Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote: We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why. rob Looks good, its just difficult to set up a proper environment for reproduction. So far, I found just this problem: [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'. [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last): [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 127, in application [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] bind(form_data['username'].value, form_data['password'].value) [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 107, in bind [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] logging.error('migration bind failed: %s' % convert_exception(e)) Martin Just missed saving the exception as a variable, should work now. rob Works fine, tested on multiple-suffix LDAP server. We should be also fine when anonymous access is not allowed (Simo was dealing with this in ipa-client-install in #1881) since migration.py binds via socket. I have just one suggestion - instead of searching for correct naming context on your own, you may want to use a function get_ipa_basedn() I implemented for ipa-client-install (#1868). This will do all the checks and return you just the IPA baseDN: https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
Martin Kosek wrote: On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote: We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why. rob Looks good, its just difficult to set up a proper environment for reproduction. So far, I found just this problem: [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'. [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last): [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 127, in application [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] bind(form_data['username'].value, form_data['password'].value) [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 107, in bind [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] logging.error('migration bind failed: %s' % convert_exception(e)) Martin Just missed saving the exception as a variable, should work now. rob Works fine, tested on multiple-suffix LDAP server. We should be also fine when anonymous access is not allowed (Simo was dealing with this in ipa-client-install in #1881) since migration.py binds via socket. I have just one suggestion - instead of searching for correct naming context on your own, you may want to use a function get_ipa_basedn() I implemented for ipa-client-install (#1868). This will do all the checks and return you just the IPA baseDN: https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b Martin Well, I did mine first so you should have copied from me :-) I'll see if I can safely import that. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote: We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why. rob Looks good, its just difficult to set up a proper environment for reproduction. So far, I found just this problem: [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'. [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last): [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 127, in application [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] bind(form_data['username'].value, form_data['password'].value) [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 107, in bind [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] logging.error('migration bind failed: %s' % convert_exception(e)) Martin Just missed saving the exception as a variable, should work now. rob Works fine, tested on multiple-suffix LDAP server. We should be also fine when anonymous access is not allowed (Simo was dealing with this in ipa-client-install in #1881) since migration.py binds via socket. I have just one suggestion - instead of searching for correct naming context on your own, you may want to use a function get_ipa_basedn() I implemented for ipa-client-install (#1868). This will do all the checks and return you just the IPA baseDN: https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b Martin Well, I did mine first so you should have copied from me :-) I _did_ copy from you ;-) I just made a function for it so that it can be reused. I'll see if I can safely import that. rob Ok. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
Martin Kosek wrote: On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote: We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why. rob Looks good, its just difficult to set up a proper environment for reproduction. So far, I found just this problem: [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'. [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last): [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 127, in application [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] bind(form_data['username'].value, form_data['password'].value) [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 107, in bind [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] logging.error('migration bind failed: %s' % convert_exception(e)) Martin Just missed saving the exception as a variable, should work now. rob Works fine, tested on multiple-suffix LDAP server. We should be also fine when anonymous access is not allowed (Simo was dealing with this in ipa-client-install in #1881) since migration.py binds via socket. I have just one suggestion - instead of searching for correct naming context on your own, you may want to use a function get_ipa_basedn() I implemented for ipa-client-install (#1868). This will do all the checks and return you just the IPA baseDN: https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b Martin Well, I did mine first so you should have copied from me :-) I _did_ copy from you ;-) I just made a function for it so that it can be reused. I'll see if I can safely import that. rob Ok. Martin Done From 5e26a10179605f7127febb5b1a557eff37d87db8 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Mon, 26 Sep 2011 22:19:57 -0400 Subject: [PATCH] Migration: don't assume there is only one naming context, add logging. We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why. https://fedorahosted.org/freeipa/ticket/1834 https://fedorahosted.org/freeipa/ticket/1835 --- install/migration/invalid.html |2 +- install/migration/migration.py | 47 2 files changed, 34 insertions(+), 15 deletions(-) diff --git a/install/migration/invalid.html b/install/migration/invalid.html index a641d1a..91de79f 100644 --- a/install/migration/invalid.html +++ b/install/migration/invalid.html @@ -35,7 +35,7 @@ pIf the problem persists, contact your administrator./p /div /div - form id=login action= name= + form id=login action=migration.py method=post name= ul li label for=usernameUsername:/label diff --git a/install/migration/migration.py b/install/migration/migration.py index ed6ade9..8edd678 100644 --- a/install/migration/migration.py +++ b/install/migration/migration.py @@ -25,10 +25,25 @@ import errno import glob import ldap import wsgiref +import logging +from ipapython.ipautil import get_ipa_basedn BASE_DN = '' LDAP_URI = 'ldaps://localhost:636' +def convert_exception(error): + +Convert an LDAP exception into something more readable. + +if not isinstance(error, ldap.TIMEOUT): +desc = error.args[0]['desc'].strip() +info = error.args[0].get('info', '').strip() +else: +desc = '' +info = '' + +return '%s (%s)' % (desc, info) + def wsgi_redirect(start_response, loc): start_response('302 Found', [('Location', loc)]) return [] @@ -44,39 +59,44 @@ def get_base_dn(): Retrieve LDAP server base DN. +global BASE_DN + if BASE_DN: return BASE_DN try: conn = ldap.initialize(LDAP_URI) conn.simple_bind_s('', '') -entries = conn.search_ext_s( -'', scope=ldap.SCOPE_BASE, attrlist=['namingcontexts'] -) -except ldap.LDAPError: -return '' -conn.unbind_s() -try: -return entries[0][1]['namingcontexts'][0] -except (IndexError, KeyError): +BASE_DN = get_ipa_basedn(conn) +except ldap.LDAPError, e: +logging.error('migration context search failed: %s' % e) return '' +finally: +conn.unbind_s() + +return BASE_DN def bind(username, password): base_dn = get_base_dn() if not base_dn: +logging.error('migration
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Tue, 2011-10-04 at 09:26 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote: Martin Kosek wrote: On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote: We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why. rob Looks good, its just difficult to set up a proper environment for reproduction. So far, I found just this problem: [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'. [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last): [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 127, in application [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] bind(form_data['username'].value, form_data['password'].value) [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 107, in bind [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] logging.error('migration bind failed: %s' % convert_exception(e)) Martin Just missed saving the exception as a variable, should work now. rob Works fine, tested on multiple-suffix LDAP server. We should be also fine when anonymous access is not allowed (Simo was dealing with this in ipa-client-install in #1881) since migration.py binds via socket. I have just one suggestion - instead of searching for correct naming context on your own, you may want to use a function get_ipa_basedn() I implemented for ipa-client-install (#1868). This will do all the checks and return you just the IPA baseDN: https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b Martin Well, I did mine first so you should have copied from me :-) I _did_ copy from you ;-) I just made a function for it so that it can be reused. I'll see if I can safely import that. rob Ok. Martin Done ACK. Pushed to master, ipa-2-1. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote: We can't assume that there will be only one naming context. Look at each one until we find an IPA one. Add logging so you can know that a migration attempt fails and why. rob Looks good, its just difficult to set up a proper environment for reproduction. So far, I found just this problem: [Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705): Exception occurred processing WSGI script '/usr/share/ipa/migration/migration.py'. [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent call last): [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 127, in application [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] bind(form_data['username'].value, form_data['password'].value) [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File /usr/share/ipa/migration/migration.py, line 107, in bind [Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] logging.error('migration bind failed: %s' % convert_exception(e)) Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel