Re: [Freeipa-users] FreeIPA, Ipsilon, Duo Security integration
On Thu, 2016-12-01 at 11:37 -0800, Mike Jacobacci wrote:
> Hi,
>
> As of now, we have FreeIPA/FreeRadius with OTP and Ipsilon working
> perfectly. Now, I am looking at possibly integrating Duo security instead
> of FreeIPA's 2FA. I am concerned about how it will fit in with Ipsilon and
> FreeIPA... Has anyone else tried this before? If so, are there any
> pitfalls or problems you have encountered or any general advice?

I think there are issues with the workflow Duo requires and the latency
(sending token via SMS and waiting for user to input).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA + Ipsilon
On Thu, 2014-08-07 at 17:49 +0200, Luca Tartarini wrote:
> Hi,
>
> thanks for the reply, with Cherrypy 3.2.2 it works. Unfortunately now when
> I try to login with 'admin' account ('admin' user created previously during
> the installation of ipa-server) I can't see the Administration tab.
> Basically this condition (in /usr/share/ipsilon/templates/index.html) is
> not satisfied:
>
> {% if user.is_admin %}
> Administration |
> {% endif %}
>
> For ipsilon-server installation I run:
>
> ipsilon-server-install --secure=no --ipa=yes --krb=yes
>
> because I read that 'admin' is default.
> When I login with 'admin' in IPA Identity Management it is all ok (I login
> as administrator), with IPSILON I can login but not as administrator.

Is this using kerberos authentication ? Or username/password ?

If Kerberos SSO then do you have KrbLocalUserMapping On in the section in
the file /etc/httpd/conf.g/ipsilon-idp.conf ?

If not then the user will be seen as admin@REALM and not considered the
same as the user "admin" by ipsilon.

Simo.

> I used the last version of jinja2 (jinja2 2.7.2).
> > Log of ipsilon-server-install: > > [2014-08-07 17:48:11,242] Intallation arguments: > [2014-08-07 17:48:11,242] admin_user: admin > [2014-08-07 17:48:11,242] config_profile: None > [2014-08-07 17:48:11,242] hostname: ltartari3.cern.ch > [2014-08-07 17:48:11,242] instance: idp > [2014-08-07 17:48:11,242] ipa: yes > [2014-08-07 17:48:11,243] krb: yes > [2014-08-07 17:48:11,243] krb_httpd_keytab: /etc/httpd/conf/http.keytab > [2014-08-07 17:48:11,243] krb_realms: None > [2014-08-07 17:48:11,243] lm_order: ['krb'] > [2014-08-07 17:48:11,243] pam: no > [2014-08-07 17:48:11,243] pam_service: remote > [2014-08-07 17:48:11,243] saml2: yes > [2014-08-07 17:48:11,243] secure: no > [2014-08-07 17:48:11,243] server_debugging: False > [2014-08-07 17:48:11,244] system_user: ipsilon > [2014-08-07 17:48:11,244] testauth: no > [2014-08-07 17:48:11,244] uninstall: False > [2014-08-07 17:48:11,244] Installation initiated > [2014-08-07 17:48:11,244] Installing default config files > [2014-08-07 17:48:11,461] Configuring environment helpers > Searching for keytab in: /etc/httpd/conf/http.keytab ... Found! > Searching for keytab in: /etc/httpd/conf/ipa.keytab ... Found! > [2014-08-07 17:48:11,486] Configuring login managers > Cannot set persistent booleans without managed policy. > [2014-08-07 17:48:12,126] Configuring Authentication Providers > Generating a 2048 bit RSA private key > .+++ > ..+++ > writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key' > - > Installation complete. > Please restart HTTPD to enable the IdP instance. > > > Thanks in advance. > > Luca Tartarini > > > 2014-08-06 17:37 GMT+02:00 Simo Sorce : > > > On Wed, 2014-08-06 at 17:20 +0200, Luca Tartarini wrote: > > > Hi, > > > > > > Thanks for the replies. I updated the line with: > > > > > > plugins_by_name = dict((p.name, p) for p in > > self._site[FACILITY]['enabled']) > > > > > > and it works (the installation is completed succesfully). 
> > > > > > But now when I try to connect to: > > > > > > https://myidp.example.com/idp > > > > > > or I try to configure ipsilon-client (ipsilon-client-install ...) I got > > > HTTP 500 Internal Error (with ipsilon background). I put "debug = True" > > > in /etc/ipsilon/idp/ipsilon.conf and I got this (in > > > /var/log/httpd/error_log): > > > > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Available > > > providers: ['saml2'] > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > > storage path: /var/lib/ipsilon/idp/saml2 > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > > metadata file: metadata.xml > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > > storage path: /var/lib/ipsilon/idp/saml2 > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > key > > > file: /var/lib/ipsilon/idp/saml2/idp.key > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > > storage path: /var/lib/ipsilon/idp/saml2 > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > > certificate file: /var/lib/ipsilon/idp/saml2/idp.pem > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider > > > registered: saml2 > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] > > enabled: > > > 1 > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider > > > enabled: saml2 > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > > > plugin: krb > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > > > plugin: pam > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] username > > > text: Username > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] password > > > text: Password > > > [Wed Aug 06 16:22:09 2014
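The name mismatch Simo describes in the reply above, modelled in Python as an added example; it is not code from Ipsilon or mod_auth_kerb and does not reproduce either one's exact behaviour. The realm names, the `<Location>` path and the rule of stripping only the IdP's own realm are assumptions of this example.

```python
# Added illustration; a model, not Ipsilon or mod_auth_kerb source.
import re

ADMIN_USER = "admin"        # "admin_user: admin" in the install log
IDP_REALM = "EXAMPLE.COM"   # constructed realm name

# Constructed httpd fragment; the Location path is a placeholder.
SAMPLE_CONF = """\
<Location /constructed/krb/path>
  AuthType Kerberos
  KrbMethodNegotiate on
  Krb5KeyTab /etc/httpd/conf/http.keytab
  # KrbLocalUserMapping On
  Require valid-user
</Location>
"""

_DIRECTIVE = re.compile(r"^\s*KrbLocalUserMapping\s+(\S+)\s*$", re.IGNORECASE)


def local_user_mapping_enabled(conf_text):
    """True if the last uncommented KrbLocalUserMapping directive is On."""
    enabled = False  # an absent directive is treated as Off
    for line in conf_text.splitlines():
        match = _DIRECTIVE.match(line)
        if match:
            enabled = match.group(1).lower() == "on"
    return enabled


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); realm is None if absent."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, None
    return name, realm


def remote_user(principal, local_user_mapping, idp_realm=IDP_REALM):
    """Return the user name the web application would see.

    With the mapping off, the full principal is passed through. With it on,
    this example strips the realm only for the IdP's own realm and only for
    principals without an instance part (policy assumed by this example), so
    'admin' from another realm or a service principal never becomes 'admin'.
    """
    if not local_user_mapping:
        return principal
    name, realm = split_principal(principal)
    if realm == idp_realm and "/" not in name:
        return name
    return principal


def is_admin(user_name, admin_user=ADMIN_USER):
    """Exact comparison: 'admin@REALM' is a different string from 'admin'."""
    return user_name == admin_user


def admin_tab_visible(principal, conf_text):
    """Combine the config check and the name comparison for one login."""
    user = remote_user(principal, local_user_mapping_enabled(conf_text))
    return is_admin(user)


if __name__ == "__main__":
    fixed = SAMPLE_CONF.replace("# KrbLocalUserMapping", "KrbLocalUserMapping")
    for label, conf in (("mapping off", SAMPLE_CONF), ("mapping on", fixed)):
        for principal in ("admin@EXAMPLE.COM", "admin@OTHER.EXAMPLE"):
            print(label, principal, admin_tab_visible(principal, conf))
```

With the directive commented out, `admin@EXAMPLE.COM` is not treated as the configured admin user; once it is enabled, only the principal from the IdP's own realm is.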
Re: [Freeipa-users] FreeIPA + Ipsilon
Hi, thanks for the reply, with Cherrypy 3.2.2 it works. Unfortunately now when I try to login with 'admin' account ('admin' user created previously during the installation of ipa-server) I can't see the Administration tab. Basically this condition (in /usr/share/ipsilon/templates/index.html) is not satisfied: {% if user.is_admin %} Administration | {% endif %} For ipsilon-server installation I run: ipsilon-server-install --secure=no --ipa=yes --krb=yes because I read that 'admin' is default. When I login with 'admin' in IPA Identity Management it is all ok (I login as administrator), with IPSILON I can login but not as administrator. I used the last version of jinja2 (jinja2 2.7.2). Log of ipsilon-server-install: [2014-08-07 17:48:11,242] Intallation arguments: [2014-08-07 17:48:11,242] admin_user: admin [2014-08-07 17:48:11,242] config_profile: None [2014-08-07 17:48:11,242] hostname: ltartari3.cern.ch [2014-08-07 17:48:11,242] instance: idp [2014-08-07 17:48:11,242] ipa: yes [2014-08-07 17:48:11,243] krb: yes [2014-08-07 17:48:11,243] krb_httpd_keytab: /etc/httpd/conf/http.keytab [2014-08-07 17:48:11,243] krb_realms: None [2014-08-07 17:48:11,243] lm_order: ['krb'] [2014-08-07 17:48:11,243] pam: no [2014-08-07 17:48:11,243] pam_service: remote [2014-08-07 17:48:11,243] saml2: yes [2014-08-07 17:48:11,243] secure: no [2014-08-07 17:48:11,243] server_debugging: False [2014-08-07 17:48:11,244] system_user: ipsilon [2014-08-07 17:48:11,244] testauth: no [2014-08-07 17:48:11,244] uninstall: False [2014-08-07 17:48:11,244] Installation initiated [2014-08-07 17:48:11,244] Installing default config files [2014-08-07 17:48:11,461] Configuring environment helpers Searching for keytab in: /etc/httpd/conf/http.keytab ... Found! Searching for keytab in: /etc/httpd/conf/ipa.keytab ... Found! [2014-08-07 17:48:11,486] Configuring login managers Cannot set persistent booleans without managed policy. 
[2014-08-07 17:48:12,126] Configuring Authentication Providers Generating a 2048 bit RSA private key .+++ ..+++ writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key' - Installation complete. Please restart HTTPD to enable the IdP instance. Thanks in advance. Luca Tartarini 2014-08-06 17:37 GMT+02:00 Simo Sorce : > On Wed, 2014-08-06 at 17:20 +0200, Luca Tartarini wrote: > > Hi, > > > > Thanks for the replies. I updated the line with: > > > > plugins_by_name = dict((p.name, p) for p in > self._site[FACILITY]['enabled']) > > > > and it works (the installation is completed succesfully). > > > > But now when I try to connect to: > > > > https://myidp.example.com/idp > > > > or I try to configure ipsilon-client (ipsilon-client-install ...) I got > > HTTP 500 Internal Error (with ipsilon background). I put "debug = True" > > in /etc/ipsilon/idp/ipsilon.conf and I got this (in > > /var/log/httpd/error_log): > > > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Available > > providers: ['saml2'] > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > storage path: /var/lib/ipsilon/idp/saml2 > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > metadata file: metadata.xml > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > storage path: /var/lib/ipsilon/idp/saml2 > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > key > > file: /var/lib/ipsilon/idp/saml2/idp.key > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > storage path: /var/lib/ipsilon/idp/saml2 > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > > certificate file: /var/lib/ipsilon/idp/saml2/idp.pem > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider > > registered: saml2 > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] > enabled: > > 1 > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP 
Provider > > enabled: saml2 > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > > plugin: krb > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > > plugin: pam > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] username > > text: Username > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] password > > text: Password > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] service > > name: remote > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] help > text: > > Insert your Username and Password and then submit. > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > > plugin: testauth > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] > > username text: Username > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] > > password text: Password > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] > help > > tex
Re: [Freeipa-users] FreeIPA + Ipsilon
On Wed, 2014-08-06 at 17:20 +0200, Luca Tartarini wrote: > Hi, > > Thanks for the replies. I updated the line with: > > plugins_by_name = dict((p.name, p) for p in self._site[FACILITY]['enabled']) > > and it works (the installation is completed succesfully). > > But now when I try to connect to: > > https://myidp.example.com/idp > > or I try to configure ipsilon-client (ipsilon-client-install ...) I got > HTTP 500 Internal Error (with ipsilon background). I put "debug = True" > in /etc/ipsilon/idp/ipsilon.conf and I got this (in > /var/log/httpd/error_log): > > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Available > providers: ['saml2'] > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > storage path: /var/lib/ipsilon/idp/saml2 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > metadata file: metadata.xml > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > storage path: /var/lib/ipsilon/idp/saml2 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp key > file: /var/lib/ipsilon/idp/saml2/idp.key > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > storage path: /var/lib/ipsilon/idp/saml2 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > certificate file: /var/lib/ipsilon/idp/saml2/idp.pem > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider > registered: saml2 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] enabled: > 1 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider > enabled: saml2 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > plugin: krb > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > plugin: pam > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] username > text: Username > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] password > text: Password > [Wed Aug 06 16:22:09 
2014] [error] [06/Aug/2014:16:22:09] [pam] service > name: remote > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] help text: > Insert your Username and Password and then submit. > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login > plugin: testauth > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] > username text: Username > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] > password text: Password > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] help > text: Insert your Username and Password and then submit. > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin provider > plugin: saml2 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] default > allowed nameids: ['persistent', 'transient', 'email', 'kerberos', 'x509'] > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > metadata file: metadata.xml > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] default > email domain: example.com > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > certificate file: /var/lib/ipsilon/idp/saml2/idp.pem > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] allow > self registration: True > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp key > file: /var/lib/ipsilon/idp/saml2/idp.key > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp > storage path: /var/lib/ipsilon/idp/saml2 > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] default > nameid: persistent > [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Traceback (most > recent call last): > [Wed Aug 06 16:22:09 2014] [error] File > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py", > line 104, in run > [Wed Aug 06 16:22:09 2014] [error] hook() > [Wed Aug 06 16:22:09 2014] [error] File > 
"/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py", > line 63, in __call__ > [Wed Aug 06 16:22:09 2014] [error] return self.callback(**self.kwargs) > [Wed Aug 06 16:22:09 2014] [error] File > "/usr/lib/python2.6/site-packages/ipsilon/util/page.py", line 37, in protect > [Wed Aug 06 16:22:09 2014] [error] UserSession().remote_login() > [Wed Aug 06 16:22:09 2014] [error] File > "/usr/lib/python2.6/site-packages/ipsilon/util/user.py", line 103, in > __init__ > [Wed Aug 06 16:22:09 2014] [error] self.user = self.get_data('user', > 'name') > [Wed Aug 06 16:22:09 2014] [error] File > "/usr/lib/python2.6/site-packages/ipsilon/util/user.py", line 147, in > get_data > [Wed Aug 06 16:22:09 2014] [error] if facility not in cherrypy.session: > [Wed Aug 06 16:22:09 2014] [error] File > "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/__init__.py", > line 258, in __contains__ > [Wed Aug 06 16:22:09 2014] [error] return key i
Re: [Freeipa-users] FreeIPA + Ipsilon
Hi, Thanks for the replies. I updated the line with: plugins_by_name = dict((p.name, p) for p in self._site[FACILITY]['enabled']) and it works (the installation is completed succesfully). But now when I try to connect to: https://myidp.example.com/idp or I try to configure ipsilon-client (ipsilon-client-install ...) I got HTTP 500 Internal Error (with ipsilon background). I put "debug = True" in /etc/ipsilon/idp/ipsilon.conf and I got this (in /var/log/httpd/error_log): [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Available providers: ['saml2'] [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp storage path: /var/lib/ipsilon/idp/saml2 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp metadata file: metadata.xml [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp storage path: /var/lib/ipsilon/idp/saml2 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp key file: /var/lib/ipsilon/idp/saml2/idp.key [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp storage path: /var/lib/ipsilon/idp/saml2 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp certificate file: /var/lib/ipsilon/idp/saml2/idp.pem [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider registered: saml2 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] enabled: 1 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] IdP Provider enabled: saml2 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login plugin: krb [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login plugin: pam [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] username text: Username [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] password text: Password [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] service name: remote [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [pam] help text: Insert your 
Username and Password and then submit. [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin login plugin: testauth [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] username text: Username [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] password text: Password [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [testauth] help text: Insert your Username and Password and then submit. [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Admin provider plugin: saml2 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] default allowed nameids: ['persistent', 'transient', 'email', 'kerberos', 'x509'] [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp metadata file: metadata.xml [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] default email domain: example.com [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp certificate file: /var/lib/ipsilon/idp/saml2/idp.pem [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] allow self registration: True [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp key file: /var/lib/ipsilon/idp/saml2/idp.key [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] idp storage path: /var/lib/ipsilon/idp/saml2 [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] [saml2] default nameid: persistent [Wed Aug 06 16:22:09 2014] [error] [06/Aug/2014:16:22:09] Traceback (most recent call last): [Wed Aug 06 16:22:09 2014] [error] File "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py", line 104, in run [Wed Aug 06 16:22:09 2014] [error] hook() [Wed Aug 06 16:22:09 2014] [error] File "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/_cprequest.py", line 63, in __call__ [Wed Aug 06 16:22:09 2014] [error] return self.callback(**self.kwargs) [Wed Aug 06 16:22:09 2014] [error] File 
"/usr/lib/python2.6/site-packages/ipsilon/util/page.py", line 37, in protect [Wed Aug 06 16:22:09 2014] [error] UserSession().remote_login() [Wed Aug 06 16:22:09 2014] [error] File "/usr/lib/python2.6/site-packages/ipsilon/util/user.py", line 103, in __init__ [Wed Aug 06 16:22:09 2014] [error] self.user = self.get_data('user', 'name') [Wed Aug 06 16:22:09 2014] [error] File "/usr/lib/python2.6/site-packages/ipsilon/util/user.py", line 147, in get_data [Wed Aug 06 16:22:09 2014] [error] if facility not in cherrypy.session: [Wed Aug 06 16:22:09 2014] [error] File "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/__init__.py", line 258, in __contains__ [Wed Aug 06 16:22:09 2014] [error] return key in child [Wed Aug 06 16:22:09 2014] [error] File "/usr/lib/python2.6/site-packages/CherryPy-3.5.0-py2.6.egg/cherrypy/lib/sessions.py", line 335, in __contains__ [Wed Aug 06 16:22:09 2014] [error] self.load() [Wed Aug 06 16:22:09 2014] [error] File "/us
Re: [Freeipa-users] FreeIPA + Ipsilon
On 08/05/2014 07:48 PM, Simo Sorce wrote:
> On Tue, 2014-08-05 at 17:47 +0200, Luca Tartarini wrote:
[...]
>> with HTTP 500 Internal Server Error ("GET /idp HTTP/1.1" 500 619)
>>
>> The line is this one (in
>> /usr/lib/python2.6/site-packages/ipsilon/admin/login.py):
>>
>> plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}
>
> Uhmm python 2.6, I think it does not support dict comprehension.
>
> You can replace this line with:
> dict([p.name, p for p in self._site[FACILITY]['enabled']])

dict((p.name, p) for p in self._site[FACILITY]['enabled'])

(You need the parens around (p.name, p))

--
Petr³
Re: [Freeipa-users] FreeIPA + Ipsilon
On Tue, 2014-08-05 at 17:47 +0200, Luca Tartarini wrote:
> Hi, thanks for the replies.
>
> I finally managed to install lasso correctly (without lasso-python) but
> after the installation of ipsilon-server (ipsilon-server-install --ipa=yes
> --secure=no) when I try to connect via browser to:
>
> https://myidp.example.com/idp
>
> I had this error:
>
> [error] mod_wsgi (pid=22357): Target WSGI script '/usr/sbin/ipsilon' cannot
> be loaded as Python module.
> [error] mod_wsgi (pid=22357): Exception occurred processing WSGI script
> '/usr/sbin/ipsilon'.
> [error] Traceback (most recent call last):
> [error] File "/usr/sbin/ipsilon", line 28, in
> [error] from ipsilon.root import Root
> [error] File "/usr/lib/python2.6/site-packages/ipsilon/root.py", line 26,
> in
> [error] from ipsilon.admin.login import LoginPlugins
> [error] File "/usr/lib/python2.6/site-packages/ipsilon/admin/login.py",
> line 48
> [error] plugins_by_name = {p.name: p for p in
> self._site[FACILITY]['enabled']}
> [error] ^
> [error] SyntaxError: invalid syntax
>
> with HTTP 500 Internal Server Error ("GET /idp HTTP/1.1" 500 619)
>
> The line is this one (in
> /usr/lib/python2.6/site-packages/ipsilon/admin/login.py):
>
> plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']}

Uhmm python 2.6, I think it does not support dict comprehension.

You can replace this line with:
dict([p.name, p for p in self._site[FACILITY]['enabled']])

Let me know if that helps.

Simo.

> The same thing if I try:
>
> ipsilon-client-install --saml-idp-metadata
> https://myidp.example.org/idp/saml2/metadata --debug
>
> Thanks in advance.
>
> Luca Tartarini
>
>
>
> 2014-07-31 13:11 GMT+02:00 Simo Sorce :
>
> > On Thu, 2014-07-31 at 09:53 +0200, Luca Tartarini wrote:
> > > Hi,
> > >
> > > Thanks for the reply, unfortunately I can not find the package on
> > > Scientific Linux, is there a workaround?
> > > > I saw from the lasso mailing list that you built the lasso package > > yourself, make sure you built the python bindings, they are part of the > > same source tree. > > > > Attached find a .spec file you can use top build lasso on EL6 platforms, > > until it will become available "officially". > > > > This will build and install the python binding correctly. > > > > Simo. > > > > > Thanks. > > > > > > Luca Tartarini > > > > > > > > > 2014-07-30 15:00 GMT+02:00 Simo Sorce : > > > > > > > On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote: > > > > > On 07/29/2014 03:47 PM, Luca Tartarini wrote: > > > > > > Hi everyone, > > > > > > > > > > > > I am new in FreeIPA, I am trying to configure FreeIPA with > > Ipsilon. The > > > > > > configuration is the following: Service Provider (host with > > Scientific > > > > > > Linux 6) with ipsilon-client and Identity Provider (another host > > with > > > > > > Scientific Linux 6) with FreeIPA and ipsilon-server, is the > > > > configuration > > > > > > feasible and/or correct? 
> > > > > > If it is, then I am stuck in the installation of ipsilon-client > > because > > > > > > after I installed lasso-2.3.6 and all the ipsilon-client > > prerequisites, > > > > > > when I finally run: > > > > > > > > > > > > ipsilon-client-install --saml-idp-metadata > > > > > > https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki > > > > > > > > > > > > I get this error about lasso: > > > > > > > > > > > > Traceback (most recent call last): > > > > > > File "/usr/bin/ipsilon-client-install", line 20, in > > > > > > from ipsilon.tools.saml2metadata import Metadata > > > > > > File > > > > "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", > > > > > > line 22, in > > > > > > import lasso > > > > > > File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in > > > > > > > > import _lasso > > > > > > ImportError: No module named _lasso > > > > > > > > > > > > Does anyone know if it's a problem about lasso's configuration or I > > > > forgot > > > > > > something about ipsilon-client? > > > > > > > > > > > > Thanks in advance. > > > > > > > > > > > > Luca Tartarini > > > > > > > > > > Not sure, _lasso.so should be provided by lasso-python package: > > > > > > > > > > # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so > > > > > lasso-python-2.4.0-4.el6.x86_64 > > > > > > > > > > CCing Simo to advise. > > > > > > > > Sounds like lasso-python is missing indeed. > > > > > > > > Simo. > > > > > > > > > > > > > > > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA + Ipsilon
Hi, thanks for the replies. I am finally managed to install lasso correctly (without lasso-python) but after the installation of ipsilon-server (ipsilon-server-install --ipa=yes --secure=no) when I try to connet via browser to: https://myidp.example.com/idp I had this error: [error] mod_wsgi (pid=22357): Target WSGI script '/usr/sbin/ipsilon' cannot be loaded as Python module. [error] mod_wsgi (pid=22357): Exception occurred processing WSGI script '/usr/sbin/ipsilon'. [error] Traceback (most recent call last): [error] File "/usr/sbin/ipsilon", line 28, in [error] from ipsilon.root import Root [error] File "/usr/lib/python2.6/site-packages/ipsilon/root.py", line 26, in [error] from ipsilon.admin.login import LoginPlugins [error] File "/usr/lib/python2.6/site-packages/ipsilon/admin/login.py", line 48 [error] plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']} [error] ^ [error] SyntaxError: invalid syntax with HTTP 500 Internal Server Error ("GET /idp HTTP/1.1" 500 619) The line is this one (in /usr/lib/python2.6/site-packages/ipsilon/admin/login.py): plugins_by_name = {p.name: p for p in self._site[FACILITY]['enabled']} The same thing if I try: ipsilon-client-install --saml-idp-metadata https://myidp.example.org/idp/saml2/metadata --debug Thanks in advance. Luca Tartarini 2014-07-31 13:11 GMT+02:00 Simo Sorce : > On Thu, 2014-07-31 at 09:53 +0200, Luca Tartarini wrote: > > Hi, > > > > Thanks for the reply, unfortunately I can not find the package on > > Scientific Linux, is there a workaround? > > I saw from the lasso mailing list that you built the lasso package > yourself, make sure you built the python bindings, they are part of the > same source tree. > > Attached find a .spec file you can use top build lasso on EL6 platforms, > until it will become available "officially". > > This will build and install the python binding correctly. > > Simo. > > > Thanks. 
> > > > Luca Tartarini > > > > > > 2014-07-30 15:00 GMT+02:00 Simo Sorce : > > > > > On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote: > > > > On 07/29/2014 03:47 PM, Luca Tartarini wrote: > > > > > Hi everyone, > > > > > > > > > > I am new in FreeIPA, I am trying to configure FreeIPA with > Ipsilon. The > > > > > configuration is the following: Service Provider (host with > Scientific > > > > > Linux 6) with ipsilon-client and Identity Provider (another host > with > > > > > Scientific Linux 6) with FreeIPA and ipsilon-server, is the > > > configuration > > > > > feasible and/or correct? > > > > > If it is, then I am stuck in the installation of ipsilon-client > because > > > > > after I installed lasso-2.3.6 and all the ipsilon-client > prerequisites, > > > > > when I finally run: > > > > > > > > > > ipsilon-client-install --saml-idp-metadata > > > > > https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki > > > > > > > > > > I get this error about lasso: > > > > > > > > > > Traceback (most recent call last): > > > > > File "/usr/bin/ipsilon-client-install", line 20, in > > > > > from ipsilon.tools.saml2metadata import Metadata > > > > > File > > > "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", > > > > > line 22, in > > > > > import lasso > > > > > File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in > > > > > > import _lasso > > > > > ImportError: No module named _lasso > > > > > > > > > > Does anyone know if it's a problem about lasso's configuration or I > > > forgot > > > > > something about ipsilon-client? > > > > > > > > > > Thanks in advance. > > > > > > > > > > Luca Tartarini > > > > > > > > Not sure, _lasso.so should be provided by lasso-python package: > > > > > > > > # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so > > > > lasso-python-2.4.0-4.el6.x86_64 > > > > > > > > CCing Simo to advise. > > > > > > Sounds like lasso-python is missing indeed. > > > > > > Simo. 
Re: [Freeipa-users] FreeIPA + Ipsilon
On Thu, 2014-07-31 at 09:53 +0200, Luca Tartarini wrote:
> Hi,
>
> Thanks for the reply, unfortunately I can not find the package on
> Scientific Linux, is there a workaround?

I saw from the lasso mailing list that you built the lasso package
yourself, make sure you built the python bindings, they are part of the
same source tree.

Attached find a .spec file you can use to build lasso on EL6 platforms,
until it will become available "officially".

This will build and install the python binding correctly.

Simo.

> Thanks.
>
> Luca Tartarini
>
>
> 2014-07-30 15:00 GMT+02:00 Simo Sorce :
>
> > On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
> > > On 07/29/2014 03:47 PM, Luca Tartarini wrote:
> > > > Hi everyone,
> > > >
> > > > I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
> > > > configuration is the following: Service Provider (host with Scientific
> > > > Linux 6) with ipsilon-client and Identity Provider (another host with
> > > > Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
> > > > feasible and/or correct?
> > > > If it is, then I am stuck in the installation of ipsilon-client because > > > > after I installed lasso-2.3.6 and all the ipsilon-client prerequisites, > > > > when I finally run: > > > > > > > > ipsilon-client-install --saml-idp-metadata > > > > https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki > > > > > > > > I get this error about lasso: > > > > > > > > Traceback (most recent call last): > > > > File "/usr/bin/ipsilon-client-install", line 20, in > > > > from ipsilon.tools.saml2metadata import Metadata > > > > File > > "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", > > > > line 22, in > > > > import lasso > > > > File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in > > > > import _lasso > > > > ImportError: No module named _lasso > > > > > > > > Does anyone know if it's a problem about lasso's configuration or I > > forgot > > > > something about ipsilon-client? > > > > > > > > Thanks in advance. > > > > > > > > Luca Tartarini > > > > > > Not sure, _lasso.so should be provided by lasso-python package: > > > > > > # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so > > > lasso-python-2.4.0-4.el6.x86_64 > > > > > > CCing Simo to advise. > > > > Sounds like lasso-python is missing indeed. > > > > Simo. 
> > > > > > %global with_java 0 %global with_php 0 %global with_perl 0 %global with_python 1 %global with_wsf 0 %if %{with_php} %{!?__pecl: %{expand: %%global __pecl %{_bindir}/pecl}} %endif Summary: Liberty Alliance Single Sign On Name: lasso Version: 2.4.0 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Libraries Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz %if %{with_wsf} BuildRequires: cyrus-sasl-devel %endif BuildRequires: gtk-doc, libtool-ltdl-devel BuildRequires: glib2-devel, swig BuildRequires: libxml2-devel, xmlsec1-devel, openssl-devel, xmlsec1-openssl-devel Url: http://lasso.entrouvert.org/ %description Lasso is a library that implements the Liberty Alliance Single Sign On standards, including the SAML and SAML2 specifications. It allows to handle the whole life-cycle of SAML based Federations, and provides bindings for multiple languages. %package devel Summary: Lasso development headers and documentation Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} %description devel This package contains the header files, static libraries and development documentation for Lasso. %if %{with_perl} %package perl Summary: Liberty Alliance Single Sign On (lasso) Perl bindings Group: Development/Libraries BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(Test::More) Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: %{name}%{?_isa} = %{version}-%{release} %description perl Perl language bindings for the lasso (Liberty Alliance Single Sign On) library. %endif %if %{with_java} %package java Summary: Liberty Alliance Single Sign On (lasso) Java bindings Group: Development/Libraries BuildRequires: java-devel BuildRequires: jpackage-utils Requires: java-headless Requires: jpackage-utils Requires: %{name}%{?_isa} = %{version}-%{release} %description java Java language bindings for the lasso (Liberty Alliance Single Sign On) library. 
%endif %if %{with_php} %package php Summary: Liberty Alliance Single Sign On (lasso) PHP bindings Group: Development/Libraries BuildRequires: php-devel, expat-devel BuildRequires: python2 Requires: %{name}%{?_isa} = %{version}-%{release} Requires(post): %{__pecl} Requires(postun): %{__pecl} Requires: php(zend-abi) = %{php_zend_api} Requires: php(api) = %{php_core_api} %description php PHP language bindings for the lasso (Liberty Alliance Single Sign On) library. %endif %if %{with_python} %package python Summary: Liberty Alliance Single Sign On (lasso) Python bindings Group: Development/Libraries BuildRequires: p
Re: [Freeipa-users] FreeIPA + Ipsilon
Without this package for your platform, you cannot move further. So you would
either need to switch to some platform that has this package available (RHEL,
CentOS, Fedora) or take the source bits and build it for your platform
yourselves.

Maybe you would get lucky with rebuilding the source RPM from Fedora 20
(http://koji.fedoraproject.org/koji/buildinfo?buildID=489924), but there might
be some build dependencies that are not available on Scientific Linux...

HTH,
Martin

On 07/31/2014 09:53 AM, Luca Tartarini wrote:
> Hi,
>
> Thanks for the reply, unfortunately I can not find the package on
> Scientific Linux, is there a workaround?
>
> Thanks.
>
> Luca Tartarini
>
>
> 2014-07-30 15:00 GMT+02:00 Simo Sorce :
>
>> On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
>>> On 07/29/2014 03:47 PM, Luca Tartarini wrote:
>>>> Hi everyone,
>>>>
>>>> I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
>>>> configuration is the following: Service Provider (host with Scientific
>>>> Linux 6) with ipsilon-client and Identity Provider (another host with
>>>> Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
>>>> feasible and/or correct?
>>>> If it is, then I am stuck in the installation of ipsilon-client because
>>>> after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
>>>> when I finally run:
>>>>
>>>> ipsilon-client-install --saml-idp-metadata
>>>> https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
>>>>
>>>> I get this error about lasso:
>>>>
>>>> Traceback (most recent call last):
>>>>   File "/usr/bin/ipsilon-client-install", line 20, in
>>>>     from ipsilon.tools.saml2metadata import Metadata
>>>>   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in
>>>>     import lasso
>>>>   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in
>>>>     import _lasso
>>>> ImportError: No module named _lasso
>>>>
>>>> Does anyone know if it's a problem about lasso's configuration or I forgot
>>>> something about ipsilon-client?
>>>>
>>>> Thanks in advance.
>>>>
>>>> Luca Tartarini
>>>
>>> Not sure, _lasso.so should be provided by lasso-python package:
>>>
>>> # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
>>> lasso-python-2.4.0-4.el6.x86_64
>>>
>>> CCing Simo to advise.
>>
>> Sounds like lasso-python is missing indeed.
>>
>> Simo.
Re: [Freeipa-users] FreeIPA + Ipsilon
Hi,

Thanks for the reply, unfortunately I can not find the package on
Scientific Linux, is there a workaround?

Thanks.

Luca Tartarini


2014-07-30 15:00 GMT+02:00 Simo Sorce :

> On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
> > On 07/29/2014 03:47 PM, Luca Tartarini wrote:
> > > Hi everyone,
> > >
> > > I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
> > > configuration is the following: Service Provider (host with Scientific
> > > Linux 6) with ipsilon-client and Identity Provider (another host with
> > > Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
> > > feasible and/or correct?
> > > If it is, then I am stuck in the installation of ipsilon-client because
> > > after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
> > > when I finally run:
> > >
> > > ipsilon-client-install --saml-idp-metadata
> > > https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
> > >
> > > I get this error about lasso:
> > >
> > > Traceback (most recent call last):
> > >   File "/usr/bin/ipsilon-client-install", line 20, in
> > >     from ipsilon.tools.saml2metadata import Metadata
> > >   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in
> > >     import lasso
> > >   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in
> > >     import _lasso
> > > ImportError: No module named _lasso
> > >
> > > Does anyone know if it's a problem about lasso's configuration or I forgot
> > > something about ipsilon-client?
> > >
> > > Thanks in advance.
> > >
> > > Luca Tartarini
> >
> > Not sure, _lasso.so should be provided by lasso-python package:
> >
> > # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
> > lasso-python-2.4.0-4.el6.x86_64
> >
> > CCing Simo to advise.
>
> Sounds like lasso-python is missing indeed.
>
> Simo.
Re: [Freeipa-users] FreeIPA + Ipsilon
On Tue, 2014-07-29 at 15:58 +0200, Martin Kosek wrote:
> On 07/29/2014 03:47 PM, Luca Tartarini wrote:
> > Hi everyone,
> >
> > I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
> > configuration is the following: Service Provider (host with Scientific
> > Linux 6) with ipsilon-client and Identity Provider (another host with
> > Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
> > feasible and/or correct?
> > If it is, then I am stuck in the installation of ipsilon-client because
> > after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
> > when I finally run:
> >
> > ipsilon-client-install --saml-idp-metadata
> > https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
> >
> > I get this error about lasso:
> >
> > Traceback (most recent call last):
> >   File "/usr/bin/ipsilon-client-install", line 20, in
> >     from ipsilon.tools.saml2metadata import Metadata
> >   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in
> >     import lasso
> >   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in
> >     import _lasso
> > ImportError: No module named _lasso
> >
> > Does anyone know if it's a problem about lasso's configuration or I forgot
> > something about ipsilon-client?
> >
> > Thanks in advance.
> >
> > Luca Tartarini
>
> Not sure, _lasso.so should be provided by lasso-python package:
>
> # rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
> lasso-python-2.4.0-4.el6.x86_64
>
> CCing Simo to advise.

Sounds like lasso-python is missing indeed.

Simo.
Re: [Freeipa-users] FreeIPA + Ipsilon
On 07/29/2014 03:47 PM, Luca Tartarini wrote:
> Hi everyone,
>
> I am new in FreeIPA, I am trying to configure FreeIPA with Ipsilon. The
> configuration is the following: Service Provider (host with Scientific
> Linux 6) with ipsilon-client and Identity Provider (another host with
> Scientific Linux 6) with FreeIPA and ipsilon-server, is the configuration
> feasible and/or correct?
> If it is, then I am stuck in the installation of ipsilon-client because
> after I installed lasso-2.3.6 and all the ipsilon-client prerequisites,
> when I finally run:
>
> ipsilon-client-install --saml-idp-metadata
> https://myidp.example.org/idp/saml2/metadata --saml-auth /wiki
>
> I get this error about lasso:
>
> Traceback (most recent call last):
>   File "/usr/bin/ipsilon-client-install", line 20, in
>     from ipsilon.tools.saml2metadata import Metadata
>   File "/usr/lib/python2.6/site-packages/ipsilon/tools/saml2metadata.py", line 22, in
>     import lasso
>   File "/usr/lib/python2.6/site-packages/lasso.py", line 3, in
>     import _lasso
> ImportError: No module named _lasso
>
> Does anyone know if it's a problem about lasso's configuration or I forgot
> something about ipsilon-client?
>
> Thanks in advance.
>
> Luca Tartarini

Not sure, _lasso.so should be provided by lasso-python package:

# rpm -qf /usr/lib64/python2.6/site-packages/_lasso.so
lasso-python-2.4.0-4.el6.x86_64

CCing Simo to advise.

Martin
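
Added example (not part of the original thread, and not code from Ipsilon or lasso): a small Python check for the failure discussed above, where the wrapper lasso.py is found but the compiled _lasso extension is not. The names diagnose_binding and demo, the status strings, and the constructed directory trees are assumptions made for illustration.

```python
import os
import sys
import tempfile


def diagnose_binding(module, search_path=None):
    """Locate the pure-Python wrapper <module>.py and the compiled
    extension _<module>*.so on the import path and classify the result."""
    wrapper_dirs, extension_dirs = [], []
    for directory in (sys.path if search_path is None else search_path):
        if not os.path.isdir(directory):
            continue  # skips "", zip archives and stale path entries
        names = os.listdir(directory)
        if module + ".py" in names:
            wrapper_dirs.append(directory)
        # Extension modules are named _<module>.so or _<module>.<abi-tag>.so
        if any(n.startswith("_" + module + ".") and n.endswith(".so")
               for n in names):
            extension_dirs.append(directory)
    if wrapper_dirs and extension_dirs:
        status = "ok"
    elif wrapper_dirs:
        status = "wrapper-without-extension"  # the ImportError in this thread
    elif extension_dirs:
        status = "extension-without-wrapper"
    else:
        status = "not-installed"
    return {"status": status, "wrapper": wrapper_dirs,
            "extension": extension_dirs}


def demo():
    """Run the check on constructed trees that mimic lib/ and lib64/."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib", "site-packages")
    lib64 = os.path.join(root, "lib64", "site-packages")
    os.makedirs(lib)
    os.makedirs(lib64)
    open(os.path.join(lib, "lasso.py"), "w").close()
    before = diagnose_binding("lasso", [lib, lib64])
    # Simulate installing the package that ships the compiled binding
    open(os.path.join(lib64, "_lasso.so"), "w").close()
    after = diagnose_binding("lasso", [lib, lib64])
    return before["status"], after["status"]


if __name__ == "__main__":
    print(demo())
    print(diagnose_binding("lasso"))
```

On a real host, call diagnose_binding("lasso") with the same interpreter that runs ipsilon-client-install; the returned directory lists show whether the wrapper and the extension sit in different lib and lib64 trees.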