Would it be better to file this as a new bug, or reopen 4291? On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston <hus...@astro.princeton.edu> wrote: > Seems like this is to blame: https://fedorahosted.org/freeipa/ticket/4291 > > The checkin says, "Installation in pure IPv6 environment failed > because pki-tomcat tried to use > IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 > fixes this issue." However it would seem that in a pure IPv4 > environment, this is causing tomcat to fail to load. > > On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston > <hus...@astro.princeton.edu> wrote: >> What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml? >> >> <!-- Define an AJP 1.3 Connector on port 8009 --> >> >> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" >> address="::1" /> >> >> Doesn't work so well on a host without IPv6 turned on... >> >> Jan 31 14:26:59 ipa server: PKIListener: >> org.apache.catalina.core.StandardServer[before_init] >> Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point >> associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"] >> Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family >> unavailable >> >> On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston >> <hus...@astro.princeton.edu> wrote: >>> Stranger, I did an install on a different VM with the CentOS 7 minimal >>> ISO, then installed ipa-server and enough things to get X11 and >>> Firefox, ran ipa-server-install and it worked fine. I tested with >>> Firefox (and Safari) against my failing installation and it still >>> fails. So there's something else different that's causing it to >>> break. Will continue investigating, but if someone knows why the UI >>> would break this way it would be helpful to know where to look! >>> >>> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston >>> <hus...@astro.princeton.edu> wrote: >>>> Just did it again with the same result. Reinstalled the machine, then >>>> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in >>>> version 4.4.0-14.el7_3.4 and a bunch of other packages. Next was the >>>> ipa-server-install as I used before, only without --mkhomedir this >>>> time. After entering the passwords for directory administrator and >>>> the admin user, I then logged in to the web interface, immediately >>>> clicked "add" and added a user 'foobar'. When I clicked "add and >>>> edit" and was brought to the user information page, it looks like this >>>> at the bottom: >>>> >>>> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0 >>>> >>>> I then entered an employee number of '0001' just to give something to >>>> save, and clicked save. The screen now shows this (I've clicked the >>>> drop-down on the manager field so the choices are visible): >>>> >>>> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0 >>>> >>>> Holding shift and clicking reload, the page now looks like this (the >>>> employee number field is also blank again): >>>> >>>> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0 >>>> >>>> Since we do run a repackaged distribution here (Springdale Linux), I >>>> just unpacked ipa-server-common from our repository with the above >>>> version, and >>>> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm, >>>> and 'diff' found zero differences between them. Unlikely, but I >>>> wanted to rule out a packaging error causing the problem. >>>> >>>> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston >>>> <hus...@astro.princeton.edu> wrote: >>>>> No, that should be all of the major changes; the puppet module that >>>>> installs things only puts the two plugin files in their respective >>>>> places. The client part of the IPA module makes changes to have the >>>>> machine join the domain and whatnot, but those shouldn't affect the >>>>> webui. >>>>> >>>>> I do modify the schema by adding some attribute types for Puppet, >>>>> namely puppetClass, parentNode, environment, puppetVar, and the object >>>>> class puppetClient. That's basically right from one of the Puppet >>>>> webpages and also worked in the past - and is one of the things the >>>>> python plugin does, add the appropriate objectclass to host entries if >>>>> puppetVar is added to a host entry. >>>>> >>>>> My steps to install: >>>>> * ipa-server-install --realm=<realm> --domain=<domain> --mkhomedir >>>>> --hostname=<hostname> --no-host-dns >>>>> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W >>>>> < paste puppet schema changes> >>>>> < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a >>>>> service account used by puppet for adding hosts to IPA > >>>>> * login to web UI >>>>> * * Change home directory base, default shell, default SELinux user >>>>> * * Add SELinux user map for staff/sysadmin users >>>>> * * Add "user adder" permission/privilege/role for users who will be >>>>> able to create stageusers >>>>> >>>>> That's about as far as I got before I realized some of the plugin >>>>> pieces weren't working, and then fixed the python plugin followed by >>>>> working on the UI plugin and finding this problem. I'll go wipe and >>>>> reinstall the system again and walk through the steps, but test the UI >>>>> first and in between to see if I can find which of the steps might be >>>>> causing things to hiccup. >>>>> >>>>> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka <pvoma...