Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
> Hi,
>
> another attempt to refine error/configuration reporting when configuring means to access LDAP on a client. Previous one tried to use rpm to find out package name but this approach is avoiding package names. Instead, it tries to tell configuration file.
>
> Ticket https://fedorahosted.org/freeipa/ticket/1369

NACK.

1) Return info from LDAP config functions gets overwritten:

    if not options.sssd:
        (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
        if retcode:
            return 1
        (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
        if retcode:
            return 1

Only one function will do the real configuration, in my case it was the configure_ldap_conf (nslcd was not installed). Due to the overwrite, my ipa-client-install reported invalid information:

# ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
...
LDAP enabled
Kerberos 5 enabled
NSLCD configured using configuration file /etc/nslcd.conf
Unable to use DNS discovery! Recognized configuration: NSLCD
Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
NTP enabled
Client configuration complete.

We need to indicate in the return triple that the service was not configured so that we output correct information.

2) Returning tuple instead of triple (will raise exception when used):

-return 1 +return (1, 'nslcd')

Plus, NSLCD is referred in upper case in other return statements.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 29.07.2011 14:13, Martin Kosek wrote:
> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>> Hi,
>>
>> another attempt to refine error/configuration reporting when configuring means to access LDAP on a client. Previous one tried to use rpm to find out package name but this approach is avoiding package names. Instead, it tries to tell configuration file.
>>
>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>
> NACK.
>
> 1) Return info from LDAP config functions gets overwritten:
>
>     if not options.sssd:
>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>         if retcode:
>             return 1
>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>         if retcode:
>             return 1
>
> Only one function will do the real configuration, in my case it was the configure_ldap_conf (nslcd was not installed). Due to the overwrite, my ipa-client-install reported invalid information:

Yes, fixed.

> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
> ...
> LDAP enabled
> Kerberos 5 enabled
> NSLCD configured using configuration file /etc/nslcd.conf
> Unable to use DNS discovery! Recognized configuration: NSLCD
> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
> NTP enabled
> Client configuration complete.
>
> We need to indicate in the return triple that the service was not configured so that we output correct information.

I did this now by returning None: return (0, None, None).

> 2) Returning tuple instead of triple (will raise exception when used):
>
> -return 1 +return (1, 'nslcd')
>
> Plus, NSLCD is referred in upper case in other return statements.

Fixed. Version 3 attached.

--
/ Alexander Bokovoy

From c2ebbee6c1796874a44a735a843a9453ccaaf4bf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 29 Jul 2011 13:05:07 +0300 Subject: [PATCH] Make proper LDAP configuration reporting for ipa-client-install Ticket https://fedorahosted.org/freeipa/ticket/1369 --- ipa-client/ipa-install/ipa-client-install | 29 + 1 files changed, 17 insertions(+), 12 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e1a28ca087dee9eea04ccc7a9e6e4f8ce89..5847fea1d3e26bdd0c6182ab0ecf3d19ab0f69bc 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -336,6 +336,7 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) +ret = (0, None, None) # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']: @@ -343,11 +344,12 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d try: fstore.backup_file(filename) ldapconf.newConf(filename, opts) +return (0, 'LDAP', filename) except Exception, e: print Creation of %s: %s % (filename, str(e)) -return 1 +return (1, 'LDAP', filename) -return 0 +return ret def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) @@ -379,7 +381,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, nslcdconf.newConf('/etc/nslcd.conf', opts) except Exception, e: print Creation of %s: %s % ('/etc/nslcd.conf', str(e)) -return 1 +return (1, None, None) if ipautil.service_is_installed('nslcd'): try: 
@@ -394,8 +396,9 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, logging.error(Failed to enable automatic startup of the NSLCD daemon: %s % str(e)) else: logging.debug(NSLCD daemon is not installed, skip configuration) +return (0, None, None) -return 0 +return (0, 'NSLCD', '/etc/nslcd.conf') def hardcode_ldap_server(cli_server): @@ -945,7 +948,8 @@ def main(): else: # this is optional service, just log -logging.info(NSCD daemon is not installed, skip configuration) +if not options.sssd: +logging.info(NSCD daemon is not installed, skip configuration) # Modify nsswitch/pam stack if options.sssd: @@ -967,11 +971,12 @@ def main(): # Update non-SSSD LDAP configuration after authconfig calls as it would # change its configuration otherways if not
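Review bot: in configure_ldap_conf (hunk @@ -343,11 +344,12) the new `return (0, 'LDAP', filename)` comes straight after `ldapconf.newConf(filename, opts)`, inside the `for filename in [...]` loop, so the function now stops at the first file it writes. The comment above the loop says "update what we find" and the old code returned 0 only after the loop, so any of /etc/nss_ldap.conf, /etc/libnss-ldap.conf or /etc/pam_ldap.conf that also exists would be left unconfigured. Suggest assigning `ret = (0, 'LDAP', filename)` inside the loop and keeping the single `return ret` after it; as posted, `ret` is never reassigned in the visible lines and always carries (0, None, None).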
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On Fri, 2011-07-29 at 15:59 +0300, Alexander Bokovoy wrote:
> On 29.07.2011 14:13, Martin Kosek wrote:
>> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> another attempt to refine error/configuration reporting when configuring means to access LDAP on a client. Previous one tried to use rpm to find out package name but this approach is avoiding package names. Instead, it tries to tell configuration file.
>>>
>>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>>
>> NACK.
>>
>> 1) Return info from LDAP config functions gets overwritten:
>>
>>     if not options.sssd:
>>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>         if retcode:
>>             return 1
>>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>         if retcode:
>>             return 1
>>
>> Only one function will do the real configuration, in my case it was the configure_ldap_conf (nslcd was not installed). Due to the overwrite, my ipa-client-install reported invalid information:
>
> Yes, fixed.
>
>> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
>> ...
>> LDAP enabled
>> Kerberos 5 enabled
>> NSLCD configured using configuration file /etc/nslcd.conf
>> Unable to use DNS discovery! Recognized configuration: NSLCD
>> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
>> NTP enabled
>> Client configuration complete.
>>
>> We need to indicate in the return triple that the service was not configured so that we output correct information.
>
> I did this now by returning None: return (0, None, None).
>
>> 2) Returning tuple instead of triple (will raise exception when used):
>>
>> -return 1 +return (1, 'nslcd')
>>
>> Plus, NSLCD is referred in upper case in other return statements.
>
> Fixed. Version 3 attached.

Getting closer, but still not there (although I really like your for configurer in ... construct):

# ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
...
LDAP enabled
Kerberos 5 enabled
LDAP configured using configuration file /etc/ldap.conf
Unable to use DNS discovery! Recognized configuration: None
Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
NTP enabled
Client configuration complete.

Martin
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
Martin Kosek wrote:
> On Fri, 2011-07-29 at 15:59 +0300, Alexander Bokovoy wrote:
>> On 29.07.2011 14:13, Martin Kosek wrote:
>>> On Fri, 2011-07-29 at 13:09 +0300, Alexander Bokovoy wrote:
>>>> Hi,
>>>>
>>>> another attempt to refine error/configuration reporting when configuring means to access LDAP on a client. Previous one tried to use rpm to find out package name but this approach is avoiding package names. Instead, it tries to tell configuration file.
>>>>
>>>> Ticket https://fedorahosted.org/freeipa/ticket/1369
>>>
>>> NACK.
>>>
>>> 1) Return info from LDAP config functions gets overwritten:
>>>
>>>     if not options.sssd:
>>>         (retcode, conf, filename) = configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>>         if retcode:
>>>             return 1
>>>         (retcode, conf, filename) = configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options)
>>>         if retcode:
>>>             return 1
>>>
>>> Only one function will do the real configuration, in my case it was the configure_ldap_conf (nslcd was not installed). Due to the overwrite, my ipa-client-install reported invalid information:
>>
>> Yes, fixed.
>>
>>> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
>>> ...
>>> LDAP enabled
>>> Kerberos 5 enabled
>>> NSLCD configured using configuration file /etc/nslcd.conf
>>> Unable to use DNS discovery! Recognized configuration: NSLCD
>>> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
>>> NTP enabled
>>> Client configuration complete.
>>>
>>> We need to indicate in the return triple that the service was not configured so that we output correct information.
>>
>> I did this now by returning None: return (0, None, None).
>>
>>> 2) Returning tuple instead of triple (will raise exception when used):
>>>
>>> -return 1 +return (1, 'nslcd')
>>>
>>> Plus, NSLCD is referred in upper case in other return statements.
>>
>> Fixed. Version 3 attached.
>
> Getting closer, but still not there (although I really like your for configurer in ... construct):
>
> # ipa-client-install --server=vm-059.idm.lab.bos.redhat.com --domain=idm.lab.bos.redhat.com --no-sssd
> ...
> LDAP enabled
> Kerberos 5 enabled
> LDAP configured using configuration file /etc/ldap.conf
> Unable to use DNS discovery! Recognized configuration: None
> Changing configuration of /etc/ldap.conf to use hardcoded server name: vm-059.idm.lab.bos.redhat.com
> NTP enabled
> Client configuration complete.
>
> Martin

Backtrace on sssd-based install:

# ipa-client-install --server=panther.greyoak.com --domain=greyoak.com --realm=GREYOAK.COM -p admin
DNS domain 'greyoak.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: slinky.greyoak.com
Realm: GREYOAK.COM
DNS Domain: greyoak.com
IPA Server: panther.greyoak.com
BaseDN: dc=greyoak,dc=com
Continue to configure the system with these values? [no]: y
Password for ad...@greyoak.com:
Enrolled in IPA realm GREYOAK.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm GREYOAK.COM
SSSD enabled
Kerberos 5 enabled
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1079, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1054, in main
    print "Unable to use DNS discovery! Recognized configuration: %s" % (conf)
UnboundLocalError: local variable 'conf' referenced before assignment
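
The two reporting failures seen against version 3 in the messages above (a later configurer's (0, None, None) replacing the LDAP result, and `conf` never being bound on the SSSD path), reduced to a runnable Python 3 example. This is an added example, not code from the patch or from FreeIPA: the configure_* bodies, the `present` set and both `recognized_*` callers are hypothetical stand-ins, and the shape of the v3 caller is assumed from the reported output.

```python
# Added illustration (Python 3). The configure_* functions are hypothetical
# stand-ins for the installer's functions; they only mimic the
# (retcode, conf, filename) triples discussed in the thread.

def configure_ldap_conf(present):
    # Constructed rule: "configured" if /etc/ldap.conf is in the sample set.
    if "/etc/ldap.conf" in present:
        return (0, "LDAP", "/etc/ldap.conf")
    return (0, None, None)


def configure_nslcd_conf(present):
    # Constructed rule: "configured" only if the nslcd service is present.
    if "nslcd" in present:
        return (0, "NSLCD", "/etc/nslcd.conf")
    return (0, None, None)  # not installed: nothing was configured


CONFIGURERS = (configure_ldap_conf, configure_nslcd_conf)


def recognized_overwriting(present, sssd=False):
    """Caller that keeps whatever the last configurer returned."""
    if not sssd:
        for configurer in CONFIGURERS:
            retcode, conf, filename = configurer(present)
            if retcode:
                return "error"
    # With sssd=True the loop never ran, so 'conf' was never bound.
    return conf


def recognized_first_hit(present, sssd=False):
    """Caller that binds 'conf' up front and keeps the first real result."""
    conf = "SSSD" if sssd else None  # assumption: SSSD path reports "SSSD"
    if not sssd:
        for configurer in CONFIGURERS:
            retcode, found, filename = configurer(present)
            if retcode:
                return "error"
            if conf is None and found is not None:
                conf = found
    return conf  # None means no backend was recognized


if __name__ == "__main__":
    sample = {"/etc/ldap.conf"}  # constructed: ldap.conf present, no nslcd
    print(recognized_overwriting(sample))
    print(recognized_first_hit(sample))
    try:
        recognized_overwriting(sample, sssd=True)
    except UnboundLocalError as exc:
        print("sssd path:", exc)
    print(recognized_first_hit(sample, sssd=True))
```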
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 29.07.2011 18:09, Rob Crittenden wrote:
> Backtrace on sssd-based install:
>
> # ipa-client-install --server=panther.greyoak.com --domain=greyoak.com --realm=GREYOAK.COM -p admin
> DNS domain 'greyoak.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: slinky.greyoak.com
> Realm: GREYOAK.COM
> DNS Domain: greyoak.com
> IPA Server: panther.greyoak.com
> BaseDN: dc=greyoak,dc=com
> Continue to configure the system with these values? [no]: y
> Password for ad...@greyoak.com:
> Enrolled in IPA realm GREYOAK.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm GREYOAK.COM
> SSSD enabled
> Kerberos 5 enabled
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 1079, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 1054, in main
>     print "Unable to use DNS discovery! Recognized configuration: %s" % (conf)
> UnboundLocalError: local variable 'conf' referenced before assignment

Yes. Fixed that.

What we also want to show is that after all effort to configure LDAP, DNS, etc, we are unable to find user admin. I have changed the printed statements to be clear.

So in case we are unable to find admin, we'll print:

Unable to find 'admin' user with 'getent passwd admin'!

If we know what we were working with (SSSD, NSLCD, or LDAP), we'll also print:

Recognized configuration: (one of SSSD, NSLCD, LDAP)

otherwise it will show the following statement:

No recognized configuration, please check manually NSS setup

and will try to hardcode LDAP server in /etc/ldap.conf if that exists. If the latter attempt succeeds, the user will see:

Changed configuration of /etc/ldap.conf to use hardcoded server name: (name of server)

I think it is at most what we can do without referencing hardcoded config files directly (except for /etc/ldap.conf) in 2.1.
Ideally, all this code for configuring specific services should go into platform-specific backend and be re-used from there but that is something for 2.1.1 as it would need my cross-platform enablers which are too big for 2.1. -- / Alexander Bokovoy From 5d38060f05d4642761bb62db810d8e6b89a3f150 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 29 Jul 2011 13:05:07 +0300 Subject: [PATCH] Make proper LDAP configuration reporting for ipa-client-install Ticket https://fedorahosted.org/freeipa/ticket/1369 --- ipa-client/ipa-install/ipa-client-install | 35 +++-- 1 files changed, 23 insertions(+), 12 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index c5f66be85361ecb3ab8b0c41908d378702df068d..4a61c1bb08057428153374c046f0223a12aefaf6 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -345,6 +345,7 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) +ret = (0, None, None) # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']: @@ -352,11 +353,12 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d try: fstore.backup_file(filename) ldapconf.newConf(filename, opts) +return (0, 'LDAP', filename) except Exception, e: print Creation of %s: %s % (filename, str(e)) -return 1 +return (1, 'LDAP', filename) -return 0 +return ret def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) 
@@ -388,7 +390,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, nslcdconf.newConf('/etc/nslcd.conf', opts) except Exception, e: print Creation of %s: %s % ('/etc/nslcd.conf', str(e)) -return 1 +return (1, None, None) if ipautil.service_is_installed('nslcd'): try: @@ -403,8 +405,9 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, logging.error(Failed to enable automatic startup of the NSLCD daemon: %s % str(e)) else: logging.debug(NSLCD daemon is not installed, skip configuration) +return (0, None, None) -return 0 +return (0, 'NSLCD', '/etc/nslcd.conf') def hardcode_ldap_server(cli_server): @@ -422,6 +425,7 @@ def hardcode_ldap_server(cli_server): # Errors raised by this
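Review bot: the failure path in configure_nslcd_conf (hunk @@ -388,7 +390,7) returns `(1, None, None)` after `nslcdconf.newConf('/etc/nslcd.conf', opts)` raised, while the matching path in configure_ldap_conf returns `(1, 'LDAP', filename)`. The caller therefore cannot name the backend or file that failed for NSLCD, although it can for LDAP. Suggest `return (1, 'NSLCD', '/etc/nslcd.conf')` here, and a short comment or docstring on both functions stating what each element of the (retcode, conf, filename) triple means and that `(0, None, None)` stands for "nothing configured".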
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
> No recognized configuration, please check manually NSS setup

Maybe reword:

Unknown configuration, please check NSS setup manually

But some time ago, somewhere, some person from doc told me not to use please in any error messages, man pages or help. I do not know whether this is relevant or not but should we avoid using please?

So how about:

Unknown configuration, check NSS setup manually

or

Detected unknown configuration, check NSS setup manually

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
On 29.07.2011 18:45, Dmitri Pal wrote:
> On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
>> No recognized configuration, please check manually NSS setup
>
> Maybe reword:
>
> Unknown configuration, please check NSS setup manually
>
> But some time ago, somewhere, some person from doc told me not to use please in any error messages, man pages or help. I do not know whether this is relevant or not but should we avoid using please?
>
> So how about:
>
> Unknown configuration, check NSS setup manually

Thought about it and I think this would be better:

Unable to reliably detect configuration. Check NSS setup manually.

> or
>
> Detected unknown configuration, check NSS setup manually

I decided to remove all 'please' (there are plenty!). Hopefully, this will not make installing IPA on a client a less pleasing process.

--
/ Alexander Bokovoy

From a3554af3c7186a248222398b3ca4411fa6bb6a85 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Fri, 29 Jul 2011 13:05:07 +0300 Subject: [PATCH] Make proper LDAP configuration reporting for ipa-client-install Ticket https://fedorahosted.org/freeipa/ticket/1369 --- ipa-client/ipa-install/ipa-client-install | 47 ++--- 1 files changed, 29 insertions(+), 18 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index c5f66be85361ecb3ab8b0c41908d378702df068d..e3b9dfbab5975aade08ee36e98fc9a048df76784 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -147,7 +147,7 @@ def uninstall(options, env): server_fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') if server_fstore.has_files() and not options.on_master: print IPA client is configured as a part of IPA server on this system. -print Please refer to ipa-server-install for uninstallation. +print Refer to ipa-server-install for uninstallation. return 2 sssdconfig = SSSDConfig.SSSDConfig() 
@@ -345,6 +345,7 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d opts.append({'name':'empty', 'type':'empty'}) +ret = (0, None, None) # Depending on the release and distribution this may exist in any # number of different file names, update what we find for filename in ['/etc/ldap.conf', '/etc/nss_ldap.conf', '/etc/libnss-ldap.conf', '/etc/pam_ldap.conf']: @@ -352,11 +353,12 @@ def configure_ldap_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, d try: fstore.backup_file(filename) ldapconf.newConf(filename, opts) +return (0, 'LDAP', filename) except Exception, e: print Creation of %s: %s % (filename, str(e)) -return 1 +return (1, 'LDAP', filename) -return 0 +return ret def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, dnsok, options): nslcdconf = ipaclient.ipachangeconf.IPAChangeConf(IPA Installer) @@ -388,7 +390,7 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, nslcdconf.newConf('/etc/nslcd.conf', opts) except Exception, e: print Creation of %s: %s % ('/etc/nslcd.conf', str(e)) -return 1 +return (1, None, None) if ipautil.service_is_installed('nslcd'): try: @@ -403,8 +405,9 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, logging.error(Failed to enable automatic startup of the NSLCD daemon: %s % str(e)) else: logging.debug(NSLCD daemon is not installed, skip configuration) +return (0, None, None) -return 0 +return (0, 'NSLCD', '/etc/nslcd.conf') def hardcode_ldap_server(cli_server): @@ -422,6 +425,7 @@ def hardcode_ldap_server(cli_server): # Errors raised by this should be caught by the caller ldapconf.changeConf(/etc/ldap.conf, opts) +print Changed configuration of /etc/ldap.conf to use hardcoded server name: +cli_server return 
@@ -737,7 +741,7 @@ def main(): if fstore.has_files(): sys.exit(IPA client is already configured on this system.\n -+ If you want to reinstall the IPA client please uninstall it first.) ++ If you want to reinstall the IPA client, uninstall it first.) cli_domain = None cli_server = None @@ -766,7 +770,7 @@ def main(): if ret == ipadiscovery.BAD_HOST_CONFIG: print sys.stderr, Can't get the fully qualified name of this host -print sys.stderr, Please check that the client is properly configured +print sys.stderr, Check that the client is properly configured return ret if ret == ipadiscovery.NOT_FQDN: print sys.stderr, %s is not a fully-qualified hostname %
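Review bot: the "Please" removals in uninstall() (hunk @@ -147,7 +147,7) and in main() (hunks @@ -737,7 +741,7 and @@ -766,7 +770,7) are unrelated to the LDAP reporting fix named in the subject line, and the commit message does not mention them. Suggest moving the rewording into its own patch, or at least adding a line about it to the commit message, so the return-triple change in configure_ldap_conf and configure_nslcd_conf can be reviewed, bisected and reverted independently of the message cleanup.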
Re: [Freeipa-devel] [PATCH] 0004 (2) Make proper LDAP configuration reporting for ipa-cli-install
Alexander Bokovoy wrote:
> On 29.07.2011 18:45, Dmitri Pal wrote:
>> On 07/29/2011 11:35 AM, Alexander Bokovoy wrote:
>>> No recognized configuration, please check manually NSS setup
>>
>> Maybe reword:
>>
>> Unknown configuration, please check NSS setup manually
>>
>> But some time ago, somewhere, some person from doc told me not to use please in any error messages, man pages or help. I do not know whether this is relevant or not but should we avoid using please?
>>
>> So how about:
>>
>> Unknown configuration, check NSS setup manually
>
> Thought about it and I think this would be better:
>
> Unable to reliably detect configuration. Check NSS setup manually.
>
>> or
>>
>> Detected unknown configuration, check NSS setup manually
>
> I decided to remove all 'please' (there are plenty!). Hopefully, this will not make installing IPA on a client a less pleasing process.

ack, pushed to master

rob