Re: [Freeipa-users] FreeIPA + Ipsilon
Hi,

thanks for the reply, with Cherrypy 3.2.2 it works.

Unfortunately now when I try to login with 'admin' account ('admin' user created previously during the installation of ipa-server) I can't see the Administration tab. Basically this condition (in /usr/share/ipsilon/templates/index.html) is not satisfied:

    {% if user.is_admin %}
    <a href={{ basepath }}/admin id=admin>Administration</a> |
    {% endif %}

For ipsilon-server installation I run:

    ipsilon-server-install --secure=no --ipa=yes --krb=yes

because I read that 'admin' is default. When I login with 'admin' in IPA Identity Management it is all ok (I login as administrator), with IPSILON I can login but not as administrator. I used the last version of jinja2 (jinja2 2.7.2).

Log of ipsilon-server-install:

    [2014-08-07 17:48:11,242] Intallation arguments:
    [2014-08-07 17:48:11,242] admin_user: admin
    [2014-08-07 17:48:11,242] config_profile: None
    [2014-08-07 17:48:11,242] hostname: ltartari3.cern.ch
    [2014-08-07 17:48:11,242] instance: idp
    [2014-08-07 17:48:11,242] ipa: yes
    [2014-08-07 17:48:11,243] krb: yes
    [2014-08-07 17:48:11,243] krb_httpd_keytab: /etc/httpd/conf/http.keytab
    [2014-08-07 17:48:11,243] krb_realms: None
    [2014-08-07 17:48:11,243] lm_order: ['krb']
    [2014-08-07 17:48:11,243] pam: no
    [2014-08-07 17:48:11,243] pam_service: remote
    [2014-08-07 17:48:11,243] saml2: yes
    [2014-08-07 17:48:11,243] secure: no
    [2014-08-07 17:48:11,243] server_debugging: False
    [2014-08-07 17:48:11,244] system_user: ipsilon
    [2014-08-07 17:48:11,244] testauth: no
    [2014-08-07 17:48:11,244] uninstall: False
    [2014-08-07 17:48:11,244] Installation initiated
    [2014-08-07 17:48:11,244] Installing default config files
    [2014-08-07 17:48:11,461] Configuring environment helpers
    Searching for keytab in: /etc/httpd/conf/http.keytab ... Found!
    Searching for keytab in: /etc/httpd/conf/ipa.keytab ... Found!
    [2014-08-07 17:48:11,486] Configuring login managers
    Cannot set persistent booleans without managed policy.
    [2014-08-07 17:48:12,126] Configuring Authentication Providers
    Generating a 2048 bit RSA private key
    .+++
    ..+++
    writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key'
    -
    Installation complete.
    Please restart HTTPD to enable the IdP instance.

Thanks in advance.

Luca Tartarini

2014-08-06 17:37 GMT+02:00 Simo Sorce sso...@redhat.com:

On Wed, 2014-08-06 at 17:20 +0200, Luca Tartarini wrote:

Hi,

Thanks for the replies. I updated the line with:

    plugins_by_name = dict((p.name, p) for p in self._site[FACILITY]['enabled'])

and it works (the installation is completed successfully). But now when I try to connect to:

    https://myidp.example.com/idp

or I try to configure ipsilon-client (ipsilon-client-install ...) I got HTTP 500 Internal Error (with ipsilon background). I put debug = True in /etc/ipsilon/idp/ipsilon.conf and I got this (in /var/log/httpd/error_log):

    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Available providers: ['saml2']
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp storage path: /var/lib/ipsilon/idp/saml2
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp metadata file: metadata.xml
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp storage path: /var/lib/ipsilon/idp/saml2
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp key file: /var/lib/ipsilon/idp/saml2/idp.key
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp storage path: /var/lib/ipsilon/idp/saml2
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp certificate file: /var/lib/ipsilon/idp/saml2/idp.pem
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider registered: saml2
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] enabled: 1
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider enabled: saml2
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login plugin: krb
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login plugin: pam
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] username text: Username
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] password text: Password
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] service name: remote
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] help text: Insert your Username and Password and then submit.
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login plugin: testauth
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] username text: Username
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] password text: Password
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] help text: Insert your Username and Password and then submit.
    [Wed Aug
Re: [Freeipa-users] FreeIPA + Ipsilon
    /site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py, line 268, in load
    [Wed Aug 06 16:22:09 2014] [error] data = self._load()
    [Wed Aug 06 16:22:09 2014] [error] File /usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py, line 497, in _load
    [Wed Aug 06 16:22:09 2014] [error] assert self.locked, (The session load without being locked.
    [Wed Aug 06 16:22:09 2014] [error] AssertionError: The session load without being locked. Check your tools' priority levels.
    [Wed Aug 06 16:22:09 2014] [error]
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] HTTP
    [Wed Aug 06 16:22:09 2014] [error] Request Headers:
    [Wed Aug 06 16:22:09 2014] [error] COOKIE: __utma=203412483.1716219377.1393273532.1393273532.1398882487.2; __utmz=203412483.1398882487.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); _ga=GA1.2.1716219377.1393273532; session_id=0942ebacef3fbcf8f9b21605013b5dfa1454bc93
    [Wed Aug 06 16:22:09 2014] [error] ACCEPT-LANGUAGE: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4,fr;q=0.2
    [Wed Aug 06 16:22:09 2014] [error] USER-AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.132 Safari/537.36
    [Wed Aug 06 16:22:09 2014] [error] CONNECTION: keep-alive
    [Wed Aug 06 16:22:09 2014] [error] Remote-Addr: 128.141.28.32
    [Wed Aug 06 16:22:09 2014] [error] HOST: ltartari3.cern.ch
    [Wed Aug 06 16:22:09 2014] [error] CACHE-CONTROL: max-age=0
    [Wed Aug 06 16:22:09 2014] [error] ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    [Wed Aug 06 16:22:09 2014] [error] ACCEPT-ENCODING: gzip,deflate,sdch
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] HTTP Traceback (most recent call last):
    [Wed Aug 06 16:22:09 2014] [error] File /usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py, line 667, in respond
    [Wed Aug 06 16:22:09 2014] [error] self.hooks.run('before_handler')
    [Wed Aug 06 16:22:09 2014] [error] File /usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py, line 114, in run
    [Wed Aug 06 16:22:09 2014] [error] raise exc
    [Wed Aug 06 16:22:09 2014] [error] AssertionError: The session load without being locked. Check your tools' priority levels.
    [Wed Aug 06 16:22:09 2014] [error]
    [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] ['500 Internal Server Error', 'The server encountered an unexpected condition which prevented it from fulfilling the request.', 'Traceback (most recent call last):\\n File /usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py, line 667, in respond\\nself.hooks.run(\\'before_handler\\')\\n File /usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py, line 114, in run\\nraise exc\\nAssertionError: The session load without being locked. Check your tools\\' priority levels.\\n', '3.5.0']

and obviously

    GET /idp/ HTTP/1.1 500 1054

in /var/log/httpd/access_log

Cherrypy bug?

Thanks.

Luca Tartarini

2014-08-05 20:33 GMT+02:00 Petr Viktorin pvikt...@redhat.com:

On 08/05/2014 07:48 PM, Simo Sorce wrote:

On Tue, 2014-08-05 at 17:47 +0200, Luca Tartarini wrote:

[...] with HTTP 500 Internal Server Error (GET /idp HTTP/1.1 500 619)

The line is this one (in /usr/lib/python2.6/site-packages/ipsilon/admin/login.py):

    plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}

Uhmm python 2.6, I think it does not support dict comprehension. You can replace this line with:

    dict([p.name, p for p in self._site[FACILITY]['enabled']])

    dict((p.name, p) for p in self._site[FACILITY]['enabled'])

(You need the parens around (p.name, p))

--
Petr³

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
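
The Python 2.6 incompatibility discussed in the message above, as an added example that is not part of the original thread and is not Ipsilon code: a scanner, run with Python 3.9 or later, that finds dict comprehensions in a source text and emits the `dict(... for ...)` form that 2.6 accepts. It goes one step beyond the thread by also flagging set comprehensions, which 2.6 rejects the same way; the `enabled_plugins` wrapper and the set-comprehension line in the sample are constructed for illustration.

```python
import ast

# Constructed sample: the login.py line quoted in the thread, wrapped in a
# hypothetical method so it parses on its own, plus a set comprehension
# (also rejected by Python 2.6) added for illustration.
SAMPLE = '''\
def enabled_plugins(self):
    plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}
    names = {p.name for p in self._site[FACILITY]['enabled']}
    return plugins_by_name, names
'''


def find_py27_comprehensions(source, filename="<string>"):
    """Return sorted (lineno, kind, py26_rewrite) tuples for one source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.DictComp):
            # {k: v for ...}  ->  dict((k, v) for ...)
            elt = ast.Tuple(elts=[node.key, node.value], ctx=ast.Load())
            ctor, kind = "dict", "dict comprehension"
        elif isinstance(node, ast.SetComp):
            # {x for ...}  ->  set(x for ...)
            elt, ctor, kind = node.elt, "set", "set comprehension"
        else:
            continue
        gen = ast.GeneratorExp(elt=elt, generators=node.generators)
        # ast.unparse (Python 3.9+) already wraps a generator expression in
        # parentheses, so prefixing the constructor name yields a valid call.
        findings.append((node.lineno, kind, ctor + ast.unparse(gen)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind, rewrite in find_py27_comprehensions(SAMPLE):
        print("line %d: %s, Python 2.6 form: %s" % (lineno, kind, rewrite))
```

Running it over each `.py` file of a package before deploying to an EL6 host surfaces this class of SyntaxError ahead of the first request to the IdP.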
Re: [Freeipa-users] FreeIPA + Ipsilon
Hi,

thanks for the replies. I finally managed to install lasso correctly (without lasso-python) but after the installation of ipsilon-server (ipsilon-server-install --ipa=yes --secure=no) when I try to connect via browser to:

    https://myidp.example.com/idp

I had this error:

    [error] mod_wsgi (pid=22357): Target WSGI script '/usr/sbin/ipsilon' cannot be loaded as Python module.
    [error] mod_wsgi (pid=22357): Exception occurred processing WSGI script '/usr/sbin/ipsilon'.
    [error] Traceback (most recent call last):
    [error] File /usr/sbin/ipsilon, line 28, in <module>
    [error] from ipsilon.root import Root
    [error] File /usr/lib/python2.6/site-packages/ipsilon/root.py, line 26, in <module>
    [error] from ipsilon.admin.login import LoginPlugins
    [error] File /usr/lib/python2.6/site-packages/ipsilon/admin/login.py, line 48
    [error] plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}
    [error] ^
    [error] SyntaxError: invalid syntax

with HTTP 500 Internal Server Error (GET /idp HTTP/1.1 500 619)

The line is this one (in /usr/lib/python2.6/site-packages/ipsilon/admin/login.py):

    plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}

The same thing if I try:

    ipsilon-client-install --saml-idp-metadata https://myidp.example.org/idp/saml2/metadata --debug

Thanks in advance.

Luca Tartarini

2014-07-31 13:11 GMT+02:00 Simo Sorce sso...@redhat.com:

On Thu, 2014-07-31 at 09:53 +0200, Luca Tartarini wrote:

Hi,

Thanks for the reply, unfortunately I can not find the package on Scientific Linux, is there a workaround?

I saw from the lasso mailing list that you built the lasso package yourself, make sure you built the python bindings, they are part of the same source tree.

Attached find a .spec file you can use to build lasso on EL6 platforms, until it will become available officially. This will build and install the python binding correctly.

Simo.

Thanks.

Luca Tartarini

2014-07-30 15:00 GMT+02:00 Simo Sorce sso...@redhat.com:

On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:

On 07/29/2014 03:47 PM, Luca Tartarini wrote:

Hi everyone,

I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The configuration is the following: Service Provider (host with Scientific Linux 6) with ipsilon-client and Identity Provider (another host with Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration feasible and/or correct?

If it is, then I am stuck in the installation of ipsilon-client because after I installed lasso-2.3.6 and all the ipsilon-client prerequisites, when I finally run:

    ipsilon-client-install --saml-idp-metadata https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki

I get this error about lasso:

    Traceback (most recent call last):
    File /usr/bin/ipsilon-client-install, line 20, in <module>
    from ipsilon.tools.saml2metadata import Metadata
    File /usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py, line 22, in <module>
    import lasso
    File /usr/lib/python2.6/site-packages/lasso.py, line 3, in <module>
    import _lasso
    ImportError: No module named _lasso

Does anyone know if it's a problem about lasso's configuration or I forgot something about ipsilon-client?

Thanks in advance.

Luca Tartarini

Not sure, _lasso.so should be provided by lasso-python package:

    # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
    lasso-python-2.4.0-4.el6.x86_64

CCing Simo to advise.

Sounds like lasso-python is missing indeed.

Simo.
Re: [Freeipa-users] FreeIPA + Ipsilon
Hi,

Thanks for the reply, unfortunately I can not find the package on Scientific Linux, is there a workaround?

Thanks.

Luca Tartarini

2014-07-30 15:00 GMT+02:00 Simo Sorce sso...@redhat.com:

On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:

On 07/29/2014 03:47 PM, Luca Tartarini wrote:

Hi everyone,

I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The configuration is the following: Service Provider (host with Scientific Linux 6) with ipsilon-client and Identity Provider (another host with Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration feasible and/or correct?

If it is, then I am stuck in the installation of ipsilon-client because after I installed lasso-2.3.6 and all the ipsilon-client prerequisites, when I finally run:

    ipsilon-client-install --saml-idp-metadata https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki

I get this error about lasso:

    Traceback (most recent call last):
    File /usr/bin/ipsilon-client-install, line 20, in <module>
    from ipsilon.tools.saml2metadata import Metadata
    File /usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py, line 22, in <module>
    import lasso
    File /usr/lib/python2.6/site-packages/lasso.py, line 3, in <module>
    import _lasso
    ImportError: No module named _lasso

Does anyone know if it's a problem about lasso's configuration or I forgot something about ipsilon-client?

Thanks in advance.

Luca Tartarini

Not sure, _lasso.so should be provided by lasso-python package:

    # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
    lasso-python-2.4.0-4.el6.x86_64

CCing Simo to advise.

Sounds like lasso-python is missing indeed.

Simo.
[Freeipa-users] FreeIPA + Ipsilon
Hi everyone,

I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The configuration is the following: Service Provider (host with Scientific Linux 6) with ipsilon-client and Identity Provider (another host with Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration feasible and/or correct?

If it is, then I am stuck in the installation of ipsilon-client because after I installed lasso-2.3.6 and all the ipsilon-client prerequisites, when I finally run:

    ipsilon-client-install --saml-idp-metadata https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki

I get this error about lasso:

    Traceback (most recent call last):
    File /usr/bin/ipsilon-client-install, line 20, in <module>
    from ipsilon.tools.saml2metadata import Metadata
    File /usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py, line 22, in <module>
    import lasso
    File /usr/lib/python2.6/site-packages/lasso.py, line 3, in <module>
    import _lasso
    ImportError: No module named _lasso

Does anyone know if it's a problem about lasso's configuration or I forgot something about ipsilon-client?

Thanks in advance.

Luca Tartarini