Re: [Freeipa-users] QA:Testcase freeipav3 automount
On 05/25/2013 08:01 PM, Dmitri Pal wrote:
> On 05/25/2013 11:07 AM, Dean Hunter wrote:
>> A couple of months ago I found in the Test Day pages of the Fedora Project Wiki a wealth of How to instructions in the prerequisites and the test cases. In my experience, reference manuals, man pages and help displays are useful for researching specific questions, but they are not usually task oriented. The Test Day pages are wonderfully task oriented.
>>
>> More recently using Google I found QA:Testcase freeipav3 automount, but discovered it was not linked to the 18 April test cases. I was wondering why? Is it because auto-mount is not a new feature in FreeIPA 3.2.0 and you were not asking for regression testing? Are there other pages that document regression tests? Are the instructions for auto-mount still valid?
>
> The specific page you are asking about is linked to a previous test day.
> https://fedoraproject.org/wiki/Test_Day:2012-10-15_FreeIPA

Exactly. In FreeIPA Fedora Test Days our main focus is on new features, and as there were no changes in the automount feature in FreeIPA 3.2.0 we did not include it in the Fedora 19 test day page.

Old test day pages are not guaranteed to function with the most up-to-date FreeIPA version. Old features should be covered by information in the User guide or the FreeIPA.org wiki.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] user-custom script
Hi,

A while back I got some help writing a python script that extends the user classes in ipalib to run a custom command when a user is added/modified/deleted. This has been working perfectly in our production environment for a few years now, until I upgraded to IPA 3.0 last week. The custom script is no longer executed.

Did the libraries change since 2.2?

The script sits in /usr/lib/python2.6/site-packages/ipalib/plugins/user-custom.py and looks like:

    #
    # Extension to provide user-customizable script when a user is added/modified/deleted
    #

    from ipapython import ipautil

    # Extend add

    from ipalib.plugins.user import user_add

    def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('User added')
        if 'ipa_user_script' in inst.api.env:
            try:
                ipautil.run([inst.api.env.ipa_user_script, "add", dn])
            except:
                pass

        return dn

    user_add.register_post_callback(script_post_add_callback)

    # Extend delete

    from ipalib.plugins.user import user_del

    def script_post_del_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('User deleted')
        if 'ipa_user_script' in inst.api.env:
            try:
                ipautil.run([inst.api.env.ipa_user_script, "del", dn])
            except:
                pass

        return dn

    user_del.register_post_callback(script_post_del_callback)

    # Extend modify

    from ipalib.plugins.user import user_mod

    def script_post_mod_callback(inst, ldap, dn, attrs_list, *keys, **options):
        inst.log.info('User modified')
        if 'ipa_user_script' in inst.api.env:
            try:
                ipautil.run([inst.api.env.ipa_user_script, "mod", dn])
            except:
                pass

        return dn

    user_mod.register_post_callback(script_post_mod_callback)
Re: [Freeipa-users] user-custom script
On 05/27/2013 12:50 PM, Sigbjorn Lie wrote:
> Hi,
>
> A while back I got some help writing a python script that extends the user classes in ipalib to run a custom command when a user is added/modified/deleted. This has been working perfectly in our production environment for a few years now, until I upgraded to IPA 3.0 last week. The custom script is no longer executed.
>
> Did the libraries change since 2.2?
>
> The script sits in /usr/lib/python2.6/site-packages/ipalib/plugins/user-custom.py and looks like:
>
> #
> # Extension to provide user-customizable script when a user is added/modified/deleted
> #
>
> from ipapython import ipautil
>
> # Extend add
>
> from ipalib.plugins.user import user_add
>
> def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>     inst.log.info('User added')
>     if 'ipa_user_script' in inst.api.env:
>         try:
>             ipautil.run([inst.api.env.ipa_user_script, "add", dn])
>         except:
>             pass
>
>     return dn
>
> user_add.register_post_callback(script_post_add_callback)
>
> # Extend delete
>
> from ipalib.plugins.user import user_del
>
> def script_post_del_callback(inst, ldap, dn, attrs_list, *keys, **options):
>     inst.log.info('User deleted')
>     if 'ipa_user_script' in inst.api.env:
>         try:
>             ipautil.run([inst.api.env.ipa_user_script, "del", dn])
>         except:
>             pass
>
>     return dn
>
> user_del.register_post_callback(script_post_del_callback)
>
> # Extend modify
>
> from ipalib.plugins.user import user_mod
>
> def script_post_mod_callback(inst, ldap, dn, attrs_list, *keys, **options):
>     inst.log.info('User modified')
>     if 'ipa_user_script' in inst.api.env:
>         try:
>             ipautil.run([inst.api.env.ipa_user_script, "mod", dn])
>         except:
>             pass
>
>     return dn
>
> user_mod.register_post_callback(script_post_mod_callback)

Hello Sigbjorn,

There were changes related to callback registration in 3.0:
https://fedorahosted.org/freeipa/ticket/2674

Adding Petr Viktorin to CC to advise how to fix this issue.

Martin
Re: [Freeipa-users] user-custom script
On 05/27/2013 12:50 PM, Sigbjorn Lie wrote:
> Hi,
>
> A while back I got some help writing a python script that extends the user classes in ipalib to run a custom command when a user is added/modified/deleted. This has been working perfectly in our production environment for a few years now, until I upgraded to IPA 3.0 last week. The custom script is no longer executed.
>
> Did the libraries change since 2.2?

Hello,

Yes, IPA did change, though not in the callback registration API. See comment below.

> The script sits in /usr/lib/python2.6/site-packages/ipalib/plugins/user-custom.py and looks like:
>
> #
> # Extension to provide user-customizable script when a user is added/modified/deleted
> #
>
> from ipapython import ipautil
>
> # Extend add
>
> from ipalib.plugins.user import user_add
>
> def script_post_add_callback(inst, ldap, dn, attrs_list, *keys, **options):
>     inst.log.info('User added')
>     if 'ipa_user_script' in inst.api.env:
>         try:
>             ipautil.run([inst.api.env.ipa_user_script, "add", dn])
>         except:
>             pass

First of all, you can add better logging so you can diagnose errors more easily, e.g.:

    try:
        ipautil.run([inst.api.env.ipa_user_script, "add", dn])
    except Exception, e:
        inst.log.error("ipa_user_script: Exception: %s", e)

With this change, I can see the following line in the server log:

    ipa: ERROR: ipa_user_script: Exception: sequence item 2: expected string or Unicode, DN found

The error is due to DN refactoring (https://fedorahosted.org/freeipa/ticket/1670). All DNs throughout IPA are now represented by DN objects. To use them as strings you need to convert them explicitly:

    ipautil.run([inst.api.env.ipa_user_script, "add", str(dn)])

The same change is needed in the other three cases.

The modified code should still work under IPA 2.2.

Let me know if you're having more trouble.

>     return dn
>
> user_add.register_post_callback(script_post_add_callback)
>
> # Extend delete
>
> from ipalib.plugins.user import user_del
>
> def script_post_del_callback(inst, ldap, dn, attrs_list, *keys, **options):
>     inst.log.info('User deleted')
>     if 'ipa_user_script' in inst.api.env:
>         try:
>             ipautil.run([inst.api.env.ipa_user_script, "del", dn])
>         except:
>             pass
>
>     return dn
>
> user_del.register_post_callback(script_post_del_callback)
>
> # Extend modify
>
> from ipalib.plugins.user import user_mod
>
> def script_post_mod_callback(inst, ldap, dn, attrs_list, *keys, **options):
>     inst.log.info('User modified')
>     if 'ipa_user_script' in inst.api.env:
>         try:
>             ipautil.run([inst.api.env.ipa_user_script, "mod", dn])
>         except:
>             pass
>
>     return dn
>
> user_mod.register_post_callback(script_post_mod_callback)

--
Petr³
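The failure and fix discussed in the reply above, as an added example that is not part of the thread or of FreeIPA: a DN object in the argument list makes the call fail before the script starts, and logging the exception instead of swallowing it makes that visible. It uses Python 3's subprocess in place of ipautil.run; FakeDN, run_hook, the action allowlist, DEMO_SCRIPT and DEMO_DN are constructed stand-ins.

```python
import logging
import subprocess
import sys

log = logging.getLogger("user_custom_demo")

class FakeDN(object):
    """Constructed stand-in for an IPA 3.0 DN object: not a string, but str() renders it."""
    def __init__(self, *rdns):
        self.rdns = rdns

    def __str__(self):
        return ",".join("%s=%s" % rdn for rdn in self.rdns)

# Constructed sample data: a child process that echoes the DN argument it receives.
DEMO_SCRIPT = [sys.executable, "-c", "import sys; print(sys.argv[2])"]
DEMO_DN = FakeDN(("uid", "jdoe"), ("cn", "users"), ("cn", "accounts"),
                 ("dc", "example"), ("dc", "loc"))
ACTIONS = ("add", "mod", "del")  # the three actions the posted plugin passes

def run_hook(script_argv, action, dn, convert=True):
    """Run the hook with an argv list (no shell); return (ok, detail).

    convert=False reproduces the pre-fix call that passes the DN object itself.
    """
    if action not in ACTIONS:
        raise ValueError("unknown action: %r" % (action,))
    argv = list(script_argv) + [action, str(dn) if convert else dn]
    try:
        out = subprocess.check_output(argv)
    except Exception as e:
        # Log instead of 'except: pass', so a broken hook shows up in the log.
        log.error("ipa_user_script: Exception: %s", e)
        return False, type(e).__name__
    return True, out.decode().strip()

def demo():
    """Return the results of the unconverted call and of the converted call."""
    before = run_hook(DEMO_SCRIPT, "add", DEMO_DN, convert=False)
    after = run_hook(DEMO_SCRIPT, "add", DEMO_DN, convert=True)
    return before, after

if __name__ == "__main__":
    logging.basicConfig()
    print(demo())
```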
[Freeipa-users] Authenticating Apache through FreeIPA
Hello,

This seems well documented, but I can't seem to get it working. Not sure what I am missing. I will try to go over it and hopefully someone may notice why I am failing.

I got a system enrolled to IPA and it's running:

    httpd-2.2.15-28.el6.centos.x86_64
    mod_auth_kerb-5.4-9.el6.x86_64
    mod_authnz_external-3.2.6-1.el6.x86_64

I initially tried to authenticate against LDAP directly, but it didn't work at all. I believe FreeIPA only uses LDAP for authorization and Kerberos for authentication. Is this observation correct? I mean, can one deal with LDAP directly in this setup?

For Kerberos, went to the IPA server and generated a key tab:

    [root@ipa1-yyz-int wmuriithi]# kinit admin
    Password for ad...@example.loc:
    [root@ipa1-yyz-int wmuriithi]# ipa service-add HTTP/git1.example@example.loc
    ---
    Added service HTTP/git1.example@example.loc
    ---
      Principal: HTTP/git1.example@example.loc
      Managed by: git1.example.com
    [root@ipa1-yyz-int wmuriithi]# ipa-getkeytab -s ipa1-yyz-int.example.loc -p HTTP/git1.example.com -k /tmp/httpd.keytab
    Keytab successfully retrieved and stored in: /tmp/httpd.keytab
    [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50: /etc/httpd/conf/
    The authenticity of host '10.10.10.50 (no hostip for proxy command)' can't be established.
    RSA key fingerprint is cc:83:9c:95:bf:c6:a0:a4:a0:0a:dd:5a:85:85:bf:1e.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.10.10.50' (RSA) to the list of known hosts.
    root@10.10.10.50's password:
    [root@ipa1-yyz-int wmuriithi]# scp /tmp/httpd.keytab root@10.10.10.50: /etc/httpd/conf/

Then from the IPA client 10.10.10.50, I have this basic change. The bottom part is the only pertinent section, but I posted the whole file in case I have done something silly somewhere else.

    <VirtualHost *:80>
        ServerName git1.example.com
        ServerAlias git
        DocumentRoot /var/www/git
        <Directory /var/www/git>
            Options None
            AllowOverride none
            Order allow,deny
            Allow from all
        </Directory>

        SuexecUserGroup gitolite3 gitolite3

        # Set up appropriate GIT environments
        SetEnv GIT_PROJECT_ROOT /var/lib/gitolite3/repositories
        SetEnv GIT_HTTP_EXPORT_ALL
        SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

        # Set up appropriate gitolite environments
        SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite3

        ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
        ScriptAlias /gitmob/ /var/www/bin/gitolite-suexec-wrapper.sh/

        <Location /git>
            # SSLRequireSSL
            AuthType Kerberos
            AuthName "Kerberos Login"
            KrbMethodNegotiate On
            KrbMethodK5Passwd Off
            KrbAuthRealms EXAMPLE.LOC
            Krb5KeyTab /etc/httpd/conf/httpd.keytab
            require valid-user
        </Location>
    </VirtualHost>

When I test it with a browser, I get the following error:

    [Mon May 27 12:55:18 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 configured -- resuming normal operations
    [Mon May 27 12:55:38 2013] [error] [client 10.10.10.231] user william: authentication failure for /git: Password Mismatch

I can ssh in to the server with the same account password, so log in details should be fine.

All I want to achieve is basic authentication, but I seem to be missing something. Any pointers?

Regards,
William