ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Error Contacting FreeIPA #53

Closed kiranshila closed 4 years ago

kiranshila commented 4 years ago

Opening a new issue for this:

I can create users, and I see them get populated in FreeIPA, but when I try to log in, the site pauses for a bit and displays "Error contacting FreeIPA".

I spent about a day yesterday trying to get it to work after struggling trying to get PWM to work, but failing on getting the LDAP schemas to register.

Things I have tried

I have run this on both the same IPA server and an IPA client. While running on the IPA server, I could not access the panel remotely, a la #44.

On the client, I could bring up the panel and things seemed to work at first, but I couldn't register users. I had a problem with the encryption key and saw your comments in some other issues on how to generate them.

Updating the encryption keys, I got to the place where I am now, where I just get the cryptic message at the top and zero logs, even in debug mode.

The IP is bound to 0.0.0.0 as it is just running on an Ubuntu client VM on my network.

I have tried the latest rpm release as well as building from source. By the way, it doesn't seem to compile with go v1.14.

aebruno commented 4 years ago

What freeipa version are you running? What distro is the freeipa server running on?

kiranshila commented 4 years ago

FreeIPA 4.8.6 on Fedora 31

aebruno commented 4 years ago

> FreeIPA 4.8.6 on Fedora 31

Great, thanks. We do most all of our testing/development on FreeIPA versions shipped with RHEL/CentOS which is currently FreeIPA version 4.6.6. If it's possible, I suggest using this version with mokey as it will be much better supported.

I'll try testing mokey out on a fedora vm running 4.8.6 and see if I can reproduce your issue.

kiranshila commented 4 years ago

Thank you for testing! I'm just running a little intranet for my business of less than 10 people, not a big corporate environment or anything, so I have just been updating it when a new version comes out.

aebruno commented 4 years ago

> By the way, it doesn't seem to compile with go v1.14.

This is building fine for me with go 1.14.4:

$ go version
go version go1.14.4 linux/amd64

What errors are you seeing?

kiranshila commented 4 years ago

Oh weird, I can try to run it again, but rolling back to 1.13 worked for me. I can chalk that one up to user configuration error on my part and take your word for it that it does in fact work on 1.14.

kiranshila commented 4 years ago

@aebruno Any success on the fedora vm?

aebruno commented 4 years ago

@kiranshila Are you running mokey on the same host as your freeipa server?

kiranshila commented 4 years ago

No I was not, I could not get the page to load when accessed from an external machine. I made a new VM ipa client just to run it.

aebruno commented 4 years ago

I ran some quick tests on CentOS 8 running FreeIPA version 4.8.4 and all works fine for me. I was able to create users and log in. So we may have to do some more digging. Can you verify that the file /etc/ipa/default.conf exists and contains the following lines:

server = freepia-test.test.yourdomain.com
realm = TEST.YOUR.DOMAIN.COM

Also, just to confirm:

  1. You can get to mokey (i.e. the home page loads with the login form)

  2. You can successfully sign up a new user?

  3. After that you can't login? The page just hangs?
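
The check requested in the comment above can be scripted. This is an added example, not part of the thread or of mokey's code: it parses the text of an IPA client `default.conf`, confirms `server` and `realm` are set, and adds two sanity checks that are assumptions of this example (upper-case realm, `xmlrpc_uri` on https and pointing at `server`). The sample file and its `example.test` names are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample, modelled on the layout ipa-client-install writes.
SAMPLE = """\
#File modified by ipa-client-install

[global]
basedn = dc=lab,dc=example,dc=test
realm = LAB.EXAMPLE.TEST
domain = lab.example.test
server = ipa.lab.example.test
host = mokey.lab.example.test
xmlrpc_uri = https://ipa.lab.example.test/ipa/xml
enable_ra = True
"""

def check_ipa_conf(text):
    """Return a list of problems found in an IPA client default.conf."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable: {exc}"]
    if not cp.has_section("global"):
        return ["missing [global] section"]
    g = cp["global"]
    problems = []
    # The two settings the maintainer asks about in the thread.
    for key in ("server", "realm"):
        if not g.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    # Extra checks below are assumptions of this example, not from the thread.
    realm = g.get("realm", "")
    if realm and realm != realm.upper():
        problems.append("realm is not upper case")
    uri = g.get("xmlrpc_uri", "")
    if uri:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            problems.append("xmlrpc_uri is not https")
        if g.get("server") and parts.hostname != g["server"].lower():
            problems.append("xmlrpc_uri host differs from server")
    return problems

if __name__ == "__main__":
    # On a real client, pass open("/etc/ipa/default.conf").read() instead.
    print(check_ipa_conf(SAMPLE) or "ok")
```

An empty list means the file passes these checks; it does not prove the FreeIPA server itself is reachable.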

kiranshila commented 4 years ago

Yep, contents look good for the ipa conf

#File modified by ipa-client-install

[global]
basedn = dc=lab,dc=gondor,dc=dev
realm = LAB.GONDOR.DEV
domain = lab.gondor.dev
server = ipa.lab.gondor.dev
host = mokey.lab.gondor.dev
xmlrpc_uri = https://ipa.lab.gondor.dev/ipa/xml
enable_ra = True

I register a new user, and it works fine. I check in the FreeIPA panel and I can see the added user. I then go to log in with the same user and password and get this:

[image]

kiranshila commented 4 years ago

And there are no logs, even with --debug, upon login failure.

kiranshila commented 4 years ago

When I type in the wrong password, it gives an invalid password error and logs it appropriately, so it is validating the password.

aebruno commented 4 years ago

Great, thanks for the additional info.

kiranshila commented 4 years ago

Thanks for helping! I feel like we're close to figuring this out. Please let me know if you want me to test anything.

aebruno commented 4 years ago

I can reproduce this on Fedora 31 with FreeIPA version 4.8.6. Give me a few days to sort out a fix and the best way to support the newer versions of FreeIPA while maintaining compatibility with RHEL/CentOS.

kiranshila commented 4 years ago

Ooh interesting, implying it might be a Fedora issue?

aebruno commented 4 years ago

Just released v0.5.4. Can you test this out and see if it fixes your issue? This version works well for me on fedora 31 with freeipa v4.8.6.

Thanks again for your help debugging this.

kiranshila commented 4 years ago

Fixed! Incredible work, thank you so much!

tim-skillcafe commented 3 years ago

For info: have tested 0.5.6-1.el7.x86_64 on a Fedora 34 VM (school lab) and in a F34 Docker container (home lab). Works nicely.