Re: [Freeipa-users] FreeIPA + Ipsilon

2014-08-07 Thread Luca Tartarini
Hi,

thanks for the reply, with Cherrypy 3.2.2 it works. Unfortunately now when
I try to login with 'admin' account ('admin' user created previously during
the installation of ipa-server) I can't see the Administration tab.
Basically this condition (in /usr/share/ipsilon/templates/index.html) is
not satisfied:

{% if user.is_admin %}
  <a href="{{ basepath }}/admin" id="admin">Administration</a> |
{% endif %}

For ipsilon-server installation I run:

ipsilon-server-install --secure=no --ipa=yes --krb=yes

because I read that 'admin' is default.
When I login with 'admin' in IPA Identity Management it is all ok (I login
as administrator), with IPSILON I can login but not as administrator.

I used the last version of jinja2 (jinja2 2.7.2).

Log of ipsilon-server-install:

[2014-08-07 17:48:11,242] Intallation arguments:
[2014-08-07 17:48:11,242] admin_user: admin
[2014-08-07 17:48:11,242] config_profile: None
[2014-08-07 17:48:11,242] hostname: ltartari3.cern.ch
[2014-08-07 17:48:11,242] instance: idp
[2014-08-07 17:48:11,242] ipa: yes
[2014-08-07 17:48:11,243] krb: yes
[2014-08-07 17:48:11,243] krb_httpd_keytab: /etc/httpd/conf/http.keytab
[2014-08-07 17:48:11,243] krb_realms: None
[2014-08-07 17:48:11,243] lm_order: ['krb']
[2014-08-07 17:48:11,243] pam: no
[2014-08-07 17:48:11,243] pam_service: remote
[2014-08-07 17:48:11,243] saml2: yes
[2014-08-07 17:48:11,243] secure: no
[2014-08-07 17:48:11,243] server_debugging: False
[2014-08-07 17:48:11,244] system_user: ipsilon
[2014-08-07 17:48:11,244] testauth: no
[2014-08-07 17:48:11,244] uninstall: False
[2014-08-07 17:48:11,244] Installation initiated
[2014-08-07 17:48:11,244] Installing default config files
[2014-08-07 17:48:11,461] Configuring environment helpers
Searching for keytab in: /etc/httpd/conf/http.keytab ... Found!
Searching for keytab in: /etc/httpd/conf/ipa.keytab ... Found!
[2014-08-07 17:48:11,486] Configuring login managers
Cannot set persistent booleans without managed policy.
[2014-08-07 17:48:12,126] Configuring Authentication Providers
Generating a 2048 bit RSA private key
.+++
..+++
writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key'
-
Installation complete.
Please restart HTTPD to enable the IdP instance.


Thanks in advance.

Luca Tartarini


2014-08-06 17:37 GMT+02:00 Simo Sorce sso...@redhat.com:

 On Wed, 2014-08-06 at 17:20 +0200, Luca Tartarini wrote:
  Hi,
 
  Thanks for the replies. I updated the line with:
 
  plugins_by_name = dict((p.name, p) for p in
 self._site[FACILITY]['enabled'])
 
  and it works (the installation is completed successfully).
 
  But now when I try to connect to:
 
   https://myidp.example.com/idp
 
  or I try to configure ipsilon-client (ipsilon-client-install ...) I got
  HTTP 500 Internal Error (with ipsilon background). I put debug = True
  in /etc/ipsilon/idp/ipsilon.conf and I got this (in
  /var/log/httpd/error_log):
 
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Available
  providers: ['saml2']
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  storage path: /var/lib/ipsilon/idp/saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  metadata file: metadata.xml
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  storage path: /var/lib/ipsilon/idp/saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
 key
  file: /var/lib/ipsilon/idp/saml2/idp.key
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  storage path: /var/lib/ipsilon/idp/saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2] idp
  certificate file: /var/lib/ipsilon/idp/saml2/idp.pem
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  IdP Provider
  registered: saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [saml2]
 enabled:
  1
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  IdP Provider
  enabled: saml2
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
  plugin: krb
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
  plugin: pam
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] username
  text: Username
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] password
  text: Password
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] service
  name: remote
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [pam] help
 text:
  Insert your Username and Password and then submit.
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  Admin login
  plugin: testauth
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
  username text: Username
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
  password text: Password
  [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  [testauth]
 help
  text: Insert your Username and Password and then submit.
  [Wed Aug

Re: [Freeipa-users] FreeIPA + Ipsilon

2014-08-06 Thread Luca Tartarini
/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py,
line 268, in load
[Wed Aug 06 16:22:09 2014] [error] data = self._load()
[Wed Aug 06 16:22:09 2014] [error]   File
/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py,
line 497, in _load
[Wed Aug 06 16:22:09 2014] [error] assert self.locked, (The session
load without being locked.  
[Wed Aug 06 16:22:09 2014] [error] AssertionError: The session load without
being locked.  Check your tools' priority levels.
[Wed Aug 06 16:22:09 2014] [error]
[Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] HTTP
[Wed Aug 06 16:22:09 2014] [error] Request Headers:
[Wed Aug 06 16:22:09 2014] [error]   COOKIE:
__utma=203412483.1716219377.1393273532.1393273532.1398882487.2;
__utmz=203412483.1398882487.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
_ga=GA1.2.1716219377.1393273532;
session_id=0942ebacef3fbcf8f9b21605013b5dfa1454bc93
[Wed Aug 06 16:22:09 2014] [error]   ACCEPT-LANGUAGE:
it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4,fr;q=0.2
[Wed Aug 06 16:22:09 2014] [error]   USER-AGENT: Mozilla/5.0 (X11; Linux
x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.132
Safari/537.36
[Wed Aug 06 16:22:09 2014] [error]   CONNECTION: keep-alive
[Wed Aug 06 16:22:09 2014] [error]   Remote-Addr: 128.141.28.32
[Wed Aug 06 16:22:09 2014] [error]   HOST: ltartari3.cern.ch
[Wed Aug 06 16:22:09 2014] [error]   CACHE-CONTROL: max-age=0
[Wed Aug 06 16:22:09 2014] [error]   ACCEPT:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
[Wed Aug 06 16:22:09 2014] [error]   ACCEPT-ENCODING: gzip,deflate,sdch
[Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] HTTP Traceback
(most recent call last):
[Wed Aug 06 16:22:09 2014] [error]   File
/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py,
line 667, in respond
[Wed Aug 06 16:22:09 2014] [error] self.hooks.run('before_handler')
[Wed Aug 06 16:22:09 2014] [error]   File
/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py,
line 114, in run
[Wed Aug 06 16:22:09 2014] [error] raise exc
[Wed Aug 06 16:22:09 2014] [error] AssertionError: The session load without
being locked.  Check your tools' priority levels.
[Wed Aug 06 16:22:09 2014] [error]
[Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09]  ['500 Internal
Server Error', 'The server encountered an unexpected condition which
prevented it from fulfilling the request.', 'Traceback (most recent call
last):\\n  File
/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py,
line 667, in respond\\nself.hooks.run(\\'before_handler\\')\\n  File
/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py,
line 114, in run\\nraise exc\\nAssertionError: The session load without
being locked.  Check your tools\\' priority levels.\\n', '3.5.0']

and obviously GET /idp/ HTTP/1.1 500 1054 in /var/log/httpd/access_log

Cherrypy bug?

Thanks.

Luca Tartarini





2014-08-05 20:33 GMT+02:00 Petr Viktorin pvikt...@redhat.com:

 On 08/05/2014 07:48 PM, Simo Sorce wrote:

 On Tue, 2014-08-05 at 17:47 +0200, Luca Tartarini wrote:

 [...]

  with HTTP 500 Internal Server Error (GET /idp HTTP/1.1 500 619)

 The line is this one (in
 /usr/lib/python2.6/site-packages/ipsilon/admin/login.py):

 plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}


 Uhmm python 2.6, I think it does not support dict comprehension.
 You can replace this line with:
 dict([p.name, p for p in self._site[FACILITY]['enabled']])



 dict((p.name, p) for p in self._site[FACILITY]['enabled'])


 (You need the parens around (p.name, p))

 --
 Petr³


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
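
The SyntaxError discussed in this message comes from syntax that Python 2.6 cannot parse. The following is an added example, not code from the thread or from Ipsilon: it walks a source file's AST and reports such constructs before deployment to an EL6 host. It assumes the source parses under the Python 3 interpreter running the check; the FACILITY value and the stub class are placeholders.

```python
import ast

# Constructed sample: the failing line quoted in the thread, wrapped in a
# stub class so it parses on its own, plus the 2.6-safe form from the reply.
SAMPLE_BROKEN = '''\
FACILITY = 'facility_placeholder'  # placeholder, not Ipsilon's real value
class LoginPlugins(object):
    def __init__(self, site):
        self._site = site
        plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}
'''
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "{p.name: p for p in self._site[FACILITY]['enabled']}",
    "dict((p.name, p) for p in self._site[FACILITY]['enabled'])")

# Syntax introduced in Python 2.7 that raises SyntaxError on 2.6.
POST_26_NODES = {
    ast.DictComp: "dict comprehension",
    ast.SetComp: "set comprehension",
    ast.Set: "set literal",
}


def find_py26_breakers(source, filename="<string>"):
    """Return sorted (line, description) pairs for 2.7+-only syntax."""
    tree = ast.parse(source, filename=filename)
    hits = []
    for node in ast.walk(tree):
        label = POST_26_NODES.get(type(node))
        if label:
            hits.append((node.lineno, label))
        elif isinstance(node, ast.With) and len(node.items) > 1:
            # "with a() as x, b() as y:" also arrived in 2.7
            hits.append((node.lineno, "with statement with multiple managers"))
    return sorted(hits)


if __name__ == "__main__":
    for name, src in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, find_py26_breakers(src))
```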

Re: [Freeipa-users] FreeIPA + Ipsilon

2014-08-05 Thread Luca Tartarini
Hi, thanks for the replies.

I finally managed to install lasso correctly (without lasso-python) but
after the installation of ipsilon-server (ipsilon-server-install --ipa=yes
--secure=no) when I try to connect via browser to:

https://myidp.example.com/idp

I had this error:

[error] mod_wsgi (pid=22357): Target WSGI script '/usr/sbin/ipsilon' cannot be loaded as Python module.
[error] mod_wsgi (pid=22357): Exception occurred processing WSGI script '/usr/sbin/ipsilon'.
[error] Traceback (most recent call last):
[error]   File "/usr/sbin/ipsilon", line 28, in <module>
[error]     from ipsilon.root import Root
[error]   File "/usr/lib/python2.6/site-packages/ipsilon/root.py", line 26, in <module>
[error]     from ipsilon.admin.login import LoginPlugins
[error]   File "/usr/lib/python2.6/site-packages/ipsilon/admin/login.py", line 48
[error]     plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}
[error]  ^
[error] SyntaxError: invalid syntax

with HTTP 500 Internal Server Error (GET /idp HTTP/1.1 500 619)

The line is this one (in
/usr/lib/python2.6/site-packages/ipsilon/admin/login.py):

plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}

The same thing if I try:

ipsilon-client-install --saml-idp-metadata
https://myidp.example.org/idp/saml2/metadata --debug

Thanks in advance.

Luca Tartarini



2014-07-31 13:11 GMT+02:00 Simo Sorce sso...@redhat.com:

 On Thu, 2014-07-31 at 09:53 +0200, Luca Tartarini wrote:
  Hi,
 
  Thanks for the reply, unfortunately I can not find the package on
  Scientific Linux, is there a workaround?

 I saw from the lasso mailing list that you built the lasso package
 yourself, make sure you built the python bindings, they are part of the
 same source tree.

 Attached find a .spec file you can use to build lasso on EL6 platforms,
 until it will become available officially.

 This will build and install the python binding correctly.

 Simo.

  Thanks.
 
  Luca Tartarini
 
 
  2014-07-30 15:00 GMT+02:00 Simo Sorce sso...@redhat.com:
 
   On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
On 07/29/2014 03:47 PM, Luca Tartarini wrote:
 Hi everyone,

 I am new in FreeIPA, I am trying to configure FreeIPA with
 Ipsilon. The
 configuration is the following: Service Provider (host with
 Scientific
 Linux 6) with ipsilon-client and Identity Provider (another host
 with
 Scientific Linux 6) with FreeIPA and ipsilon-server, is the
   configuration
 feasible and/or correct?
 If it is, then I am stuck in the installation of ipsilon-client
 because
 after I installed lasso-2.3.6 and all the ipsilon-client
 prerequisites,
 when I finally run:

 ipsilon-client-install --saml-idp-metadata
 https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki

 I get this error about lasso:

 Traceback (most recent call last):
   File /usr/bin/ipsilon-client-install, line 20, in module
 from ipsilon.tools.saml2metadata import Metadata
   File
   /usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py,
 line 22, in module
 import lasso
   File /usr/lib/python2.6/site-packages/lasso.py, line 3, in
 module
 import _lasso
 ImportError: No module named _lasso

 Does anyone know if it's a problem about lasso's configuration or I
   forgot
 something about ipsilon-client?

 Thanks in advance.

 Luca Tartarini
   
Not sure, _lasso.so should be provided by lasso-python package:
   
# rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
lasso-python-2.4.0-4.el6.x86_64
   
CCing Simo to advise.
  
   Sounds like lasso-python is missing indeed.
  
   Simo.
  
  
  




Re: [Freeipa-users] FreeIPA + Ipsilon

2014-07-31 Thread Luca Tartarini
Hi,

Thanks for the reply, unfortunately I can not find the package on
Scientific Linux, is there a workaround?

Thanks.

Luca Tartarini


2014-07-30 15:00 GMT+02:00 Simo Sorce sso...@redhat.com:

 On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
  On 07/29/2014 03:47 PM, Luca Tartarini wrote:
   Hi everyone,
  
   I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
   configuration is the following: Service Provider (host with Scientific
   Linux 6) with ipsilon-client and Identity Provider (another host with
   Scientific Linux 6) with FreeIPA and ipsilon-server, is the
 configuration
   feasible and/or correct?
   If it is, then I am stuck in the installation of ipsilon-client because
   after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
   when I finally run:
  
   ipsilon-client-install --saml-idp-metadata
   https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
  
   I get this error about lasso:
  
   Traceback (most recent call last):
 File /usr/bin/ipsilon-client-install, line 20, in module
   from ipsilon.tools.saml2metadata import Metadata
 File
 /usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py,
   line 22, in module
   import lasso
 File /usr/lib/python2.6/site-packages/lasso.py, line 3, in module
   import _lasso
   ImportError: No module named _lasso
  
   Does anyone know if it's a problem about lasso's configuration or I
 forgot
   something about ipsilon-client?
  
   Thanks in advance.
  
   Luca Tartarini
 
  Not sure, _lasso.so should be provided by lasso-python package:
 
  # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
  lasso-python-2.4.0-4.el6.x86_64
 
  CCing Simo to advise.

 Sounds like lasso-python is missing indeed.

 Simo.




[Freeipa-users] FreeIPA + Ipsilon

2014-07-29 Thread Luca Tartarini
Hi everyone,

I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
configuration is the following: Service Provider (host with Scientific
Linux 6) with ipsilon-client and Identity Provider (another host with
Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
feasible and/or correct?
If it is, then I am stuck in the installation of ipsilon-client because
after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
when I finally run:

ipsilon-client-install --saml-idp-metadata
https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki

I get this error about lasso:

Traceback (most recent call last):
  File "/usr/bin/ipsilon-client-install", line 20, in <module>
    from ipsilon.tools.saml2metadata import Metadata
  File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in <module>
    import lasso
  File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in <module>
    import _lasso
ImportError: No module named _lasso

Does anyone know if it's a problem about lasso's configuration or I forgot
something about ipsilon-client?

Thanks in advance.

Luca Tartarini