@redhat.com> >>>>> wrote: >>>>>> Hello Steve, >>>>>> >>>>>> I tried to reproduce what you described on the very same version of >>>>>> ipa-server and I was not successful. Actually I was not used your >>>>>> back-end >>>>>> plugin. I tried it with no plugin and then with your UI plugin and both >>>>>> worked correctly. Did you do any other changes somewhere in your >>>>>> installation? >>>>>> >>>>>> I will try it again also with your Python plugin and we'll see. >>>>>> >>>>>> >>>>>> On 01/24/2017 08:59 PM, Steve Huston wrote: >>>>>>> >>>>>>> And now I'm convinced this has nothing to do with my plugin and >>>>>>> instead is a bug somewhere in FreeIPA. >>>>>>> >>>>>>> I removed the entirety of the "astrocustom" plugin that I wrote, >>>>>>> restarted httpd, and force reloaded the page in chrome. I clicked to >>>>>>> add a new user, gave the basic information, and clicked "add and >>>>>>> edit". The bottom of the page shows the "Employee information" on the >>>>>>> left side bottom, and the manager drop-down is empty. I entered '1' >>>>>>> in the "employee type" field and clicked save, and now "Employee >>>>>>> Information" is on the right side directly under "Contact settings", >>>>>>> and the manager drop-down is populated with the list of UIDs on the >>>>>>> system. >>>>>>> >>>>>>> When the UI is in the failed state, the "email address" field is also >>>>>>> blank, but when things switch to how they should be (after submitting >>>>>>> a change) it is populated with the email address in the record. I >>>>>>> just tested by adding a telephone number to the record, and that also >>>>>>> made the contact information and employee information facets refresh >>>>>>> with the proper data. Pressing shift-reload again makes all the >>>>>>> information disappear (including the telephone number I just entered). >>>>>>> >>>>>>> This is with ipa-server-4.4.0-14.el7_3.4 >>>>>>> >>>>>>> >>>>>>> On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston >>>>>>> <hus...@astro.princeton.edu> wrote: >>>>>>>> >>>>>>>> Just tested again, and this is still baffling: >>>>>>>> >>>>>>>> * Create a stage user with the right data, works fine, can be edited. >>>>>>>> * Enable that user, and now the two fields ('manager' and >>>>>>>> 'employeeType') appear to have bogus data in the UI, and I cannot save >>>>>>>> the page without changing them to something else. >>>>>>>> * Once that user is saved, the "Employee Information" facet moves to >>>>>>>> the right side of the page, and now shows not only the current data in >>>>>>>> the manager drop down but also the other choices (uids). Change the >>>>>>>> value of manager and employeetype back to what they were previously >>>>>>>> and it saves. >>>>>>>> * An ldapsearch run when the user is first created (as the directory >>>>>>>> manager), and after having two edits (one to change the values to >>>>>>>> something else to let the webui save them, and one to change them back >>>>>>>> to what they should be and were the first time) produce completely >>>>>>>> identical results. >>>>>>>> * The output of "ipa user-show <uid> --all --raw" is also identical at >>>>>>>> those same steps. >>>>>>>> >>>>>>>> So something, somewhere, is being saved in a way that prevents the >>>>>>>> webui from displaying them properly, that gets fixed when those values >>>>>>>> are manually changed via the webui. >>>>>>>> >>>>>>>> On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston >>>>>>>> <hus...