Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-04-19 Thread Rob Crittenden

Pavel Zůna wrote:

On 4/15/2010 8:18 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 4/14/2010 4:35 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/30/2010 10:27 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This is the first in a series of patches, that replace all the legacy
code from v1 related to LDAP. I did some limited testing of the
installer after this patch and nothing seems to break, but I didn't do
replicas etc...

Pavel


nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel


I'm not sure if you attached the wrong patch or not (it's dated 3/24)
but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:

creation of replica failed: 'Env' object has no attribute 'basedn'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did
a lot more testing and setting up a replica went smoothly every time.

Pavel


Lots better. I was able to create and manage replicas but
ipa-dns-install isn't working:

# ipa-dns-install

The log file for this installation can be found in
/var/log/ipaserver-install.log
==

This program will setup DNS for the FreeIPA Server.

This includes:
* Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:

Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel



Still not working:

root : CRITICAL Could not modify principal's
krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com
entry
Unexpected error - see ipaserver-install.log for details:

The backtrace is:
File /usr/sbin/ipa-dns-install, line 172, in module
sys.exit(main())
File /usr/sbin/ipa-dns-install, line 158, in main
bind.create_instance()
File
/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py,
line 195, in create_instance
self.start_creation(Configuring named:)
File /usr/lib/python2.6/site-packages/ipaserver/install/service.py,
line 237, in start_creation
method()
File
/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py,
line 293, in __setup_principal
raise e
('expected a string in the list', u'k')

rob

This is fixed in the ipa-dns-install patch I posted yesterday. I thought
this wasn't caused by the changes made by the Use ldap2... patch.


The problem here is that we call python-ldap with a unicode string. The 
string is generated from api.env constants that have become unicode a 
month or two ago.


Anyway, I can always move the fix to this problem from the 
ipa-dns-install patch into this one. However I need to talk to Martin 
about the bindinstance.py file - I'll make sure to resolve this by the 
end of today.


Pavel


With the DNS patches also applied this seems to be working ok.

pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
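
The unicode failure Pavel describes above, as an added example (not code from the thread, FreeIPA or python-ldap): a simplified Python 3 model of the value check behind 'expected a string in the list', with `bytes` standing in for the Python 2 byte string and `str` for `unicode`, plus one way to encode values before the call. The shape of the check, the helper names and the sample principal are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not python-ldap's code) of how a modlist
# value is validated; encode_modlist is a hypothetical helper.
MOD_REPLACE = 2  # numeric value of ldap.MOD_REPLACE


def check_values(values):
    """Model of the value check: one byte string or a sequence of them."""
    if values is None or isinstance(values, bytes):
        return
    try:
        items = iter(values)
    except TypeError:
        raise TypeError("expected a string or list", values)
    for item in items:
        if not isinstance(item, bytes):
            # A text value is a sequence too, so its first character lands here.
            raise TypeError("expected a string in the list", item)


def encode_values(values, encoding="utf-8"):
    """Return values as a list of byte strings, encoding text values."""
    if values is None:
        return None
    if isinstance(values, (bytes, str)):
        values = [values]
    encoded = []
    for value in values:
        if isinstance(value, str):
            value = value.encode(encoding)
        elif not isinstance(value, bytes):
            raise TypeError("unsupported attribute value: %r" % (value,))
        encoded.append(value)
    return encoded


def encode_modlist(modlist):
    """Encode every value in a list of (op, attribute, values) tuples."""
    return [(op, attr, encode_values(vals)) for op, attr, vals in modlist]


def first_error(modlist):
    """Return the TypeError args the model raises for modlist, or None."""
    try:
        for _op, _attr, vals in modlist:
            check_values(vals)
    except TypeError as exc:
        return exc.args
    return None


# Constructed sample: a text value assembled from configuration constants.
REALM = "EXAMPLE.COM"
PRINCIPAL = "DNS/host.example.com@" + REALM
RAW_MODLIST = [(MOD_REPLACE, "krbPrincipalName", PRINCIPAL)]
```

In this model the rejected item is the first character of the text value, which is consistent with the u'k' in the traceback quoted above.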

Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-04-16 Thread Pavel Zůna

On 4/15/2010 8:18 PM, Rob Crittenden wrote:

Pavel Zůna wrote:

On 4/14/2010 4:35 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/30/2010 10:27 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This is the first in a series of patches, that replace all the legacy
code from v1 related to LDAP. I did some limited testing of the
installer after this patch and nothing seems to break, but I didn't do
replicas etc...

Pavel


nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel


I'm not sure if you attached the wrong patch or not (it's dated 3/24)
but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:

creation of replica failed: 'Env' object has no attribute 'basedn'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did
a lot more testing and setting up a replica went smoothly every time.

Pavel


Lots better. I was able to create and manage replicas but
ipa-dns-install isn't working:

# ipa-dns-install

The log file for this installation can be found in
/var/log/ipaserver-install.log
==


This program will setup DNS for the FreeIPA Server.

This includes:
* Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:

Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel



Still not working:

root : CRITICAL Could not modify principal's
krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com
entry
Unexpected error - see ipaserver-install.log for details:

The backtrace is:
File /usr/sbin/ipa-dns-install, line 172, in module
sys.exit(main())
File /usr/sbin/ipa-dns-install, line 158, in main
bind.create_instance()
File
/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py,
line 195, in create_instance
self.start_creation(Configuring named:)
File /usr/lib/python2.6/site-packages/ipaserver/install/service.py,
line 237, in start_creation
method()
File
/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py,
line 293, in __setup_principal
raise e
('expected a string in the list', u'k')

rob

This is fixed in the ipa-dns-install patch I posted yesterday. I thought
this wasn't caused by the changes made by the Use ldap2... patch.


The problem here is that we call python-ldap with a unicode string. The 
string is generated from api.env constants that have become unicode a 
month or two ago.


Anyway, I can always move the fix to this problem from the 
ipa-dns-install patch into this one. However I need to talk to Martin 
about the bindinstance.py file - I'll make sure to resolve this by the 
end of today.


Pavel


Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-04-15 Thread Rob Crittenden

Pavel Zůna wrote:

On 4/14/2010 4:35 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/30/2010 10:27 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:
This is the first in a series of patches, that replace all the legacy
code from v1 related to LDAP. I did some limited testing of the
installer after this patch and nothing seems to break, but I didn't do
replicas etc...

Pavel


nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel


I'm not sure if you attached the wrong patch or not (it's dated 3/24)
but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:

creation of replica failed: 'Env' object has no attribute 'basedn'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did
a lot more testing and setting up a replica went smoothly every time.

Pavel


Lots better. I was able to create and manage replicas but
ipa-dns-install isn't working:

# ipa-dns-install

The log file for this installation can be found in
/var/log/ipaserver-install.log
==

This program will setup DNS for the FreeIPA Server.

This includes:
* Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:

Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel



Still not working:

root: CRITICAL Could not modify principal's 
krbprincipalname=DNS/lion.greyoak@greyoak.com,cn=services,cn=accounts,dc=greyoak,dc=com 
entry

Unexpected error - see ipaserver-install.log for details:

The backtrace is:
  File /usr/sbin/ipa-dns-install, line 172, in module
sys.exit(main())
  File /usr/sbin/ipa-dns-install, line 158, in main
bind.create_instance()
  File 
/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py, 
line 195, in create_instance

self.start_creation(Configuring named:)
  File /usr/lib/python2.6/site-packages/ipaserver/install/service.py, 
line 237, in start_creation

method()
  File 
/usr/lib/python2.6/site-packages/ipaserver/install/bindinstance.py, 
line 293, in __setup_principal

raise e
 ('expected a string in the list', u'k')

rob


Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-04-14 Thread Pavel Zůna

On 4/14/2010 4:35 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/30/2010 10:27 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This is the first in a series of patches, that replace all the legacy
code from v1 related to LDAP. I did some limited testing of the
installer after this patch and nothing seems to break, but I didn't do
replicas etc...

Pavel


nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel


I'm not sure if you attached the wrong patch or not (it's dated 3/24)
but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:

creation of replica failed: 'Env' object has no attribute 'basedn'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did
a lot more testing and setting up a replica went smoothly every time.

Pavel


Lots better. I was able to create and manage replicas but
ipa-dns-install isn't working:

# ipa-dns-install

The log file for this installation can be found in
/var/log/ipaserver-install.log
==

This program will setup DNS for the FreeIPA Server.

This includes:
* Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y
Do you wish to configure DNS forwarders? [no]:
No DNS forwarders configured
Directory Manager password:

Unexpected error - see ipaserver-install.log for details:
'API' object has no attribute 'env_host'

Ouch, sorry about that. New patch attached.

Pavel

From 6f1e71d1ad926b827d43c4dbcab768ecaa675389 Mon Sep 17 00:00:00 2001
From: Pavel Zuna pz...@redhat.com
Date: Wed, 24 Mar 2010 15:51:31 +0100
Subject: [PATCH] Use ldap2 instead of legacy LDAP code from v1 in installer 
scripts.

---
 install/tools/ipa-compat-manage  |   38 ++--
 install/tools/ipa-dns-install|   18 +-
 install/tools/ipa-fix-CVE-2008-3274  |   63 +++--
 install/tools/ipa-ldap-updater   |2 -
 install/tools/ipa-nis-manage |   44 +++
 install/tools/ipa-replica-install|   22 ++--
 install/tools/ipa-replica-manage |8 ++--
 install/tools/ipa-replica-prepare|   33 -
 install/tools/ipa-server-certinstall |   18 -
 install/tools/ipa-server-install |   24 ++---
 ipaserver/plugins/ldap2.py   |   22 +---
 11 files changed, 144 insertions(+), 148 deletions(-)

diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index 09a06ca..b22ce77 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -22,12 +22,11 @@
 import sys
 try:
 from optparse import OptionParser
-from ipaserver import ipaldap
 from ipapython import entity, ipautil, config
 from ipaserver.install import installutils
 from ipaserver.install.ldapupdate import LDAPUpdate, BadSyntax, UPDATES_DIR
+from ipaserver.plugins.ldap2 import ldap2
 from ipalib import errors
-import ldap
 import logging
 import re
 import krbV
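Review bot: With "import ldap" and "from ipaserver import ipaldap" dropped from the import block, any ldap. or ipaldap. reference left elsewhere in ipa-compat-manage will only fail with a NameError when that branch actually runs. The next hunk converts ldap.LDAPError and ldap.SCOPE_BASE, but the rest of main() is not visible here, so please confirm that no other uses remain before removing the imports.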
@@ -95,26 +94,29 @@ def main():
 else:
 dirman_password = get_dirman_password()
 
+conn = None
 try:
+ldapuri = 'ldap://%s' % installutils.get_fqdn()
 try:
-conn = ipaldap.IPAdmin(installutils.get_fqdn())
-conn.do_simple_bind(bindpw=dirman_password)
-except ldap.LDAPError, e:
+conn = ldap2(shared_instance=False, ldap_uri=ldapuri, base_dn='')
+conn.connect(
+bind_dn='cn=directory manager', bind_pw=dirman_password
+)
+except errors.LDAPError, e:
 print An error occurred while connecting to the server.
-print %s % e[0]['desc']
+print e
 return 1
 
 if args[0] == enable:
 try:
-conn.getEntry(cn=Schema Compatibility,cn=plugins,cn=config,
-  ldap.SCOPE_BASE, (objectclass=*))
+conn.get_entry('cn=Schema Compatibility,cn=plugins,cn=config')
 print Plugin already Enabled
 retval = 2
 except errors.NotFound:
 print Enabling plugin
-except ldap.LDAPError, e:
+except errors.LDAPError, e:
 print An error occurred while talking to the server.
-print %s % e[0]['desc']
+print e
 retval = 1
 
 if retval == 0:
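Review bot: The new conn.connect() call binds as 'cn=directory manager' with bind_pw=dirman_password over the plain 'ldap://%s' URI built two lines earlier, and nothing in this hunk requests TLS, so the Directory Manager password would cross the connection unprotected unless ldap2 secures it internally; since the target is installutils.get_fqdn(), an ldapi:// or TLS-protected URI would be worth considering. Separately, the handlers now catch errors.LDAPError, while the review earlier in this thread notes that a failed bind returns ACIError; please check that a bad password still reaches the "An error occurred while connecting to the server." branch rather than escaping as an unhandled exception.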
@@ -127,17 +129,15 @@ def main():
 # Make a quick hack foir now, directly delete the entries by name,
 # In future we should add 

Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-04-12 Thread Pavel Zuna

On 03/30/2010 10:27 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This is the first in a series of patches, that replace all the legacy
code from v1 related to LDAP. I did some limited testing of the
installer after this patch and nothing seems to break, but I didn't do
replicas etc...

Pavel


nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel


I'm not sure if you attached the wrong patch or not (it's dated 3/24)
but things are still not working:

# ipa-replica-install replica-info-tiger.example.com.gpg
Directory Manager (existing master) password:

creation of replica failed: 'Env' object has no attribute 'basedn'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

rob

Sorry for a late reply. Here's a patch that should finally work. I did a lot
more testing and setting up a replica went smoothly every time.


Pavel


0001-Use-ldap2-instead-of-legacy-LDAP-code-from-v1-in-ins.patch
Description: application/mbox

Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-03-30 Thread Pavel Zuna

On 03/23/2010 09:40 PM, Rob Crittenden wrote:

Pavel Zuna wrote:

This is the first in a series of patches, that replace all the legacy
code from v1 related to LDAP. I did some limited testing of the
installer after this patch and nothing seems to break, but I didn't do
replicas etc...

Pavel


nack. This breaks at least ipa-replica-manage, ipa-replica-prepare,
ipa-server-certinstall and ipa-replica-install.

rob

Fixed patch attached.

Pavel


0001-Use-ldap2-instead-of-legacy-LDAP-code-from-v1-in-ins.patch
Description: application/mbox

Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-03-23 Thread Rob Crittenden

Pavel Zuna wrote:
This is the first in a series of patches, that replace all the legacy 
code from v1 related to LDAP. I did some limited testing of the 
installer after this patch and nothing seems to break, but I didn't do 
replicas etc...


Pavel


nack. This breaks at least ipa-replica-manage, ipa-replica-prepare, 
ipa-server-certinstall and ipa-replica-install.


rob



Re: [Freeipa-devel] Use ldap2 instead of legacy LDAP code from v1 in installer scripts.

2010-03-16 Thread Rob Crittenden

Pavel Zuna wrote:
This is the first in a series of patches, that replace all the legacy 
code from v1 related to LDAP. I did some limited testing of the 
installer after this patch and nothing seems to break, but I didn't do 
replicas etc...


Pavel


A couple of comments:

- We return ACIError when a bind fails? Seems like we should throw some 
other exception in this case.


- In ipa-fix-CVE-2008-3274 (which as an aside I'm not sure we need to 
carry to IPAv2) you may need to change the reference to 
ipapython.config.config.default_server[0]. I'm not sure this is going to 
do the right thing.


- Is the mod from ipa-fix-CVE-2008-3274 going to do a delete/add or a 
replace? I think it needs to be a replace so this attribute may need to 
be added to the replace exception list. I think it might be covered 
because we are doing just one operation on it.


- In ipa-server-install you added an import for ipalib.util but it 
doesn't seem to be used anywhere.


None of these are show stoppers. I'll continue looking at the patch, 
this one is going to take a while to test out.


rob
