Awesome! Thank you. On Wed, Feb 1, 2017 at 12:05 PM, Florence Blanc-Renaud <f...@redhat.com> wrote: > On 02/01/2017 05:47 PM, Steve Huston wrote: >> >> Would it be better to file this as a new bug, or reopen 4291? >> > Hi, > > we are already aware of the problem and working on a fix (please see > https://bugzilla.redhat.com/show_bug.cgi?id=1398600 and > https://fedorahosted.org/freeipa/ticket/6575). > > HTH, > Flo. > > >> On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston >> <hus...@astro.princeton.edu> wrote: >>> >>> Seems like this is to blame: >>> https://fedorahosted.org/freeipa/ticket/4291 >>> >>> The checkin says, "Installation in pure IPv6 environment failed >>> because pki-tomcat tried to use >>> IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 >>> fixes this issue." However it would seem that in a pure IPv4 >>> environment, this is causing tomcat to fail to load. >>> >>> On Tue, Jan 31, 2017 at 4:36 PM, Steve Huston >>> <hus...@astro.princeton.edu> wrote: >>>> >>>> What defines the contents of /var/lib/pki/pki-tomcat/conf/server.xml? >>>> >>>> <!-- Define an AJP 1.3 Connector on port 8009 --> >>>> >>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" >>>> address="::1" /> >>>> >>>> Doesn't work so well on a host without IPv6 turned on... >>>> >>>> Jan 31 14:26:59 ipa server: PKIListener: >>>> org.apache.catalina.core.StandardServer[before_init] >>>> Jan 31 14:27:00 ipa server: SEVERE: Failed to initialize end point >>>> associated with ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"] >>>> Jan 31 14:27:00 ipa server: java.net.SocketException: Protocol family >>>> unavailable >>>> >>>> On Fri, Jan 27, 2017 at 4:23 PM, Steve Huston >>>> <hus...@astro.princeton.edu> wrote: >>>>> >>>>> Stranger, I did an install on a different VM with the CentOS 7 minimal >>>>> ISO, then installed ipa-server and enough things to get X11 and >>>>> Firefox, ran ipa-server-install and it worked fine. I tested with >>>>> Firefox (and Safari) against my failing installation and it still >>>>> fails. So there's something else different that's causing it to >>>>> break. Will continue investigating, but if someone knows why the UI >>>>> would break this way it would be helpful to know where to look! >>>>> >>>>> On Thu, Jan 26, 2017 at 11:53 AM, Steve Huston >>>>> <hus...@astro.princeton.edu> wrote: >>>>>> >>>>>> Just did it again with the same result. Reinstalled the machine, then >>>>>> did a 'yum install ipa-server python2-ipaserver httpd' which pulled in >>>>>> version 4.4.0-14.el7_3.4 and a bunch of other packages. Next was the >>>>>> ipa-server-install as I used before, only without --mkhomedir this >>>>>> time. After entering the passwords for directory administrator and >>>>>> the admin user, I then logged in to the web interface, immediately >>>>>> clicked "add" and added a user 'foobar'. When I clicked "add and >>>>>> edit" and was brought to the user information page, it looks like this >>>>>> at the bottom: >>>>>> >>>>>> >>>>>> https://www.dropbox.com/s/e67j8rdaq9wvkni/Screenshot%202017-01-26%2011.33.03.png?dl=0 >>>>>> >>>>>> I then entered an employee number of '0001' just to give something to >>>>>> save, and clicked save. The screen now shows this (I've clicked the >>>>>> drop-down on the manager field so the choices are visible): >>>>>> >>>>>> >>>>>> https://www.dropbox.com/s/oxmqwf2rsz15grd/Screenshot%202017-01-26%2011.33.58.png?dl=0 >>>>>> >>>>>> Holding shift and clicking reload, the page now looks like this (the >>>>>> employee number field is also blank again): >>>>>> >>>>>> >>>>>> https://www.dropbox.com/s/f8ptycnetvsxjnb/Screenshot%202017-01-26%2011.35.03.png?dl=0 >>>>>> >>>>>> Since we do run a repackaged distribution here (Springdale Linux), I >>>>>> just unpacked ipa-server-common from our repository with the above >>>>>> version, and >>>>>> http://mirror.centos.org/centos/7/updates/x86_64/Packages/ipa-server-common-4.4.0-14.el7.centos.4.noarch.rpm, >>>>>> and 'diff' found zero differences between them. Unlikely, but I >>>>>> wanted to rule out a packaging error causing the problem. >>>>>> >>>>>> On Wed, Jan 25, 2017 at 4:12 PM, Steve Huston >>>>>> <hus...