[Freeipa-devel] [PATCHES] 0191-0195 Use ipaldap in the client installer & password migration

Petr Viktorin pviktori at redhat.com
Tue Mar 12 09:10:08 UTC 2013 

On 03/11/2013 02:56 PM, Martin Kosek wrote:
> On 03/11/2013 01:48 PM, Jan Cholasta wrote:
>> On 11.3.2013 13:43, Petr Viktorin wrote:
>>> On 03/11/2013 01:13 PM, Jan Cholasta wrote:
>>>> On 8.3.2013 14:14, Petr Viktorin wrote:
>>>>> On 03/07/2013 05:42 PM, Jan Cholasta wrote:
>>>>>> Patch 191:
>>>>>>
>>>>>> The patch is missing the ipapython/ipaldap.py file.
>>>>
>>>> On 7.3.2013 18:29, Petr Viktorin wrote:
>>>>  > It's there, it's just copied from ipaserver/ipaldap.py with a small
>>>>  > change at the bottom.
>>>>
>>>> There is no sign of the file, except in the patch header and the patch
>>>> cannot be applied with git am nor with git apply. But perhaps I'm doing
>>>> something wrong.
>>>
>>> Attaching a re-formatted version of the patch.
>>>
>>> [...]
>>>> ACK.
>>>>
>>>> Honza
>>>>
>>>
>>>
>>
>> ACK for real.
>>
>> Honza
>>
>
> I would not want to rush this, I still see errors:
>
> 1) ipa-ldap-updater is broken:
>
> # ipa-ldap-updater --upgrade
> Upgrading IPA:
>    [1/8]: stopping directory server
>    [2/8]: saving configuration
>    [3/8]: disabling listeners
>    [4/8]: starting directory server
>    [5/8]: upgrading server
> Upgrade failed with 'NameSpace' object has no attribute 'ldap2'
>    [6/8]: stopping directory server
>    [7/8]: restoring configuration
>    [8/8]: starting directory server
> Done.
> IPA upgrade failed.

Thanks for the catch!

This is a symptom of the fact the plugins attach themselves to the 
default API object as soon as they're imported.
Before, ipaldap imported ldap2, so the ldap2 server plugin was magically 
available whenever ipaldap was imported before.
Now, ldap2 needs to be imported explicitly if api.Backend.ldap2 needs to 
be available.

> 2) What's the purpose of this new error?
>
> +class DatabaseTimeout(DatabaseError):
> +    """
> +    **4211** Raised when an LDAP call times out
> +
> +    For example:
> +
> +    >>> raise DatabaseTimeout()
> +    Traceback (most recent call last):
> +      ...
> +    DatabaseTimeout: LDAP timeout
> +    """
> +
> +    errno = 4211
> +    format = _('LDAP timeout')

Thanks for this catch too, I mis-squashed the code to raise it.

> It is not raised anywhere (as far as I can see). BTW I assume it is not
> related to errors.LimitsExceeded in any way, right?

No, it's timeout in the client↔server communication rather than the LDAP 
operation. It wraps ldap.TIMEOUT rather than ldap.TIMELIMIT_EXCEEDED.

> 3) Client installation no longer works if the server has disabled
> anonymous authentication:
>
> # ipa-client-install
> Error checking LDAP: Inappropriate authentication: Anonymous access is
> not allowed.
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com): ^C

I couldn't reproduce this. But I did find some misleading log messages 
in this case. It work well now.

> 4) I suddenly cannot run some tests, looks like import loop:
>
> # ./make-test tests/test_xmlrpc/test_host_plugin.py
> /usr/bin/nosetests -v --with-doctest --doctest-tests --exclude=plugins
> tests/test_xmlrpc/test_host_plugin.py
> Failure: ImportError (cannot import name ipautil) ... ERROR
>
> ======================================================================
> ERROR: Failure: ImportError (cannot import name ipautil)
> ----------------------------------------------------------------------
> Traceback (most recent call last):
>    File "/usr/lib/python2.7/site-packages/nose/loader.py", line 390, in
> loadTestsFromName
>      addr.filename, addr.module)
>    File "/usr/lib/python2.7/site-packages/nose/importer.py", line 39, in
> importFromPath
>      return self.importFromDir(dir_path, fqname)
>    File "/usr/lib/python2.7/site-packages/nose/importer.py", line 86, in
> importFromDir
>      mod = load_module(part_fqname, fh, filename, desc)
>    File "/root/freeipa-master/tests/test_xmlrpc/test_host_plugin.py",
> line 27, in <module>
>      from ipapython import ipautil
>    File "/root/freeipa-master/ipapython/ipautil.py", line 52, in <module>
>      from ipalib import errors
>    File "/root/freeipa-master/ipalib/__init__.py", line 930, in <module>
>      api.finalize()
>    File "/root/freeipa-master/ipalib/plugable.py", line 674, in finalize
>      self.__do_if_not_done('load_plugins')
>    File "/root/freeipa-master/ipalib/plugable.py", line 454, in
> __do_if_not_done
>      getattr(self, name)()
>    File "/root/freeipa-master/ipalib/plugable.py", line 613, in
> load_plugins
>      self.import_plugins('ipalib')
>    File "/root/freeipa-master/ipalib/plugable.py", line 655, in
> import_plugins
>      __import__(fullname)
>    File "/root/freeipa-master/ipalib/plugins/cert.py", line 30, in <module>
>      from ipalib import pkcs10
>    File "/root/freeipa-master/ipalib/pkcs10.py", line 24, in <module>
>      from ipapython import ipautil
> ImportError: cannot import name ipautil

Gasp... I have no idea how we didn't catch this earlier.
Simplifying a bit, it's partly due to the fact that ipalib does a lot of 
work on import in __init__ -- including loading plugins that assume 
ipalib's already set up.

I've deferred the import, and added a FIXME.


Thank you for retesting!
Updated patches attached.

-- 
Petr³

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0191.3-Move-ipaldap-to-ipapython.patch
Type: text/x-patch
Size: 140395 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130312/02b0856e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0192.3-Remove-ipaserver-ipaldap.py.patch
Type: text/x-patch
Size: 12374 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130312/02b0856e/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0193.3-Use-IPAdmin-rather-than-raw-python-ldap-in-ipa-clien.patch
Type: text/x-patch
Size: 6690 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130312/02b0856e/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0194.3-Use-IPAdmin-rather-than-raw-python-ldap-in-migration.patch
Type: text/x-patch
Size: 20118 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130312/02b0856e/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0195.3-Remove-unneeded-python-ldap-imports.patch
Type: text/x-patch
Size: 11302 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130312/02b0856e/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0196.3-Don-t-download-the-schema-in-ipadiscovery.patch
Type: text/x-patch
Size: 1257 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130312/02b0856e/attachment-0005.bin>

More information about the Freeipa-devel mailing list