[LDAP] Does LDAPUserFolder work with Zope 2.6.0?
Can anybody confirm that LDAPUserFolder (1.6 beta 2) works ok with Zope 2.6.0? The docs mention it working with 2.5, but make no mention of 2.6. I am having some major issues (described below), which seem to stop me from being able to run it at all.
I am running RedHat 7.3, openldap-clients-2.0.23-4, python-ldap-2.0.0pre06, and am trying to use LDAPUserFolder 1.6 beta 2. I have installed python-ldap for the copy of python included in my zope install, and have verified that I am able to connect to the LDAP server (MS Active Directory in this case), so there are no issues at that level as far as I can tell.
When I try to add an instance of the LDAPUserFolder, pressing the 'add' button results in a 'hang', with my browser never coming back. If I am browsing the zope management tree, and then try to hit the folder with the ldapuserfolder, it also 'hangs'. If I shut down everything, and hit the management url again (coming in completely unauthenticated), then I get the browser id/password popup, and entering in a name and hitting enter will also result in a hang.
I am able to go in via the zope admin/emergency user, and take a look at the ldapuserfolder, which seems to be ok, and kill it, etc.
So as far as I can tell, LDAPUserfolder is simply hanging when it goes in and tries to do a lookup. There is no exception, and nothing put in the log.
Any suggestions would be much appreciated...
Colin
Hi Colin,
On Mon, 25 Nov 2002, Colin Sampaleanu wrote:
Can anybody confirm that LDAPUserFolder (1.6 beta 2) works ok with Zope 2.6.0? The docs mention it working with 2.5, but make no mention of 2.6. I am having some major issues (described below), which seem to stop me from being able to run it at all.
It is working for me (Zope 2.6.0b1 (binary release, python 2.1, linux2-x86), python 2.1.3, linux2).
I am running RedHat 7.3, openldap-clients-2.0.23-4, python-ldap-2.0.0pre06, and am trying to use LDAPUserFolder 1.6 beta 2. I have installed python-ldap for the copy of python included in my zope install, and have verified that I am able to connect to the LDAP server (MS Active Directory in this case), so there are no issues at that level as far as I can tell.
Can you do that with python as well? Does an 'import ldap' work when you use the python your Zope runs with? However, I had to use python-ldap-2.0.0pre03-1.i386.rpm because I am using python 2.1.3.
When I try to add an instance of the LDAPUserFolder, pressing the 'add' button results in a 'hang', with my browser never coming back. If I am browsing the zope management tree, and then try to hit the folder with the ldapuserfolder, it also 'hangs'. If I shut down everything, and hit the management url again (coming in completely unauthenticated), then I get the browser id/password popup, and entering in a name and hitting enter will also result in a hang.
I am able to go in via the zope admin/emergency user, and take a look at the ldapuserfolder, which seems to be ok, and kill it, etc.
So as far as I can tell, LDAPUserfolder is simply hanging when it goes in and tries to do a lookup. There is no exception, and nothing put in the log.
Any suggestions would be much appreciated...
If all else fails: perhaps this one helps: http://www.geocrawler.com/archives/3/1568/2002/6/0/9027164/
Torsten
--
Torsten Gipp, http://www.uni-koblenz.de/~tgi
Universitaet Koblenz-Landau, Institut fuer Softwaretechnik
Postfach 201602 * 56016 Koblenz
Torsten Gipp wrote:
On Mon, 25 Nov 2002, Colin Sampaleanu wrote:
Can anybody confirm that LDAPUserFolder (1.6 beta 2) works ok with Zope 2.6.0? The docs mention it working with 2.5, but make no mention of 2.6. I am having some major issues (described below), which seem to stop me from being able to run it at all.
It is working for me (Zope 2.6.0b1 (binary release, python 2.1, linux2-x86), python 2.1.3, linux2).
I am running RedHat 7.3, openldap-clients-2.0.23-4, python-ldap-2.0.0pre06, and am trying to use LDAPUserFolder 1.6 beta 2. I have installed python-ldap for the copy of python included in my zope install, and have verified that I am able to connect to the LDAP server (MS Active Directory in this case), so there are no issues at that level as far as I can tell.
Can you do that with python as well? Does an 'import ldap' work when you use the python your Zope runs with?
However, I had to use python-ldap-2.0.0pre03-1.i386.rpm because I am using python 2.1.3.
Actually I meant that I am able to connect to it using python-ldap, using the python in my zope. So I can do a search through python-ldap, etc.
When I try to add an instance of the LDAPUserFolder, pressing the 'add' button results in a 'hang', with my browser never coming back. If I am browsing the zope management tree, and then try to hit the folder with the ldapuserfolder, it also 'hangs'. If I shut down everything, and hit the management url again (coming in completely unauthenticated), then I get the browser id/password popup, and entering in a name and hitting enter will also result in a hang.
I am able to go in via the zope admin/emergency user, and take a look at the ldapuserfolder, which seems to be ok, and kill it, etc.
So as far as I can tell, LDAPUserfolder is simply hanging when it goes in and tries to do a lookup. There is no exception, and nothing put in the log.
Any suggestions would be much appreciated...
If all else fails: perhaps this one helps:
Unfortunately I am not running LDAP on the same machine. I did consider the fact that perhaps this was the same issue, but the machine appears responsive otherwise. What is interesting is that after about 10 minutes it _does_ come back, saying that the user/credentials are not valid. So LDAPUserFolder does not necessarily think it has a problem, it just thinks there is an authentication issue. Of course I would say if it takes 10 minutes there is a sever problem somewhere, never mind the fact that the authentication should work..
Colin
On 25 Nov 2002 at 17:07, Colin Sampaleanu wrote:
Unfortunately I am not running LDAP on the same machine. I did consider the fact that perhaps this was the same issue, but the machine appears responsive otherwise. What is interesting is that after about 10 minutes it _does_ come back, saying that the user/credentials are not valid. So LDAPUserFolder does not necessarily think it has a problem, it just thinks there is an authentication issue. Of course I would say if it takes 10 minutes there is a sever problem somewhere, never mind the fact that the authentication should work..
Sounds like there is a firewall between the two systems, configured to drop packets rather than generate an ICMP port unreachable response.
ipchains in the way?
Brad Clements, bkc@murkworks.com (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
AOL-IM: BKClements
Brad Clements wrote:
On 25 Nov 2002 at 17:07, Colin Sampaleanu wrote:
Unfortunately I am not running LDAP on the same machine. I did consider the fact that perhaps this was the same issue, but the machine appears responsive otherwise. What is interesting is that after about 10 minutes it _does_ come back, saying that the user/credentials are not valid. So LDAPUserFolder does not necessarily think it has a problem, it just thinks there is an authentication issue. Of course I would say if it takes 10 minutes there is a sever problem somewhere, never mind the fact that the authentication should work..
Sounds like there is a firewall between the two systems, configured to drop packets rather than generate an ICMP port unreachable response.
ipchains in the way?
No, they're on the same subnet, can see each other fine. And python-ldap comes back from the query immediately, so there is no real ldap issue as far as I can tell, it is some sort of problem between LDAPUserFolder and python-ldap, more likely, or the way the LDAPUserFolder is doing its lookups...
if you know how to use the python debugger you could step through the code (starting in the validate method) to determine exactly where the lag is. strategically placed logging (print statements, logging calls) would also help.
jens
On Monday, Nov 25, 2002, at 18:14 US/Eastern, Colin Sampaleanu wrote:
Brad Clements wrote:
On 25 Nov 2002 at 17:07, Colin Sampaleanu wrote:
Unfortunately I am not running LDAP on the same machine. I did consider the fact that perhaps this was the same issue, but the machine appears responsive otherwise. What is interesting is that after about 10 minutes it _does_ come back, saying that the user/credentials are not valid. So LDAPUserFolder does not necessarily think it has a problem, it just thinks there is an authentication issue. Of course I would say if it takes 10 minutes there is a sever problem somewhere, never mind the fact that the authentication should work..
Sounds like there is a firewall between the two systems, configured to drop packets rather than generate an ICMP port unreachable response.
ipchains in the way?
No, they're on the same subnet, can see each other fine. And python-ldap comes back from the query immediately, so there is no real ldap issue as far as I can tell, it is some sort of problem between LDAPUserFolder and python-ldap, more likely, or the way the LDAPUserFolder is doing its lookups...
Could this be happening because the directory server is returning a search result with a continuation reference? I have been hitting the server with a java program, and have seen that it is returning a search result with one (valid) entry, for the user, but there is also a continuation reference of "" coming back as part of that result. Now looking into this, this is supposed to happen when you do a search against Active Directory which crosses domains, and you are not hitting an Active Directory Catalog Master (basically an instance of the server which has not been set up as a catalog master, having multi-domain information). I am definitely hitting a catalog master, but it is still returning the "" continuation, so something weird is going on. My hunch, in any case (and I may be completely off) is that maybe LDAPUserfolder does not know what to do with the continuation reference. Could this be it?
Jens Vagelpohl wrote:
if you know how to use the python debugger you could step through the code (starting in the validate method) to determine exactly where the lag is. strategically placed logging (print statements, logging calls) would also help.
jens
On Monday, Nov 25, 2002, at 18:14 US/Eastern, Colin Sampaleanu wrote:
Brad Clements wrote:
On 25 Nov 2002 at 17:07, Colin Sampaleanu wrote:
Unfortunately I am not running LDAP on the same machine. I did consider the fact that perhaps this was the same issue, but the machine appears responsive otherwise. What is interesting is that after about 10 minutes it _does_ come back, saying that the user/credentials are not valid. So LDAPUserFolder does not necessarily think it has a problem, it just thinks there is an authentication issue. Of course I would say if it takes 10 minutes there is a sever problem somewhere, never mind the fact that the authentication should work..
Sounds like there is a firewall between the two systems, configured to drop packets rather than generate an ICMP port unreachable response.
ipchains in the way?
No, they're on the same subnet, can see each other fine. And python-ldap comes back from the query immediately, so there is no real ldap issue as far as I can tell, it is some sort of problem between LDAPUserFolder and python-ldap, more likely, or the way the LDAPUserFolder is doing its lookups...
colin, i'd like to take a close look at this. is there any way i could...
a) get access to the box where you run zope so i could step through the LDAPUserFolder code myself (the goal is to determine exactly what it is that the LDAP server does during the "hang")
b) connect to the LDAP server from here with the settings that you use yourself and try to replicate and debug the problem myself
please let me know (off the list)
jens
On Thursday, Nov 28, 2002, at 16:04 US/Eastern, Colin Sampaleanu wrote:
Could this be happening because the directory server is returning a search result with a continuation reference? I have been hitting the server with a java program, and have seen that it is returning a search result with one (valid) entry, for the user, but there is also a continuation reference of "" coming back as part of that result. Now looking into this, this is supposed to happen when you do a search against Active Directory which crosses domains, and you are not hitting an Active Directory Catalog Master (basically an instance of the server which has not been set up as a catalog master, having multi-domain information). I am definitely hitting a catalog master, but it is still returning the "" continuation, so something weird is going on. My hunch, in any case (and I may be completely off) is that maybe LDAPUserfolder does not know what to do with the continuation reference. Could this be it?
Jens Vagelpohl wrote:
if you know how to use the python debugger you could step through the code (starting in the validate method) to determine exactly where the lag is. strategically placed logging (print statements, logging calls) would also help.
jens
On Monday, Nov 25, 2002, at 18:14 US/Eastern, Colin Sampaleanu wrote:
Brad Clements wrote:
On 25 Nov 2002 at 17:07, Colin Sampaleanu wrote:
Unfortunately I am not running LDAP on the same machine. I did consider the fact that perhaps this was the same issue, but the machine appears responsive otherwise. What is interesting is that after about 10 minutes it _does_ come back, saying that the user/credentials are not valid. So LDAPUserFolder does not necessarily think it has a problem, it just thinks there is an authentication issue. Of course I would say if it takes 10 minutes there is a sever problem somewhere, never mind the fact that the authentication should work..
Sounds like there is a firewall between the two systems, configured to drop packets rather than generate an ICMP port unreachable response.
ipchains in the way?
No, they're on the same subnet, can see each other fine. And python-ldap comes back from the query immediately, so there is no real ldap issue as far as I can tell, it is some sort of problem between LDAPUserFolder and python-ldap, more likely, or the way the LDAPUserFolder is doing its lookups...
Colin Sampaleanu writes:
.... When I try to add an instance of the LDAPUserFolder, pressing the 'add' button results in a 'hang', with my browser never coming back. If I am browsing the zope management tree, and then try to hit the folder with the ldapuserfolder, it also 'hangs'. If I shut down everything, and hit the management url again (coming in completely unauthenticated), then I get the browser id/password popup, and entering in a name and hitting enter will also result in a hang.
I have seen this behaviour before.
It has been caused by an ill configured LDAP Userfolder instance. We tracked it down by profiling Zope and we found out that all the time was spent in the "connect" method.
Dieter
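The diagnostics suggested in this thread (time each step to find where the lag is, and check whether the server sends continuation references alongside the entry) can be sketched as below. This is an added example, not part of the original thread and not LDAPUserFolder's code; it assumes a current python-ldap, and the helper names, the 5-second threshold and the sample result are constructed for illustration.

```python
import time

# Constructed sample in the shape python-ldap's search_s() returns: entries are
# (dn, attrs) tuples; a search continuation reference is (None, [ldap_url, ...]).
SAMPLE_RESULT = [
    ("CN=Jane Doe,CN=Users,DC=example,DC=com", {"sAMAccountName": [b"jdoe"]}),
    (None, ["ldap://example.com/CN=Configuration,DC=example,DC=com"]),
]

def time_phases(phases, slow_after=5.0, clock=time.monotonic):
    """Run (name, callable) steps in order and record how long each one took."""
    report = []
    for name, step in phases:
        start = clock()
        try:
            step()
            outcome = "ok"
        except Exception as exc:  # a timeout or bind failure is a result, not a crash
            outcome = type(exc).__name__
        elapsed = clock() - start
        report.append({"phase": name, "seconds": elapsed,
                       "outcome": outcome, "slow": elapsed >= slow_after})
    return report

def split_search_result(result):
    """Separate real entries from continuation references in a search result."""
    entries = [(dn, attrs) for dn, attrs in result if dn is not None]
    references = [url for dn, urls in result if dn is None for url in urls]
    return entries, references

def ldap_phases(uri, bind_dn, password, base, ldap_filter, timeout=5):
    """Build the bind and search steps against a real server (hypothetical helper)."""
    import ldap  # python-ldap, imported lazily so the helpers above work without it
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)  # bound a silent connect
    conn.set_option(ldap.OPT_TIMEOUT, timeout)          # bound each operation
    conn.set_option(ldap.OPT_REFERRALS, 0)              # do not chase referrals
    found = []
    steps = [
        ("bind", lambda: conn.simple_bind_s(bind_dn, password)),
        ("search", lambda: found.extend(
            conn.search_s(base, ldap.SCOPE_SUBTREE, ldap_filter))),
    ]
    return steps, found
```

Pass the steps from `ldap_phases(...)` to `time_phases`, then give `found` to `split_search_result` to see whether references came back with the user's entry.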