@astro.princeton.edu> wrote: >>>>>>> >>>>>>> No, that should be all of the major changes; the puppet module that >>>>>>> installs things only puts the two plugin files in their respective >>>>>>> places. The client part of the IPA module makes changes to have the >>>>>>> machine join the domain and whatnot, but those shouldn't affect the >>>>>>> webui. >>>>>>> >>>>>>> I do modify the schema by adding some attribute types for Puppet, >>>>>>> namely puppetClass, parentNode, environment, puppetVar, and the >>>>>>> object >>>>>>> class puppetClient. That's basically right from one of the Puppet >>>>>>> webpages and also worked in the past - and is one of the things the >>>>>>> python plugin does, add the appropriate objectclass to host entries >>>>>>> if >>>>>>> puppetVar is added to a host entry. >>>>>>> >>>>>>> My steps to install: >>>>>>> * ipa-server-install --realm=<realm> --domain=<domain> --mkhomedir >>>>>>> --hostname=<hostname> --no-host-dns >>>>>>> * ldapmodify -ZZ -h localhost -x -D 'cn=Directory Manager' -W >>>>>>> < paste puppet schema changes> >>>>>>> < paste DN entry for uid=hostadder,cn=sysaccounts,cn=etc... - a >>>>>>> service account used by puppet for adding hosts to IPA > >>>>>>> * login to web UI >>>>>>> * * Change home directory base, default shell, default SELinux user >>>>>>> * * Add SELinux user map for staff/sysadmin users >>>>>>> * * Add "user adder" permission/privilege/role for users who will be >>>>>>> able to create stageusers >>>>>>> >>>>>>> That's about as far as I got before I realized some of the plugin >>>>>>> pieces weren't working, and then fixed the python plugin followed by >>>>>>> working on the UI plugin and finding this problem. I'll go wipe and >>>>>>> reinstall the system again and walk through the steps, but test the >>>>>>> UI >>>>>>> first and in between to see if I can find which of the steps might be >>>>>>> causing things to hiccup. >>>>>>> >>>>>>> On Wed, Jan 25, 2017 at 1:42 PM, Pavel Vomacka <pvoma...@redhat.com> >>>>>>> wrote: >>>>>>>> >>>>>>>> Hello Steve, >>>>>>>> >>>>>>>> I tried to reproduce what you described on the very same version of >>>>>>>> ipa-server and I was not successful. Actually I was not used your >>>>>>>> back-end >>>>>>>> plugin. I tried it with no plugin and then with your UI plugin and >>>>>>>> both >>>>>>>> worked correctly. Did you do any other changes somewhere in your >>>>>>>> installation? >>>>>>>> >>>>>>>> I will try it again also with your Python plugin and we'll see. >>>>>>>> >>>>>>>> >>>>>>>> On 01/24/2017 08:59 PM, Steve Huston wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> And now I'm convinced this has nothing to do with my plugin and >>>>>>>>> instead is a bug somewhere in FreeIPA. >>>>>>>>> >>>>>>>>> I removed the entirety of the "astrocustom" plugin that I wrote, >>>>>>>>> restarted httpd, and force reloaded the page in chrome. I clicked >>>>>>>>> to >>>>>>>>> add a new user, gave the basic information, and clicked "add and >>>>>>>>> edit". The bottom of the page shows the "Employee information" on >>>>>>>>> the >>>>>>>>> left side bottom, and the manager drop-down is empty. I entered >>>>>>>>> '1' >>>>>>>>> in the "employee type" field and clicked save, and now "Employee >>>>>>>>> Information" is on the right side directly under "Contact >>>>>>>>> settings", >>>>>>>>> and the manager drop-down is populated with the list of UIDs on the >>>>>>>>> system. >>>>>>>>> >>>>>>>>> When the UI is in the failed state, the "email address" field is >>>>>>>>> also >>>>>>>>> blank, but when things switch to how they should be (after >>>>>>>>> submitting >>>>>>>>> a change) it is populated with the email address in the record. I >>>>>>>>> just tested by adding a telephone number to the record, and that >>>>>>>>> also >>>>>>>>> made the contact information and employee information facets >>>>>>>>> refresh >>>>>>>>> with the proper data. Pressing shift-reload again makes all the >>>>>>>>> information disappear (including the telephone number I just >>>>>>>>> entered). >>>>>>>>> >>>>>>>>> This is with ipa-server-4.4.0-14.el7_3.4 >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, Jan 23, 2017 at 1:55 PM, Steve Huston >>>>>>>>> <hus...