica failed: '__getitem__'
> '__getitem__'
>   File "/sbin/ipa-replica-prepare", line 461, in 
> main()
> 
>   File "/sbin/ipa-replica-prepare", line 309, in main
> dirman_password)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 99, in enable_replication_version_checking
> conn.modify_s(entry[0].dn, [(ldap.MOD_REPLACE, 'nsslapd-pluginenabled',
> 'on')])
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/ipaldap.py", line 143, in
> __getattr__
> return self.__dict__[name]
> 
> i.e. entry[0] tries to call entry.__getitem__.
> 
> I haven't tested any replica-related tools since I couldn't prepare a replica.
> 
> 
> 
> 
> ipa-compliance still has the same error as before
> 
> 
> 
> 
> ipa-managed-entries still fails:
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 607, in run_script
> return_value = main_function()
> 
>   File "install/tools/ipa-managed-entries", line 133, in main
> managed_entries = [entry.cn for entry in entries]
> 
> You need entry.data['cn'] instead.
> 
> 
> 
> 
> I also get several errors in the DNS plugin test suite:
> 
> Traceback (most recent call last):
>   File "/home/pviktori/freeipa/ipaserver/rpcserver.py", line 332, in 
> wsgi_execute
> result = self.Command[name](*args, **options)
>   File "/home/pviktori/freeipa/ipalib/frontend.py", line 435, in __call__
> ret = self.run(*args, **options)
>   File "/home/pviktori/freeipa/ipalib/frontend.py", line 747, in run
> return self.execute(*args, **options)
>   File "/home/pviktori/freeipa/ipalib/plugins/dns.py", line 2458, in execute
> result = super(dnsrecord_mod, self).execute(*keys, **options)
>   File "/home/pviktori/freeipa/ipalib/plugins/baseldap.py", line 1351, in 
> execute
> assert isinstance(dn, DN)
> AssertionError
> 
> ipa: INFO: ad...@idm.lab.bos.redhat.com: dnsrecord_mod(u'dnszone.test',
> u'testcnamerec', arecord=(u'10.0.0.1',), cnamerecord=None, rights=False,
> structured=False, all=False, raw=False, version=u'2.41'): AssertionError
> 
> This is a good catch; the dnsrecord_mod post_callback should return the DN, not
> None.
> 

I started reviewing the latest state of your DN effort in your git repo. It is
in much better shape than before, but I still found some issues in utilities we
use. I am sending what I have found so far.

1) ipa-managed-entries is broken
# ipa-managed-entries -l
Available Managed Entry Definitions:
[u'UPG Definition']
[u'NGP Definition']

# ipa-managed-entries -e 'UPG Definition' status
Unexpected error
AttributeError: 'LDAPEntry' object has no attribute 'originfilter'

2) ipa-replica-prepare is broken when --ip-address is passed
# ipa-repl