Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
Pavel Zůna wrote:
> On 4/15/2010 8:18 PM, Rob Crittenden wrote:
>> [...]
>
> This is fixed in the ipa-dns-install patch I posted yesterday. I thought
> this wasn't caused by the changes made by the "Use ldap2..." patch.
>
> The problem here is that we call python-ldap with a unicode string. The
> string is generated from api.env constants that have become unicode a
> month or two ago.
>
> Anyway, I can always move the fix to this problem from the ipa-dns-install
> patch into this one. However I need to talk to Martin about the
> bindinstance.py file - I'll make sure to resolve this by the end of today.
>
> Pavel

With the DNS patches also applied this seems to be working ok.

pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 4/15/2010 8:18 PM, Rob Crittenden wrote:
> Pavel Zůna wrote:
>> [...]
>
> Still not working:
>
> root : CRITICAL Could not modify principal's krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com entry
> Unexpected error - see ipaserver-install.log for details:
> The backtrace is:
>   File "/usr/sbin/ipa-dns-install", line 172, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-dns-install", line 158, in main
>     bind.create_instance()
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 195, in create_instance
>     self.start_creation("Configuring named:")
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 237, in start_creation
>     method()
>   File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in __setup_principal
>     raise e
> ('expected a string in the list', u'k')
>
> rob

This is fixed in the ipa-dns-install patch I posted yesterday. I thought this
wasn't caused by the changes made by the "Use ldap2..." patch.

The problem here is that we call python-ldap with a unicode string. The string
is generated from api.env constants that have become unicode a month or two
ago.

Anyway, I can always move the fix to this problem from the ipa-dns-install
patch into this one. However I need to talk to Martin about the
bindinstance.py file - I'll make sure to resolve this by the end of today.

Pavel
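The unicode-versus-byte-string mismatch Pavel describes, as an added example that is neither the FreeIPA patch nor python-ldap's own code: a reconstruction of how python-ldap 2.x on Python 2 treated a modlist value that was not a byte string (my reading of its C code, so treat it as an assumption), which explains why the traceback reports a single character, followed by a normaliser that encodes values before they reach python-ldap. The principal value and the `MOD_REPLACE` constant are constructed here so the script runs offline.

```python
from typing import Any, Iterable, List, Tuple

MOD_REPLACE = 2  # value of ldap.MOD_REPLACE in python-ldap (kept local to stay offline)
Mod = Tuple[int, str, Any]  # (op, attribute, value or values) as python-ldap takes it


def emulate_py2_value_check(value: Any) -> List[bytes]:
    """Reconstruction (assumption) of python-ldap 2.x's Tuple_to_LDAPMod():
    a byte string (Python 2 'str') is one value; anything else is walked as a
    *sequence* of values, each of which must again be a byte string.  A
    unicode value is not 'str', so it is iterated character by character and
    its first character is rejected; in the thread that was u'k' (assumed to
    be the first letter of the real offending value)."""
    if isinstance(value, bytes):
        return [value]
    for item in value:  # text is iterable, so this walks its characters
        if not isinstance(item, bytes):
            raise TypeError("expected a string in the list", item)
    return list(value)


def to_ldap_value(value: Any) -> List[bytes]:
    """Coerce one attribute value, or a list of them, into the list of byte
    strings python-ldap expects.  Text is UTF-8 encoded, ints become their
    decimal form, bools the LDAP TRUE/FALSE tokens, None means no value."""
    if value is None:
        return []
    if isinstance(value, (bytes, str, int)):  # bool is an int subclass
        value = [value]
    out: List[bytes] = []
    for item in value:
        if isinstance(item, bytes):
            out.append(item)
        elif isinstance(item, bool):  # must be tested before int
            out.append(b"TRUE" if item else b"FALSE")
        elif isinstance(item, (str, int)):
            out.append(str(item).encode("utf-8"))
        else:
            raise TypeError("unsupported LDAP value type", type(item).__name__)
    return out


def normalize_modlist(modlist: Iterable[Mod]) -> List[Tuple[int, str, List[bytes]]]:
    """Return a modlist whose every value list passes the byte-string check."""
    return [(op, attr, to_ldap_value(value)) for op, attr, value in modlist]


if __name__ == "__main__":
    # Constructed: a principal built from (unicode) api.env values, as in the thread.
    principal = "DNS/lion.greyoak@greyoak.com"
    try:
        emulate_py2_value_check(principal)
    except TypeError as e:
        print("python-ldap 2.x would raise:", e.args)  # first character of the value
    fixed = normalize_modlist([(MOD_REPLACE, "krbprincipalname", principal)])
    print("normalised modlist:", fixed)
```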
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
Pavel Zůna wrote:
> On 4/14/2010 4:35 PM, Rob Crittenden wrote:
>> [...]
>
> Ouch, sorry about that. New patch attached.
>
> Pavel

Still not working:

root: CRITICAL Could not modify principal's krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com entry
Unexpected error - see ipaserver-install.log for details:
The backtrace is:
  File "/usr/sbin/ipa-dns-install", line 172, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-dns-install", line 158, in main
    bind.create_instance()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 195, in create_instance
    self.start_creation("Configuring named:")
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 237, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py", line 293, in __setup_principal
    raise e
('expected a string in the list', u'k')

rob
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 4/14/2010 4:35 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> [...]
>
> Lots better. I was able to create and manage replicas but ipa-dns-install
> isn't working:
>
> # ipa-dns-install
>
> The log file for this installation can be found in /var/log/ipaserver-install.log
> ==
> This program will setup DNS for the FreeIPA Server.
>
> This includes:
>   * Configure DNS (bind)
>
> To accept the default shown in brackets, press the Enter key.
>
> Existing BIND configuration detected, overwrite? [no]: y
> Do you wish to configure DNS forwarders? [no]:
> No DNS forwarders configured
> Directory Manager password:
>
> Unexpected error - see ipaserver-install.log for details:
> 'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel

From 6f1e71d1ad926b827d43c4dbcab768ecaa675389 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com Date: Wed, 24 Mar 2010 15:51:31 +0100 Subject: [PATCH] Use ldap2 instead of legacy LDAP code from v1 in installer scripts. --- install/tools/ipa-compat-manage | 38 ++-- install/tools/ipa-dns-install| 18 +- install/tools/ipa-fix-CVE-2008-3274 | 63 +++-- install/tools/ipa-ldap-updater |2 - install/tools/ipa-nis-manage | 44 +++ install/tools/ipa-replica-install| 22 ++-- install/tools/ipa-replica-manage |8 ++-- install/tools/ipa-replica-prepare| 33 - install/tools/ipa-server-certinstall | 18 - install/tools/ipa-server-install | 24 ++--- ipaserver/plugins/ldap2.py | 22 +--- 11 files changed, 144 insertions(+), 148 deletions(-) diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage index 09a06ca..b22ce77 100755 --- a/install/tools/ipa-compat-manage +++ b/install/tools/ipa-compat-manage @@ -22,12 +22,11 @@ import sys try: from optparse import OptionParser -from ipaserver import ipaldap from ipapython import entity, ipautil, config from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR +from ipaserver.plugins.ldap2 import ldap2 from ipalib import errors -import ldap import logging import re import krbV 
@@ -95,26 +94,29 @@ def main(): else: dirman_password = get_dirman_password() +conn = None try: +ldapuri = 'ldap://%s' % installutils.get_fqdn() try: -conn = ipaldap.IPAdmin(installutils.get_fqdn()) -conn.do_simple_bind(bindpw=dirman_password) -except ldap.LDAPError, e: +conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='') +conn.connect( +bind_dn='cn=directory manager', bind_pw=dirman_password +) +except errors.LDAPError, e: print An error occurred while connecting to the server. -print %s % e[0]['desc'] +print e return 1 if args[0] == enable: try: -conn.getEntry(cn=Schema Compatibility,cn=plugins,cn=config, - ldap.SCOPE_BASE, (objectclass=*)) +conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config') print Plugin already Enabled retval = 2 except errors.NotFound: print Enabling plugin -except ldap.LDAPError, e: +except errors.LDAPError, e: print An error occurred while talking to the server. -print %s % e[0]['desc'] +print e retval = 1 if retval == 0: @@ -127,17 +129,15 @@ def main(): # Make a quick hack foir now, directly delete the entries by name, # In future we should add
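Review bot: the import hunk of install/tools/ipa-compat-manage drops `import ldap` together with `from ipaserver import ipaldap`, so any `ldap.SCOPE_BASE` or `ldap.LDAPError` still referenced elsewhere in the script will only surface as a NameError when that branch executes. The visible main() hunk converts two such uses, but the third hunk is cut off here, so grep the whole file (and the other ten files in the diffstat) for a surviving `ldap.` reference before this is pushed. `import krbV` and the optparse/logging imports are left alone, which is fine.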
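Review bot: in the main() hunk of ipa-compat-manage the Directory Manager simple bind, `conn.connect(bind_dn='cn=directory manager', bind_pw=dirman_password)`, now targets `ldapuri = 'ldap://%s' % installutils.get_fqdn()`, a plain ldap:// URI with no TLS anywhere in the hunk. The legacy `ipaldap.IPAdmin(installutils.get_fqdn())` path had the same property, but since the connection code is being rewritten anyway this is the moment to point ldap2 at a local socket or TLS URI if it accepts one, so the password does not cross the network in clear. Two smaller points: `conn = None` is initialised but nothing in the hunk uses it, so if a later `finally:` calls `conn.disconnect()` it needs a `None` check; and the bind is guarded only by `except errors.LDAPError`, while the first review comment in this thread says a failed bind currently surfaces as ACIError, so confirm ACIError is caught here or a wrong password will produce a traceback instead of the "An error occurred while connecting to the server." message.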
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 03/30/2010 10:27 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> [...]
>
> I'm not sure if you attached the wrong patch or not (it's dated 3/24) but
> things are still not working:
>
> # ipa-replica-install replica-info-tiger.example.com.gpg
> Directory Manager (existing master) password:
> creation of replica failed: 'Env' object has no attribute 'basedn'
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> rob

Sorry for a late reply. Here's a patch that should finally work. I did a lot
more testing and setting up a replica went smoothly every time.

Pavel

0001-Use-ldap2-instead-of-legacy-LDAP-code-from-v1-in-ins.patch
Description: application/mbox
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
On 03/23/2010 09:40 PM, Rob Crittenden wrote:
> Pavel Zuna wrote:
>> [...]
>
> nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
> ipa-server-certinstall and ipa-replica-install.
>
> rob

Fixed patch attached.

Pavel

0001-Use-ldap2-instead-of-legacy-LDAP-code-from-v1-in-ins.patch
Description: application/mbox
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
Pavel Zuna wrote:
> This is the first in a series of patches that replace all the legacy code
> from v1 related to LDAP.
>
> I did some limited testing of the installer after this patch and nothing
> seems to break, but I didn't do replicas etc...
>
> Pavel

nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
ipa-server-certinstall and ipa-replica-install.

rob
Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.
Pavel Zuna wrote:
> This is the first in a series of patches that replace all the legacy code
> from v1 related to LDAP.
>
> I did some limited testing of the installer after this patch and nothing
> seems to break, but I didn't do replicas etc...
>
> Pavel

A couple of comments:

- We return ACIError when a bind fails? Seems like we should throw some other
  exception in this case.
- In ipa-fix-CVE-2008-3274 (which as an aside I'm not sure we need to carry to
  IPAv2) you may need to change the reference to
  ipapython.config.config.default_server[0]. I'm not sure this is going to do
  the right thing.
- Is the mod from ipa-fix-CVE-2008-3274 going to do a delete/add or a replace?
  I think it needs to be a replace so this attribute may need to be added to
  the replace exception list. I think it might be covered because we are doing
  just one operation on it.
- In ipa-server-install you added an import for ipalib.util but it doesn't
  seem to be used anywhere.

None of these are show stoppers. I'll continue looking at the patch, this one
is going to take a while to test out.

rob