@astro.princeton.edu> wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Just tested again, and this is still baffling: >>>>>>>>>> >>>>>>>>>> * Create a stage user with the right data, works fine, can be >>>>>>>>>> edited. >>>>>>>>>> * Enable that user, and now the two fields ('manager' and >>>>>>>>>> 'employeeType') appear to have bogus data in the UI, and I cannot >>>>>>>>>> save >>>>>>>>>> the page without changing them to something else. >>>>>>>>>> * Once that user is saved, the "Employee Information" facet moves >>>>>>>>>> to >>>>>>>>>> the right side of the page, and now shows not only the current >>>>>>>>>> data in >>>>>>>>>> the manager drop down but also the other choices (uids). Change >>>>>>>>>> the >>>>>>>>>> value of manager and employeetype back to what they were >>>>>>>>>> previously >>>>>>>>>> and it saves. >>>>>>>>>> * An ldapsearch run when the user is first created (as the >>>>>>>>>> directory >>>>>>>>>> manager), and after having two edits (one to change the values to >>>>>>>>>> something else to let the webui save them, and one to change them >>>>>>>>>> back >>>>>>>>>> to what they should be and were the first time) produce completely >>>>>>>>>> identical results. >>>>>>>>>> * The output of "ipa user-show <uid> --all --raw" is also >>>>>>>>>> identical at >>>>>>>>>> those same steps. >>>>>>>>>> >>>>>>>>>> So something, somewhere, is being saved in a way that prevents the >>>>>>>>>> webui from displaying them properly, that gets fixed when those >>>>>>>>>> values >>>>>>>>>> are manually changed via the webui. >>>>>>>>>> >>>>>>>>>> On Thu, Jan 19, 2017 at 2:44 PM, Steve Huston >>>>>>>>>> <hus...@astro.princeton.edu> wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Even more interesting... >>>>>>>>>>> >>>>>>>>>>> I tried to modify one of the records that was not displaying >>>>>>>>>>> properly >>>>>>>>>>> in the "active users" group, and sure enough the webui complained >>>>>>>>>>> that >>>>>>>>>>> the "Requested By" (relabeled "manager") field was not filled in >>>>>>>>>>> since >>>>>>>>>>> it was blank. It also, however, complained that the "User tier" >>>>>>>>>>> (relabeled "employeetype") was incorrect, even though it showed >>>>>>>>>>> the >>>>>>>>>>> label associated with the value 1. I clicked the search >>>>>>>>>>> drop-down for >>>>>>>>>>> manager, typed in my own uid, and even though everything had been >>>>>>>>>>> blank in the drop down before now my uid showed up. I clicked on >>>>>>>>>>> it, >>>>>>>>>>> and my uid was now in the manager field. I then clicked the drop >>>>>>>>>>> down >>>>>>>>>>> for employeetype, and chose one of the other options. I was now >>>>>>>>>>> able >>>>>>>>>>> to save the changes to the record. >>>>>>>>>>> >>>>>>>>>>> Upon reloading the page, the "Employee Information" facet now >>>>>>>>>>> shoed up >>>>>>>>>>> on the right side bottom, instead of the left side bottom where >>>>>>>>>>> it was >>>>>>>>>>> appearing. I was also now able to change the drop-down fields >>>>>>>>>>> for >>>>>>>>>>> manager and employeetype to another value, and save them, and >>>>>>>>>>> they >>>>>>>>>>> worked fine even filling in all the data that should have been >>>>>>>>>>> there. >>>>>>>>>>> This almost seemed like the data being returned by the server was >>>>>>>>>>> flawed somehow, and confusing the webui, but once it was forced >>>>>>>>>>> to >>>>>>>>>>> have the right data and re-saved it worked fine subsequently. >>>>>>>>>>> >>>>>>>>>>> I looked at the output of "ipa user-show <uid> --all --raw" both >>>>>>>>>>> before and after making such changes on a user, and can detect no >>>>>>>>>>> difference between them. >>>>>>>>>>> >>>>>>>>>>> On Thu, Jan 19, 2017 at 1:14 PM, Alexander Bokovoy >>>>>>>>>>> <aboko...@redhat.com> >>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On to, 19 tammi 2017, Steve Huston wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy >>>>>>>>>>>>> <aboko...