Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
rob
Looks good, its just difficult to set up a proper environment for
reproduction. So far, I found just this problem:
[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi
(pid=32705): Exception occurred processing WSGI script
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most
recent call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
logging.error('migration bind failed: %s' % convert_exception(e))
Martin
Just missed saving the exception as a variable, should work now.
rob
Works fine, tested on multiple-suffix LDAP server. We should be also
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.
I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:
https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
Martin Kosek wrote:
On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
rob
Looks good, its just difficult to set up a proper environment for
reproduction. So far, I found just this problem:
[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705):
Exception occurred processing WSGI script
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent
call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
logging.error('migration bind failed: %s' % convert_exception(e))
Martin
Just missed saving the exception as a variable, should work now.
rob
Works fine, tested on multiple-suffix LDAP server. We should be also
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.
I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:
https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
Martin
Well, I did mine first so you should have copied from me :-)
I'll see if I can safely import that.
rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
rob
Looks good, its just difficult to set up a proper environment for
reproduction. So far, I found just this problem:
[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi
(pid=32705): Exception occurred processing WSGI script
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most
recent call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
logging.error('migration bind failed: %s' % convert_exception(e))
Martin
Just missed saving the exception as a variable, should work now.
rob
Works fine, tested on multiple-suffix LDAP server. We should be also
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.
I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:
https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
Martin
Well, I did mine first so you should have copied from me :-)
I _did_ copy from you ;-) I just made a function for it so that it can
be reused.
I'll see if I can safely import that.
rob
Ok.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
Martin Kosek wrote:
On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
rob
Looks good, its just difficult to set up a proper environment for
reproduction. So far, I found just this problem:
[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705):
Exception occurred processing WSGI script
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent
call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
logging.error('migration bind failed: %s' % convert_exception(e))
Martin
Just missed saving the exception as a variable, should work now.
rob
Works fine, tested on multiple-suffix LDAP server. We should be also
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.
I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:
https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
Martin
Well, I did mine first so you should have copied from me :-)
I _did_ copy from you ;-) I just made a function for it so that it can
be reused.
I'll see if I can safely import that.
rob
Ok.
Martin
Done
From 5e26a10179605f7127febb5b1a557eff37d87db8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 26 Sep 2011 22:19:57 -0400
Subject: [PATCH] Migration: don't assume there is only one naming context,
add logging.
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
https://fedorahosted.org/freeipa/ticket/1834
https://fedorahosted.org/freeipa/ticket/1835
---
install/migration/invalid.html |2 +-
install/migration/migration.py | 47
2 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/install/migration/invalid.html b/install/migration/invalid.html
index a641d1a..91de79f 100644
--- a/install/migration/invalid.html
+++ b/install/migration/invalid.html
@@ -35,7 +35,7 @@
pIf the problem persists, contact your administrator./p
/div
/div
- form id=login action= name=
+ form id=login action=migration.py method=post name=
ul
li
label for=usernameUsername:/label
diff --git a/install/migration/migration.py b/install/migration/migration.py
index ed6ade9..8edd678 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -25,10 +25,25 @@ import errno
import glob
import ldap
import wsgiref
+import logging
+from ipapython.ipautil import get_ipa_basedn
BASE_DN = ''
LDAP_URI = 'ldaps://localhost:636'
+def convert_exception(error):
+
+Convert an LDAP exception into something more readable.
+
+if not isinstance(error, ldap.TIMEOUT):
+desc = error.args[0]['desc'].strip()
+info = error.args[0].get('info', '').strip()
+else:
+desc = ''
+info = ''
+
+return '%s (%s)' % (desc, info)
+
def wsgi_redirect(start_response, loc):
start_response('302 Found', [('Location', loc)])
return []
@@ -44,39 +59,44 @@ def get_base_dn():
Retrieve LDAP server base DN.
+global BASE_DN
+
if BASE_DN:
return BASE_DN
try:
conn = ldap.initialize(LDAP_URI)
conn.simple_bind_s('', '')
-entries = conn.search_ext_s(
-'', scope=ldap.SCOPE_BASE, attrlist=['namingcontexts']
-)
-except ldap.LDAPError:
-return ''
-conn.unbind_s()
-try:
-return entries[0][1]['namingcontexts'][0]
-except (IndexError, KeyError):
+BASE_DN = get_ipa_basedn(conn)
+except ldap.LDAPError, e:
+logging.error('migration context search failed: %s' % e)
return ''
+finally:
+conn.unbind_s()
+
+return BASE_DN
def bind(username, password):
base_dn = get_base_dn()
if not base_dn:
+logging.error('migration
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Tue, 2011-10-04 at 09:26 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Tue, 2011-10-04 at 08:53 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-10-03 at 16:44 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
We can't assume that there will be only one naming context. Look at
each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
rob
Looks good, its just difficult to set up a proper environment for
reproduction. So far, I found just this problem:
[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi
(pid=32705): Exception occurred processing WSGI script
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most
recent call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
logging.error('migration bind failed: %s' % convert_exception(e))
Martin
Just missed saving the exception as a variable, should work now.
rob
Works fine, tested on multiple-suffix LDAP server. We should be also
fine when anonymous access is not allowed (Simo was dealing with this in
ipa-client-install in #1881) since migration.py binds via socket.
I have just one suggestion - instead of searching for correct naming
context on your own, you may want to use a function get_ipa_basedn() I
implemented for ipa-client-install (#1868). This will do all the checks
and return you just the IPA baseDN:
https://fedorahosted.org/freeipa/changeset/00cffce6c2ba0121188326535d6c9cd244a4ae5b
Martin
Well, I did mine first so you should have copied from me :-)
I _did_ copy from you ;-) I just made a function for it so that it can
be reused.
I'll see if I can safely import that.
rob
Ok.
Martin
Done
ACK. Pushed to master, ipa-2-1.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 884 migration context and logging
On Mon, 2011-09-26 at 22:24 -0400, Rob Crittenden wrote:
We can't assume that there will be only one naming context. Look at each
one until we find an IPA one.
Add logging so you can know that a migration attempt fails and why.
rob
Looks good, its just difficult to set up a proper environment for
reproduction. So far, I found just this problem:
[Tue Sep 27 10:30:39 2011] [error] [client 10.34.25.52] mod_wsgi (pid=32705):
Exception occurred processing WSGI script
'/usr/share/ipa/migration/migration.py'.
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] Traceback (most recent
call last):
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 127, in application
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
bind(form_data['username'].value, form_data['password'].value)
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52] File
/usr/share/ipa/migration/migration.py, line 107, in bind
[Tue Sep 27 10:30:40 2011] [error] [client 10.34.25.52]
logging.error('migration bind failed: %s' % convert_exception(e))
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
