artinsolutions / midpoint-connector-freeipa

Polygon/ConnId connector for FreeIPA
Apache License 2.0
1 star, 2 forks

No connection to IPA - failure to retrieve JSON #3

Open PabloVed opened 2 years ago

PabloVed commented 2 years ago

Hello,

I'm trying to connect FreeIPA 4.8.6 (API_VERSION: 2.236) with midPoint 4.4 using this connector, version 1.0.1.0. Currently stuck at the following:

Operation Connector initialization (Ucf) Message org.json.JSONException(A JSONObject text must begin with '{' at 1 [character 2 line 1]) Context connector [connector:e38e3004-dcac-4615-b407-58ef66659787(ConnId io.artin.idm.connector.freeipa.FreeIpaConnector v1.0.1.0)] implementationClass [class com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnectorFactoryConnIdImpl] Error org.json.JSONException(A JSONObject text must begin with '{' at 1 [character 2 line 1])

Connector configuration:

rest.config.trustAllCertificates: True
password.display: password is set
serviceAddress.display: https://10.20.0.8/ipa
authMethod.display: NONE
username.display: idm

According to the TRACE message:

2022-01-22 09:57:19,908 [] [http-nio-8080-exec-4] TRACE (io.artin.idm.connector.freeipa.FreeIpaConnector): method: null msg:Result body: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://example.com/ipa/session/json">here</a>.</p>
<hr>
<address>Apache/2.4.46 (Unix) mod_auth_gssapi/1.6.1 OpenSSL/1.1.1k mod_wsgi/4.6.5 Python/3.7 Server at 10.20.0.8 Port 443</address>
</body></html>

But if I change the serviceAddress.display parameter to match the link to the JSON endpoint (and it redirects to another location a couple of times), in the end I receive the following:

2022-01-22 10:02:25,125 [] [http-nio-8080-exec-1] INFO (com.evolveum.midpoint.provisioning.impl.ConnectorManager): Created new connector instance for ConnectorSpec(resource:d84f7f0d-19f2-4f9c-822a-a999a47856ff(FreeIPA), name=null, oid=e38e3004-dcac-4615-b407-58ef66659787): io.artin.idm.connector.freeipa.FreeIpaConnector v1.0.1.0
2022-01-22 10:02:25,128 [] [http-nio-8080-exec-1] DEBUG (io.artin.idm.connector.freeipa.FreeIpaConnector): method: null msg:Initializing FreeIpaConnector connector instance io.artin.idm.connector.freeipa.FreeIpaConnector@58de7f07
2022-01-22 10:02:25,129 [] [http-nio-8080-exec-1] DEBUG (io.artin.idm.connector.freeipa.FreeIpaConnector): method: null msg:json request: 
{"method":"schema","id":"0","params":[[],{"version":"2.117"}]}
2022-01-22 10:02:25,142 [] [http-nio-8080-exec-1] WARN (io.artin.idm.connector.freeipa.FreeIpaConnector): method: null msg:401 - no cookie detected need to connect
2022-01-22 10:02:25,157 [] [http-nio-8080-exec-1] WARN (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): Got ConnId exception (might be handled by upper layers later) java.lang.IndexOutOfBoundsException in connector:e38e3004-dcac-4615-b407-58ef66659787(ConnId io.artin.idm.connector.freeipa.FreeIpaConnector v1.0.1.0): ConnectorSpec(resource:d84f7f0d-19f2-4f9c-822a-a999a47856ff(FreeIPA), name=null, oid=e38e3004-dcac-4615-b407-58ef66659787): Index 0 out of bounds for length 0, reason: Index 0 out of bounds for length 0 (class java.lang.IndexOutOfBoundsException)
2022-01-22 10:02:25,157 [] [http-nio-8080-exec-1] INFO (com.evolveum.midpoint.provisioning.impl.ResourceOperationalStateManager): Availability status set to BROKEN for resource d84f7f0d-19f2-4f9c-822a-a999a47856ff because testing connection using ConnectorSpec(resource:d84f7f0d-19f2-4f9c-822a-a999a47856ff(FreeIPA), name=null, oid=e38e3004-dcac-4615-b407-58ef66659787) failed while testing configuration: Index 0 out of bounds for length 0

Unabridged TRACE log attached. Ipa_connector.log

gpalos commented 2 years ago

Hi Pablo, I created a new section ##Debugging in the documentation. Can you please verify that the IPA user used for midPoint has the required permissions and does not need to change its password at first logon? We tested the current connector with MP v4.4 and it is working well with an older FreeIPA version.

PabloVed commented 2 years ago

Okay, did a bit of digging around with the help of @gpalos. Managed to make my connector work correctly. Will post my findings here, in case some lost soul has the same problem.

1) In connector options, option serviceAddress.display: instead of the IP address of FreeIPA, better use the FQDN of the IPA server (https://ipa.example.com/ipa).
2) Before testing the connection on the midPoint side, locate and edit ipa-rewrite.conf (in my case /etc/httpd2/conf/extra-enabled/ipa-rewrite.conf). Add # at the start of every line with the 301 error. This will kill the IPA web interface, but we'll fix it after testing a successful connection. Restart IPA with the ipactl restart command. (I don't think this whole step is really necessary, but I did it just to make sure nothing interferes with the connector.)
3) Test the connection for FreeIPA, fix connector options if necessary. You must connect successfully.
4) Run ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif and 'systemctl restart httpd2.service' to disable the Kerberos proxy for LDAP. As I understand, this might be the source of the problem: the connector currently does not handle Kerberos.
5) Revert the changes made in step 2, because having a working FreeIPA web interface is nice. :) Don't forget to ipactl restart.
6) Test the connector on the midPoint side, check if you can access the FreeIPA web interface, check if users from midPoint are correctly provisioned to FreeIPA.
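A small preflight check that reproduces the diagnosis reached in this thread, as an added example that is not the connector's own code: it takes the HTTP status and body that a FreeIPA JSON-RPC call returned and says whether the body is usable JSON, an ipa-rewrite.conf redirect to the canonical FQDN (the HTML body from the TRACE log above, which is what produces the "A JSONObject text must begin with '{'" exception), or a 401 login failure. The sample bodies are constructed; the suggested serviceAddress form (https://<fqdn>/ipa) is assumed from the connector configuration shown above.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample inputs (not from the connector). The redirect page is the
# body the TRACE log above shows when serviceAddress points at the IP address.
REDIRECT_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://example.com/ipa/session/json">here</a>.</p>
<hr>
</body></html>"""

# Constructed sample of a successful FreeIPA JSON-RPC reply (field layout assumed).
JSON_BODY = ('{"result": {"summary": null, "result": {}}, "error": null, '
             '"id": "0", "principal": "idm@EXAMPLE.COM", "version": "4.8.6"}')

HREF_RE = re.compile(r'href="([^"]+)"')


def diagnose_ipa_response(service_address: str, status: int, body: str) -> dict:
    """Explain why a FreeIPA JSON-RPC call did or did not return usable JSON.

    service_address is the connector's serviceAddress setting, status the HTTP
    status code, body the response body. Returns a dict with 'ok' and 'reason';
    for redirects it also reports the configured host, the host the server
    redirected to, and the serviceAddress that would avoid the redirect.
    """
    text = body.lstrip()
    if status == 401:
        # The connector logs "401 - no cookie detected" here: the session login
        # was rejected, so check the IPA user's permissions and password-expiry state.
        return {"ok": False, "reason": "401 from IPA: session login rejected"}
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            return {"ok": False, "reason": f"malformed JSON: {exc}"}
        if doc.get("error"):
            return {"ok": False, "reason": f"IPA returned an error: {doc['error']}"}
        return {"ok": True, "reason": "JSON-RPC reply parsed"}
    # Anything else is what triggers org.json's "A JSONObject text must begin with '{'".
    if status in (301, 302) or "Moved Permanently" in text:
        match = HREF_RE.search(text)
        target = urlparse(match.group(1)) if match else None
        configured = urlparse(service_address)
        # Assumed: the connector wants the base URL ending in /ipa and appends the
        # JSON-RPC path itself, so suggest the redirect host with that base path.
        suggested = f"https://{target.hostname}/ipa" if target and target.hostname else None
        return {
            "ok": False,
            "reason": ("HTTP redirect instead of JSON: FreeIPA's ipa-rewrite.conf redirects "
                       "requests whose Host header is not the server's canonical FQDN"),
            "configured_host": configured.hostname,
            "redirect_host": target.hostname if target else None,
            "suggested_service_address": suggested,
        }
    return {"ok": False, "reason": "non-JSON body", "snippet": text[:60]}


if __name__ == "__main__":
    print(diagnose_ipa_response("https://10.20.0.8/ipa", 301, REDIRECT_BODY))
    print(diagnose_ipa_response("https://ipa.example.com/ipa", 200, JSON_BODY))
```

Feeding it the logged body with the IP-based serviceAddress reports the mismatch between the configured host (10.20.0.8) and the redirect host, which is exactly the fix in step 1; the same function run against a real reply captured from the connector's TRACE log tells you at a glance which of the three failure modes you are in.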

Desperion commented 1 year ago

Found this thread while having the same issue, but these steps didn't help :( Getting the "Index 0 out of bounds for length 0" exception, just like the one mentioned above.

PabloVed commented 1 year ago

Hello there! Sadly, I won't be able to check: after the start of the war I got relocated and rehired to another project.

As far as I remember - we made it work thanks to your help.

But it is great to hear you've updated it.
