Re: [Freeipa-devel] [PATCH] 997 add client package requires on python-krbV
On Tue, 2012-03-27 at 13:56 -0400, Rob Crittenden wrote:
> We initialize ipalib in the client installer now so need a Requires on python-krbV.
>
> rob

ACK. Pushed to master, ipa-2-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0021 Add CLI tests
On Tue, 2012-03-27 at 19:02 +0200, Petr Viktorin wrote:
> Updated with a regression test for https://fedorahosted.org/freeipa/ticket/2581 (Unable to delete all sshfp records interactively) which Martin fixed recently.

Thanks for adding a specific test for this.

I see 2 issues with this patch:

1) DNS tests are not skipped when DNS is not configured:

$ ./make-test tests/test_cmdline/test_cli.py
test_cli.TestCLIParsing.test_dnsrecord_add ... ok
test_cli.TestCLIParsing.test_dnsrecord_del_all ... ERROR
test_cli.TestCLIParsing.test_dnsrecord_del_one_by_one ... ERROR
test_cli.TestCLIParsing.test_group_add ... ok
...

We should rather skip these tests as we do in test_dns_plugin.py instead of failing with ERROR.

2) pprint is not needed, its output is not shown anyway as stdout is captured:

+import pprint ... +pprint.pprint(kw_got)

Martin
Re: [Freeipa-devel] [PATCH] 0021 Add CLI tests
On 03/28/2012 09:11 AM, Martin Kosek wrote:
> On Tue, 2012-03-27 at 19:02 +0200, Petr Viktorin wrote:
>> Updated with a regression test for https://fedorahosted.org/freeipa/ticket/2581 (Unable to delete all sshfp records interactively) which Martin fixed recently.
>
> Thanks for adding a specific test for this.
>
> I see 2 issues with this patch:
>
> 1) DNS tests are not skipped when DNS is not configured:
>
> $ ./make-test tests/test_cmdline/test_cli.py
> test_cli.TestCLIParsing.test_dnsrecord_add ... ok
> test_cli.TestCLIParsing.test_dnsrecord_del_all ... ERROR
> test_cli.TestCLIParsing.test_dnsrecord_del_one_by_one ... ERROR
> test_cli.TestCLIParsing.test_group_add ... ok
> ...
>
> We should rather skip these tests as we do in test_dns_plugin.py instead of failing with ERROR.

Good point, I added this.

> 2) pprint is not needed, its output is not shown anyway as stdout is captured:
>
> +import pprint ... +pprint.pprint(kw_got)

It is shown when the test fails; I found it quite useful when adding new tests. But you're right, it is not needed. Removed.

--
Petr³

From 0ac65abe30dc6dcd2a4c2fa36766cf312521d7aa Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 13 Mar 2012 07:10:52 -0400 Subject: [PATCH] Add CLI parsing tests These test that command lines are parsed to correct Command arguments. Includes some tests for interactive prompts. To make this possible cli.run is broken up into several pieces. --- ipalib/__init__.py |3 + ipalib/backend.py |1 - ipalib/cli.py | 24 +- tests/test_cmdline/test_cli.py | 184 4 files changed, 207 insertions(+), 5 deletions(-) create mode 100644 tests/test_cmdline/test_cli.py diff --git a/ipalib/__init__.py b/ipalib/__init__.py index 1efeeab4a6c5cef8f625c3964be253baf208dd29..dd861a8266614d63a81289672ce2235275c356c0 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py 
@@ -916,5 +916,8 @@ def create_api(mode='dummy'): api = create_api(mode=None) if os.environ.get('IPA_UNIT_TEST_MODE', None) == 'cli_test': +from cli import cli_plugins +for klass in cli_plugins: +api.register(klass) api.bootstrap(context='cli', in_server=False, in_tree=True) api.finalize() diff --git a/ipalib/backend.py b/ipalib/backend.py index 0232fa536ed83273d1c6510ee442915bb8c0c8c1..7be38ecc80faf03e735813fb1e2d0eba5c347800 100644 --- a/ipalib/backend.py +++ b/ipalib/backend.py @@ -102,7 +102,6 @@ def __get_conn(self): class Executioner(Backend): - def create_context(self, ccache=None, client_ip=None): client_ip: The IP address of the remote client. diff --git a/ipalib/cli.py b/ipalib/cli.py index ea320cf652e309592f9906831e3de2d0beb10198..5e58cc47d5e5d61a76bc917268f0e63307228efa 100644 --- a/ipalib/cli.py +++ b/ipalib/cli.py @@ -123,7 +123,7 @@ def max_col_width(self, rows, col=None): def __get_encoding(self, stream): assert stream in (sys.stdin, sys.stdout) -if stream.encoding is None: +if getattr(stream, 'encoding', None) is None: return 'UTF-8' return stream.encoding @@ -1007,7 +1007,11 @@ class cli(backend.Executioner): Backend plugin for executing from command line interface. -def run(self, argv): +def get_command(self, argv): +Given CLI arguments, return the Command to use + +On incorrect invocation, prints out a help message and returns None + if len(argv) == 0: self.Command.help() return 
@@ -1022,15 +1026,27 @@ def run(self, argv): if name not in self.Command or self.Command[name].NO_CLI: raise CommandError(name=key) cmd = self.Command[name] -if not isinstance(cmd, frontend.Local): -self.create_context() +return cmd + +def argv_to_keyword_arguments(self, cmd, argv): +Get the keyword arguments for a Command kw = self.parse(cmd, argv) if self.env.interactive: self.prompt_interactively(cmd, kw) kw = cmd.split_csv(**kw) kw['version'] = API_VERSION self.load_files(cmd, kw) +return kw + +def run(self, argv): +cmd = self.get_command(argv) +if cmd is None: +return +name = cmd.name +if not isinstance(cmd, frontend.Local): +self.create_context() try: +kw = self.argv_to_keyword_arguments(cmd, argv[1:]) result = self.execute(name, **kw) if callable(cmd.output_for_cli): for param in cmd.params(): diff --git a/tests/test_cmdline/test_cli.py b/tests/test_cmdline/test_cli.py new file mode 100644 index ..889aae4130cba4d728b1b461719767f2db9a73cb --- /dev/null +++ b/tests/test_cmdline/test_cli.py @@ -0,0 +1,184 @@ +import shlex +import sys +import contextlib +import StringIO + +import nose + +from tests import util
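
Review bot: In the ipalib/__init__.py hunk, "from cli import cli_plugins" is an implicit relative import that runs at package import time whenever IPA_UNIT_TEST_MODE is cli_test. Spelling it "from ipalib.cli import cli_plugins" keeps it from resolving to an unrelated top-level module named cli that happens to be on sys.path, and a short comment next to the environment check would explain why the library, rather than the test harness, registers the CLI plugins.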
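
Review bot: The get_command docstring in ipalib/cli.py says an incorrect invocation prints help and returns None, but the retained "raise CommandError(name=key)" path still raises for an unknown or NO_CLI command, so the docstring should describe both outcomes. In the new run(), get_command receives the full argv while argv_to_keyword_arguments is called with argv[1:]; its docstring should state that the command name must already be stripped, since the two helpers are now callable separately from tests.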
Re: [Freeipa-devel] [PATCHES] Improve framework parameter validation
On 27.3.2012 17:41, Martin Kosek wrote: On Tue, 2012-03-27 at 16:42 +0200, Martin Kosek wrote: On Tue, 2012-03-27 at 16:30 +0200, Jan Cholasta wrote: On 27.3.2012 16:00, Martin Kosek wrote: On Thu, 2012-03-15 at 14:57 +0100, Jan Cholasta wrote: On 15.3.2012 14:20, Petr Viktorin wrote: On 03/15/2012 12:05 PM, Jan Cholasta wrote: On 15.3.2012 11:36, Jan Cholasta wrote: (this is a continuation of http://www.redhat.com/archives/freeipa-devel/2011-September/msg00327.html) Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/1847 and https://fedorahosted.org/freeipa/ticket/2245: [PATCH] Fix the procedure for getting default values of command parameters. The parameters used in default_from of other parameters are now properly validated before the default_from is called. [PATCH] Change parameters to use only default_from for dynamic default values. Replace all occurrences of create_default with equivalent default_from and remove create_default from the framework. This is needed for proper parameter validation, as there is no way to tell which parameters to validate prior to calling create_default, because create_default does not provide information about which parameters are used for generating the default value. Honza Forgot to remove one FIXME bit in dns.py. Update patch attached. Honza diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index a10960a..61c645d 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -1528,7 +1528,7 @@ class dnszone(LDAPObject): label=_('SOA serial'), doc=_('SOA record serial number'), minvalue=1, - create_default=_create_zone_serial, + default_from=_create_zone_serial, autofill=True, ), Int('idnssoarefresh', diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py index b26f7e9..9bee314 100644 --- a/ipalib/plugins/passwd.py +++ b/ipalib/plugins/passwd.py 
@@ -69,7 +69,7 @@ class passwd(Command): label=_('User name'), primary_key=True, autofill=True, - create_default=lambda **kw: util.get_current_principal(), + default_from=lambda: util.get_current_principal(), normalizer=lambda value: normalize_principal(value), ), Password('password', This is just a minor nitpick, but I'd like to know if there's a reason behind it: why are you sometimes using lambda and sometimes not? I use lambda as a protective measure against accidents caused by adding optional arguments to the functions used. _create_zone_serial is an exception to that rule, because it is private to the dns plugin. The patch works well here, but I think I'm not the one to ack it. Honza The patch looks OK, I found just minor issues. 1) We may want to add some check for wildcards (**kw) in default_from, I guess it would mess with your dependency solver. Some nice error would warn developers that they are doing something bad. Added the check. 2) Patch 47.4 needs minor rebasing Done. Martin Updated patches attached. Honza I think you squashed the change with an incorrect commit. The check should be rather included in patch 44. I beg to differ, patch 44 changes the way parameter defaults are generated, which is not affected by this change at all. The check is there just to warn developers early if they use default_from in a wrong way (it wouldn't have worked even without the check). This could have happened in patch 47, if I had done a bad job replacing create_default with default_from, so the check belongs there (or into a separate patch). Martin I just noticed it breaks one unit test: == ERROR: Test the `ipalib.parameters.DefaultFrom.__init__` method. 
-- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest self.test(*self.arg) File /home/mkosek/freeipa/tests/test_ipalib/test_parameters.py, line 52, in test_init o = self.cls(callback, *keys) File /home/mkosek/freeipa/ipalib/parameters.py, line 201, in __init__ raise ValueError(callback: variable-length argument list not allowed) ValueError: callback: variable-length argument list not allowed -- Fixed. I also think it would be useful to have one test specifically for this new check. Added. Martin Updated patches attached. Honza -- Jan Cholasta From 0ac41ae8536caaff63e7e84f71affdf5fc9c0b5c Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Mon, 16 Jan 2012 09:21:50 -0500 Subject: [PATCH 2/2] Fix the procedure for getting default values of command parameters. The parameters used in default_from of other parameters are now properly validated before the default_from is called. ticket 1847 --- ipalib/cli.py
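
The check this thread discusses (a default_from callback may not take `*args`/`**kw`, so that the parameters it depends on can be validated before it is called), sketched as an added example in Python 3; it is not FreeIPA's code. `DefaultFromSketch`, `fill_defaults`, `make_login`, the name validator and the sample parameters are hypothetical; only the error text comes from the traceback quoted above.

```python
import inspect
import re

_VARIADIC = (inspect.Parameter.VAR_POSITIONAL, inspect.Parameter.VAR_KEYWORD)


class DefaultFromSketch:
    """Dynamic default whose inputs are named by the callback's signature."""

    def __init__(self, callback, *keys):
        params = inspect.signature(callback).parameters
        if any(p.kind in _VARIADIC for p in params.values()):
            # With *args/**kw there is no way to tell which parameters the
            # callback reads, so nothing could be validated ahead of the call.
            raise ValueError(
                "callback: variable-length argument list not allowed")
        self.callback = callback
        # Explicit keys win; otherwise the argument names are the dependencies.
        self.keys = tuple(keys) or tuple(params)

    def __call__(self, **kw):
        values = [kw.get(key) for key in self.keys]
        if any(value is None for value in values):
            return None  # a dependency is missing, no default can be derived
        return self.callback(*values)


def validate_name(value):
    """Constructed validator: letters plus space, apostrophe and hyphen."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z '-]*", value):
        raise ValueError("invalid characters in %r" % value)


CALLS = []  # every callback invocation, so ordering can be checked


def make_login(givenname, sn):
    CALLS.append((givenname, sn))
    return (givenname[0] + sn).lower()


# Constructed parameter table: name -> (validator, dynamic default or None).
PARAMS = {
    "givenname": (validate_name, None),
    "sn": (validate_name, None),
    "uid": (validate_name, DefaultFromSketch(make_login)),
}


def fill_defaults(params, supplied):
    """Fill missing values, validating each dependency before it is used."""
    result = dict(supplied)
    for name, (_validator, default_from) in params.items():
        if name in result or default_from is None:
            continue
        for dep in default_from.keys:
            if dep in result:
                params[dep][0](result[dep])  # raises before the callback runs
        value = default_from(**result)
        if value is not None:
            result[name] = value
    return result
```
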
Re: [Freeipa-devel] [PATCH 68] text unit test should validate using installed mo file
On 03/27/2012 10:31 PM, John Dennis wrote:
> On 03/27/2012 01:57 PM, Petr Viktorin wrote:
>> Seeing this, I definitely recommend putting po_file_iterate in an importable package.
>
> Of course I considered that. Clearly not any existing top level directory in the tree, those are reserved for what we install and what is import visible after installation. Test utility code should not be installed with our normal modules and packages. It has to be importable from both the install/po area and the test area. It can't depend on nosetests setting the import path prior to execution (because only the unit tests are run via nose).
>
> So we could create a directory tests/util which hosts utilities used for test code and locate it there. I did consider that, it would be (somewhat) cleaner. But unless I'm missing something someone is going to have to modify the include path prior to importing any test utility code. It just becomes a question of where the file is located. I'd be happy to move the bulk of the logic into tests/util/i18n.py, but to import it the importing code is going to have to add tests/util to the import path, which puts you pretty much back into the original situation, just with a different path (albeit perhaps a more logical cleaner path).

Can install/po/Makefile just call test_i18n.py from the tests/ tree? It doesn't import any IPA code so there's no need to set sys.path in this case (though there'd have to be a comment saying we depend on this). In the other case, unit tests, the path is already set by Nose.

Also the file would have to be renamed so nose doesn't pick it up as a test module.

--
Petr³
[Freeipa-devel] [PATCH] 0032 Move DNS test skipping to class setup
Currently, each DNS test case first checks if DNS is configured by creating and deleting a test zone. This takes quite a lot of time. This patch moves the check to the setUpClass method, so the check is only done once for all the tests.

On my VM, this makes the DNS plugin tests 50% faster, saving about half a minute for each test run.

--
Petr³

From a9098f77bf89d1f44ea9ec335e55f05f086e373b Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Wed, 28 Mar 2012 04:42:23 -0400 Subject: [PATCH] Move DNS test skipping to class setup Currently, each DNS test case first checks if DNS is configured by creating and deleting a test zone. This takes quite a lot of time. This patch moves the check to the setUpClass method, so the check is only done once for all the tests. --- tests/test_xmlrpc/test_dns_plugin.py |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py index 1e5ab7917f47b713f226764885035ff6b4ac90cd..911c77371950df863d797f4f01efd4bd46084797 100644 --- a/tests/test_xmlrpc/test_dns_plugin.py +++ b/tests/test_xmlrpc/test_dns_plugin.py @@ -47,8 +47,8 @@ class test_dns(Declarative): -def setUp(self): -super(test_dns, self).setUp() +@classmethod +def setUpClass(cls): try: api.Command['dnszone_add'](dnszone1, idnssoamname = dnszone1_mname, -- 1.7.7.6
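
Review bot: The new setUpClass in test_dns does not chain to its parent: the removed setUp called super(test_dns, self).setUp(), but no super(test_dns, cls).setUpClass() is added in its place. If Declarative or one of its bases defines setUpClass, that setup is now shadowed, so either add the call at the top of the method or note in a comment that the base classes have no class-level setup.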
Re: [Freeipa-devel] [PATCH] 490 Fix s4u2proxy handling when a MS-PAC is available
On Tue, Mar 27, 2012 at 03:17:06PM -0400, Simo Sorce wrote:
> This patch fixes #2504, the logic to choose the client principal to use was basically reversed, and we ended up using the wrong principal to verify the PAC owner.
>
> This patch fixes it. Tested and s4u2proxy keeps working both with and without a PAC attached. It also keeps working with normal TGS requests of course.

ACK, '--delegate' is not needed anymore.

bye,
Sumit

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 16 Netgroup nisdomain and hosts validation
On Tue, 2012-03-27 at 17:56 +0200, Ondrej Hamada wrote: On 03/27/2012 01:57 PM, Martin Kosek wrote: On Fri, 2012-03-23 at 23:10 +0100, Ondrej Hamada wrote: On 03/15/2012 08:13 AM, Martin Kosek wrote: On Wed, 2012-03-14 at 16:54 +0100, Ondrej Hamada wrote: On 03/09/2012 04:34 PM, Martin Kosek wrote: On Thu, 2012-03-08 at 14:52 +0100, Ondrej Hamada wrote:

Netgroup nisdomain and hosts validation

nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447

hosts validation: Added precallback to netgroup_add_member. It validates the specified hostnames and raises ValidationError exception for invalid hostnames. Unit-test added. https://fedorahosted.org/freeipa/ticket/2448

I checked the host validation part and it could be improved. Issue described in #2447 (you have switched the ticket IDs) affects all objects that allow external hosts, users, ..., i.e. those who call add_external_post_callback in their post_callback. Should we fix all of these when we deal with this issue? Otherwise user could do something like this:

# ipa sudorule-add-user foo --users=a+b
Rule name: foo
Enabled: TRUE
External User: a+b

We could create a similar function called add_external_pre_callback() and pass it attribute name and validating function (which would be common with the linked object). It would then do the validation for all these affected objects consistently and without redundant code.
I didn't much like the implemented pre_callback anyway +def pre_callback(self, ldap, dn, found, not_found, *keys, **options): +# validate entered hostnames +if 'host' in options: +invalid_hostnames=[] +for hostname in options['host']: +try: +validate_hostname(hostname, False) +except ValueError: +invalid_hostnames.append(hostname) +if invalid_hostnames: +raise errors.ValidationError(name='host', error='hostnames:\%s\ contain invalid characters' % ','.join(invalid_hostnames)) +return dn I would rather raise the ValidationError with the first invalid hostname and tell what's wrong (function validate_hostname tells it to you). If you go with the proposed approach, you wouldn't have to deal with formatting error messages, you would just raise the one returned by the validator shared with the linked LDAP object (hostname, user, ...). Martin external_pre_callback function seems as a good idea, but there is a problem how to get the validators for various LDAP objects. For the hostname we already have one in ipalib.utils, but for the uid or group name we use only patterns specified in the parameter objects. Below I propose solution how to use the already defined parameter objects for validation (the only problem is that I have to assume, that it is always the first parameter in takes_params). Do you think this is a good approach? I think the approach is OK, it can just be much improved in order to get rid of the hardcoded parts. See comments below. def add_external_pre_callback(memberattr, membertype, externalattr, ldap, dn, found, not_found, *keys, **options): Pre callback to validate external members. if membertype in options: validator = api.Object[membertype].takes_params[0] You can use api.Object[membertype].params[memberattr] for value in options[membertype]: try: validator(value) except errors.ValidationError as e: error_msg = e[(e.find(':')+1):] You don't have to parse error message, you can just use e.name or e.error right from the caught ValidationError. 
raise errors.ValidationError(name=membertype, error=e[e.find(':')+1:]) return dn nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2448 'add_external_pre_callback' function was created to allow validation of all external members. Validation is based on usage of objects primary key parameter. The 'add_external_pre_callback' function has to be called directly from the 'pre_callback' function. This change affects netgroup, hbacrule and sudorule commands. Special validator is used only for hostname, the validator requires fully qualified domain name and enables the hostnames to contain underscores. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447 This is better,
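
The approach the thread converges on (one pre-callback that runs the linked object's own validator over each external member and re-raises that validator's message for the first bad value), as an added Python 3 example that is not the patch under review. The `ValidationError` stand-in, the `VALIDATORS` registry, both regular expressions, the simplified callback signature and the sample DN are assumptions of this sketch; the hostname rule follows the description above (fully qualified, underscores allowed).

```python
import re


class ValidationError(Exception):
    """Stand-in for the framework error: keeps name and error separately."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


# Assumed patterns for this sketch, not FreeIPA's own.
_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")
_LOGIN = re.compile(r"[A-Za-z0-9_.][A-Za-z0-9_.-]{0,31}")


def validate_hostname(value):
    if len(value) > 255:
        raise ValueError("cannot be longer than 255 characters")
    labels = value.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("not fully qualified")
    for label in labels:
        if not _LABEL.fullmatch(label):
            raise ValueError(
                "label %r: only letters, digits, '_' and '-' are allowed, "
                "and '-' not at either end" % label)


def validate_login(value):
    if not _LOGIN.fullmatch(value):
        raise ValueError("may only include letters, numbers, _, - and .")


# One validator per member type, shared with the object that owns the type.
VALIDATORS = {"host": validate_hostname, "user": validate_login}


def add_external_pre_callback(membertype, dn, options):
    """Reject the first invalid external member before anything is stored."""
    validator = VALIDATORS[membertype]
    for value in options.get(membertype, ()):
        try:
            validator(value)
        except ValueError as e:
            # Reuse the validator's message instead of composing a new one.
            raise ValidationError(name=membertype,
                                  error="%s: %s" % (value, e))
    return dn


def check(membertype, values):
    """Return None when all values pass, else the error text."""
    try:
        add_external_pre_callback(membertype, "cn=example", {membertype: values})
    except ValidationError as e:
        return e.error
    return None
```
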
Re: [Freeipa-devel] [PATCH] 0022 Use ipauniqueid for the RDN of sudo commands (rebased)
Earlier, someone (I think Alexander?) mentioned off-list that since the sudocmd attribute is case-sensitive, it should be compared as case-sensitive when used in the DN, so this is a directory server bug.

I found now that ipalib.dn.AVA.__eq__'s docstring says:

The value comparison is also case insensitive because the all [sic] attribute types used in a DN are derived from the 'name' atribute type (OID 2.5.4.41) whose EQUALITY MATCH RULE is caseIgnoreMatch.

We do case-insensitive compares on DNs, and there's no easy way to change this (the DN code knows nothing about a particular schema, including case-sensitivity of its attributes). So however DS is supposed to work (I don't have a manual handy), we're pretty much committed to case-insensitive attributes in DNs.

--
Petr³
[Freeipa-devel] web ui error
I am trying to use the webui on a ipa machine I have here and I seem to be unable to make it work properly.

I load a browser on the machine and head to the webui, in this case https://ipaqavmc.testrelm.com/ipa/ui

I've kinited as admin, and I have run through the browser setup as per the instructions the webui gives me.

When the ui is about to load I get a popup that says internal server error

in /var/log/httd/error_log I get:

[Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] mod_wsgi (pid=18940): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] Traceback (most recent call last):
[Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] File /usr/share/ipa/wsgi.py, line 49, in application
[Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] return api.Backend.wsgi_dispatch(environ, start_response)
[Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 229, in __call__
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] return self.route(environ, start_response)
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 241, in route
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] return app(environ, start_response)
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 792, in __call__
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] ipa_ccache_name = bind_ipa_ccache(ccache_data)
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipalib/session.py, line 1228, in bind_ipa_ccache
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] dst = open(name, 'w')
[Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_18940'

I'm not sure what is going on. I then set the permissions of /var/run/ipa_memcached to full open:

drwxrwxrwx. 2 apache apache 4096 Mar 20 19:02 ipa_memcached

Any ideas on what I can do to make the webui work?

Michael-
Re: [Freeipa-devel] web ui error
Michael Gregg wrote:
> I am trying to use the webui on a ipa machine I have here and I seem to be unable to make it work properly.
>
> I load a browser on the machine and head to the webui, in this case https://ipaqavmc.testrelm.com/ipa/ui
>
> I've kinited as admin, and I have run through the browser setup as per the instructions the webui gives me.
>
> When the ui is about to load I get a popup that says internal server error
>
> in /var/log/httd/error_log I get:
>
> [Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] mod_wsgi (pid=18940): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] Traceback (most recent call last):
> [Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] File /usr/share/ipa/wsgi.py, line 49, in application
> [Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] return api.Backend.wsgi_dispatch(environ, start_response)
> [Wed Mar 28 15:05:44 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 229, in __call__
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] return self.route(environ, start_response)
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 241, in route
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] return app(environ, start_response)
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipaserver/rpcserver.py, line 792, in __call__
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] ipa_ccache_name = bind_ipa_ccache(ccache_data)
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] File /usr/lib/python2.6/site-packages/ipalib/session.py, line 1228, in bind_ipa_ccache
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] dst = open(name, 'w')
> [Wed Mar 28 15:05:45 2012] [error] [client 10.16.98.180] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_18940'
>
> I'm not sure what is going on. I then set the permissions of /var/run/ipa_memcached to full open:
>
> drwxrwxrwx. 2 apache apache 4096 Mar 20 19:02 ipa_memcached
>
> Any ideas on what I can do to make the webui work?
>
> Michael-

See if SELinux is complaining about the file.

What version of ipa-server?

rob
Re: [Freeipa-devel] web ui error
On 03/28/2012 03:12 PM, Michael Gregg wrote:
> I am trying to use the webui on a ipa machine I have here and I seem to be unable to make it work properly.
>
> I load a browser on the machine and head to the webui, in this case https://ipaqavmc.testrelm.com/ipa/ui
>
> I've kinited as admin, and I have run through the browser setup as per the instructions the webui gives me.
>
> When the ui is about to load I get a popup that says internal server error
>
> in /var/log/httd/error_log I get:

This is probably an SELinux issue. Try putting the machine in permissive mode and restart ipa. Does the problem go away? If so we've fixed this and you must have old packages, please update.

Also, could you do us a favor, when providing tracebacks with long lines it's very hard to read when your mail client wraps the lines, could you please either attach them as a text file or point us to a pastebin? Thanks.

--
John Dennis jden...@redhat.com
Re: [Freeipa-devel] web ui error
On 03/28/2012 12:19 PM, John Dennis wrote:
> On 03/28/2012 03:12 PM, Michael Gregg wrote:
>> I am trying to use the webui on a ipa machine I have here and I seem to be unable to make it work properly.
>>
>> I load a browser on the machine and head to the webui, in this case https://ipaqavmc.testrelm.com/ipa/ui
>>
>> I've kinited as admin, and I have run through the browser setup as per the instructions the webui gives me.
>>
>> When the ui is about to load I get a popup that says internal server error
>>
>> in /var/log/httd/error_log I get:
>
> This is probably an SELinux issue. Try putting the machine in permissive mode and restart ipa. Does the problem go away? If so we've fixed this and you must have old packages, please update.
>
> Also, could you do us a favor, when providing tracebacks with long lines it's very hard to read when your mail client wraps the lines, could you please either attach them as a text file or point us to a pastebin? Thanks.

It was a selinux problem.

I'm on ipa-server version: ipa-server-2.2.0-4.el6.x86_64

Maybe I need a newer version?

And I'll attach these errors/tracebacks with pastebin attachments in the future.

Michael-
Re: [Freeipa-devel] [PATCH] 971 detect binary LDAP data
Jan Cholasta wrote: On 29.2.2012 15:45, Rob Crittenden wrote: Jan Cholasta wrote: On 28.2.2012 18:58, Rob Crittenden wrote: Jan Cholasta wrote: On 28.2.2012 18:02, Petr Viktorin wrote: On 02/28/2012 04:45 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 02/28/2012 04:02 AM, Rob Crittenden wrote: Petr Viktorin wrote: On 02/27/2012 05:10 PM, Rob Crittenden wrote: Rob Crittenden wrote: Simo Sorce wrote: On Mon, 2012-02-27 at 09:44 -0500, Rob Crittenden wrote:

We are pretty trusting that the data coming out of LDAP matches its schema but it is possible to stuff non-printable characters into most attributes. I've added a sanity checker to keep a value as a python str type (treated as binary internally). This will result in a base64 encoded blob being returned to the client.

I don't like the idea of having arbitrary binary data where unicode strings are expected. It might cause some unexpected errors (I have a feeling that --addattr and/or --delattr and possibly some plugins might not handle this very well). Wouldn't it be better to just throw away the value if it's invalid and warn the user?

This isn't for user input, it is for data stored in LDAP. Users are going to have no way to provide binary data to us unless they use the API themselves in which case they have to follow our rules.

Well my point was that --addattr and --delattr cause an LDAP search for the given attribute and plugins might get the result of a LDAP search in their post_callback and I'm not sure if they can cope with binary data.

It wouldn't be any different than if we had the value as a unicode.
Let's see what happens if the mail attribute of a user contains invalid UTF-8 (ff 62 30 72 6b 65 64):

$ ipa user-find jdoe
--
1 user matched
--
User login: jdoe
First name: John
Last name: Doe
Home directory: /home/jdoe
Login shell: /bin/sh
Email address: /2IwcmtlZA==
UID: 526
GID: 526
Account disabled: False
Password: False
Kerberos keys available: False
Number of entries returned 1

$ ipa user-mod jdoe --addattr mail=j...@example.com
ipa: ERROR: an internal error has occurred

The internal error is:

Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 302, in wsgi_execute
result = self.Command[name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 438, in __call__
ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 696, in run
return self.execute(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1217, in execute
ldap, dn, entry_attrs, attrs_list, *keys, **options
File /usr/lib/python2.7/site-packages/ipalib/plugins/user.py, line 532, in pre_callback
entry_attrs['mail'] = self.obj._normalize_email(entry_attrs['mail'])
File /usr/lib/python2.7/site-packages/ipalib/plugins/user.py, line 338, in _normalize_email
norm_email.append(m + u'@' + config['ipadefaultemaildomain'][0])
UnicodeDecodeError: 'utf8' codec can't decode byte 0xff in position 0: invalid start byte

$ ipa user-mod jdoe --delattr mail=/2IwcmtlZA==
ipa: ERROR: mail does not contain '/2IwcmtlZA=='

$ ipa user-mod jdoe --delattr mail=`echo 'ff 62 30 72 6b 65 64' | xxd -p -r`
ipa: ERROR: UnicodeDecodeError: 'utf8' codec can't decode byte 0xff in position 5: invalid start byte
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1242, in run
sys.exit(api.Backend.cli.run(argv))
File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1024, in run
kw = self.parse(cmd, argv)
File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1049, in parse
return dict(self.parse_iter(cmd, kw))
File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1058, in parse_iter
yield (key, self.Backend.textui.decode(value))
File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 136, in decode
return value.decode(encoding)
File /usr/lib64/python2.7/encodings/utf_8.py, line 16, in decode
return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xff in position 5: invalid start byte
ipa: ERROR: an internal error has occurred

I'm sure there are a lot more places in the code where things will break when you feed them arbitrary data.

We treat the python type str as binary data. Anything that is a str gets base64 encoded before json or xml-rpc transmission. The type unicode is considered a string and goes in the clear. We determine what this type should be not from the data but from the schema. This is a big assumption. Hopefully this answers Petr's point as well. We decided long ago that str means Binary and unicode means String. It is a bit clumsy perhaps python handles it well. It will be more clear when we switch to Python 3.0 and we'll have bytes and str instead as types.

Well, this is all super-obvious and I'm not really sure why do you bring it up
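
Both sides of this thread in one added Python 3 example (not FreeIPA's code), where the Python 2 `str`/`unicode` split discussed above becomes `bytes`/`str`: a value the schema calls text is kept as bytes when it is not clean UTF-8, is base64-wrapped for transmission, and a text-only consumer type-checks instead of hitting `UnicodeDecodeError`. The `TEXT_ATTRS` set, the `__base64__` wrapper key, all function names and the sample entry are assumptions of this sketch; the byte string is the one from the transcript above.

```python
import base64
import json

# Assumed schema knowledge: attributes whose syntax says "text".
TEXT_ATTRS = {"uid", "givenname", "sn", "mail"}


def is_clean_text(raw):
    """True only for valid UTF-8 without non-printable characters."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\t\n" for ch in text)


def from_ldap(attr, raw):
    """Decode by schema, but keep junk in a text attribute as bytes."""
    if attr.lower() in TEXT_ATTRS and is_clean_text(raw):
        return raw.decode("utf-8")
    return raw


def to_wire(entry):
    """Serialise an entry; bytes travel as a base64 wrapper object."""
    def enc(value):
        if isinstance(value, bytes):
            return {"__base64__": base64.b64encode(value).decode("ascii")}
        return value
    return json.dumps({attr: [enc(v) for v in values]
                       for attr, values in entry.items()}, sort_keys=True)


def from_wire(text):
    """Inverse of to_wire: wrapper objects become bytes again."""
    def dec(value):
        if isinstance(value, dict) and set(value) == {"__base64__"}:
            return base64.b64decode(value["__base64__"])
        return value
    return {attr: [dec(v) for v in values]
            for attr, values in json.loads(text).items()}


def normalize_email(values, default_domain):
    """Text-only consumer: binary values pass through untouched."""
    result = []
    for value in values:
        if isinstance(value, bytes):
            result.append(value)  # never concatenate bytes with text
        elif "@" in value:
            result.append(value)
        else:
            result.append(value + "@" + default_domain)
    return result


# Constructed sample: the invalid mail value from the thread plus a valid one.
RAW_MAIL = bytes.fromhex("ff6230726b6564")
ENTRY = {"mail": [from_ldap("mail", RAW_MAIL), from_ldap("mail", b"jdoe")]}
```
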