@redhat.com> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> In short, FreeIPA 4.2 -> 4.4 change was by splitting server >>>>>>>>>>>>>> and >>>>>>>>>>>>>> client >>>>>>>>>>>>>> side plugins into different paths (ipaserver/plugins and >>>>>>>>>>>>>> ipaclient/plugins instead of being common in ipalib/plugins). >>>>>>>>>>>>>> The >>>>>>>>>>>>>> client >>>>>>>>>>>>>> code was also changed to always read metadata about API from >>>>>>>>>>>>>> the >>>>>>>>>>>>>> server >>>>>>>>>>>>>> side. This means the client can adopt to any server version >>>>>>>>>>>>>> that >>>>>>>>>>>>>> supports API metadata. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Right, and I think that the most of the plugin I had belongs >>>>>>>>>>>>> server-side; in fact, that's where I migrated it to, and things >>>>>>>>>>>>> work >>>>>>>>>>>>> fine. I haven't tested if I can change those values with the >>>>>>>>>>>>> cli, but >>>>>>>>>>>>> I'm less concerned about that at the moment. >>>>>>>>>>>>> >>>>>>>>>>>>>> In my sample external plugin you referenced above you can see >>>>>>>>>>>>>> that I >>>>>>>>>>>>>> have client-side change that replaces an input string by a >>>>>>>>>>>>>> file >>>>>>>>>>>>>> reference so that a file can supplied instead of typing the >>>>>>>>>>>>>> content >>>>>>>>>>>>>> of >>>>>>>>>>>>>> the file on the command line. This is one of most used >>>>>>>>>>>>>> patterns for >>>>>>>>>>>>>> client side plugins. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> In this case, my biggest problem is with the web UI. The >>>>>>>>>>>>> 'manager' >>>>>>>>>>>>> drop down (which I have renamed through the UI plugins to >>>>>>>>>>>>> "Requested >>>>>>>>>>>>> By" to show what user requested and is responsible for this >>>>>>>>>>>>> account) >>>>>>>>>>>>> works fine in the 'add/modify stageuser' context, but not at >>>>>>>>>>>>> all in >>>>>>>>>>>>> the adduser/moduser context, and I can't seem to find out why. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I'll defer answer for this to our web UI wizards but they would >>>>>>>>>>>> need to >>>>>>>>>>>> see your code to help, I'd guess. >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> / Alexander Bokovoy >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & >>>>>>>>>>> Astrophysical Sci >>>>>>>>>>> Princeton University | ICBM Address: 40.346344 >>>>>>>>>>> -74.652242 >>>>>>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling >>>>>>>>>>> through >>>>>>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of >>>>>>>>>>> Cygnus, >>>>>>>>>>> (267) 793-0852 | headlong into mystery." -Rush, >>>>>>>>>>> 'Cygnus X-1' >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical >>>>>>>>>> Sci >>>>>>>>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>>>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling >>>>>>>>>> through >>>>>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of >>>>>>>>>> Cygnus, >>>>>>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus >>>>>>>>>> X-1' >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Pavel^3 Vomacka >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical >>>>>>> Sci >>>>>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of >>>>>>> Cygnus, >>>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus >>>>>>> X-1' >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>>>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of >>>>>> Cygnus, >>>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, >>>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >>>> >>>> >>>> >>>> >>>> -- >>>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>>> Princeton University | ICBM Address: 40.346344 -74.652242 >>>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, >>>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >>> >>> >>> >>> >>> -- >>> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci >>> Princeton University | ICBM Address: 40.346344 -74.652242 >>> 345 Lewis Library |"On my ship, the Rocinante, wheeling through >>> Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, >>> (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' >> >> >> >> >
-- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project