@astro.princeton.edu> wrote: >>>>>>>>> >>>>>>>>> Even more interesting... >>>>>>>>> >>>>>>>>> I tried to modify one of the records that was not displaying properly >>>>>>>>> in the "active users" group, and sure enough the webui complained that >>>>>>>>> the "Requested By" (relabeled "manager") field was not filled in since >>>>>>>>> it was blank. It also, however, complained that the "User tier" >>>>>>>>> (relabeled "employeetype") was incorrect, even though it showed the >>>>>>>>> label associated with the value 1. I clicked the search drop-down for >>>>>>>>> manager, typed in my own uid, and even though everything had been >>>>>>>>> blank in the drop down before now my uid showed up. I clicked on it, >>>>>>>>> and my uid was now in the manager field. I then clicked the drop down >>>>>>>>> for employeetype, and chose one of the other options. I was now able >>>>>>>>> to save the changes to the record. >>>>>>>>> >>>>>>>>> Upon reloading the page, the "Employee Information" facet now shoed up >>>>>>>>> on the right side bottom, instead of the left side bottom where it was >>>>>>>>> appearing. I was also now able to change the drop-down fields for >>>>>>>>> manager and employeetype to another value, and save them, and they >>>>>>>>> worked fine even filling in all the data that should have been there. >>>>>>>>> This almost seemed like the data being returned by the server was >>>>>>>>> flawed somehow, and confusing the webui, but once it was forced to >>>>>>>>> have the right data and re-saved it worked fine subsequently. >>>>>>>>> >>>>>>>>> I looked at the output of "ipa user-show <uid> --all --raw" both >>>>>>>>> before and after making such changes on a user, and can detect no >>>>>>>>> difference between them. >>>>>>>>> >>>>>>>>> On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy >>>>>>>>> <aboko...@redhat.com> >>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> On to, 19 tammi 2017, Steve Huston wrote: >>>>>>>>>>> >>>>>>>>>>> On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy >>>>>>>>>>> <aboko...@redhat.com> >>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> In short, FreeIPA 4.2 -> 4.4 change was by splitting server and >>>>>>>>>>>> client >>>>>>>>>>>> side plugins into different paths (ipaserver/plugins and >>>>>>>>>>>> ipaclient/plugins instead of being common in ipalib/plugins). The >>>>>>>>>>>> client >>>>>>>>>>>> code was also changed to always read metadata about API from the >>>>>>>>>>>> server >>>>>>>>>>>> side. This means the client can adopt to any server version that >>>>>>>>>>>> supports API metadata. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Right, and I think that the most of the plugin I had belongs >>>>>>>>>>> server-side; in fact, that's where I migrated it to, and things work >>>>>>>>>>> fine. I haven't tested if I can change those values with the cli, >>>>>>>>>>> but >>>>>>>>>>> I'm less concerned about that at the moment. >>>>>>>>>>> >>>>>>>>>>>> In my sample external plugin you referenced above you can see that >>>>>>>>>>>> I >>>>>>>>>>>> have client-side change that replaces an input string by a file >>>>>>>>>>>> reference so that a file can supplied instead of typing the content >>>>>>>>>>>> of >>>>>>>>>>>> the file on the command line. This is one of most used patterns for >>>>>>>>>>>> client side plugins. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> In this case, my biggest problem is with the web UI. The 'manager' >>>>>>>>>>> drop down (which I have renamed through the UI plugins to "Requested >>>>>>>>>>> By" to show what user requested and is responsible for this account) >>>>>>>>>>> works fine in the 'add/modify stageuser' context, but not at all in >>>>>>>>>>> the adduser/moduser context, and I can't seem to find out why. >>>>>>>>>> >>>>>>>>>> I'll defer answer for this to our web UI wizards but they would need >>>>>>>>>> to >>>>>>>>>> see your code to help, I'd guess. >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> / Alexander Bokovoy >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>>>>>>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of >>>>>>>>> Cygnus, >>>>>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus >>>>>>>>> X-1' >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>>>>>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of >>>>>>>> Cygnus, >>>>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Pavel^3 Vomacka >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, >>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >>>> >>>> >>>> >>>> -- >>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, >>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >>> >>> >>> >>> -- >>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>> Princeton University | ICBM Address: 40.346344 -74.652242 >>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, >>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >> >> >> >> -- >> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >> Princeton University | ICBM Address: 40.346344 -74.652242 >> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, >> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' > > > > -- > Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci > Princeton University | ICBM Address: 40.346344 -74.652242 > 345 Lewis Library |"On my ship, the Rocinante, wheeling through > Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, > (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project