freeipa/contrib
Christian Heimes e9ae7c4b89 lite-setup: configure lite-server test env
Introduce a script that configures a local testing environment
with ipa default.conf, krb5.conf, and ca.crt from a server hostname.

The lite server configuration allows easy and convenient testing of
IPA server and client code. It uses an existing 389-DS and KRB5 KDC
server on another machine:

    $ contrib/lite-setup.py master.ipa.example
    $ source ~/.ipa/activate.sh
    (ipaenv) $ kinit username
    (ipaenv) $ make lite-server

IPA server UI is available on http://localhost:8888/ipa/

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-24 08:35:47 -05:00
completion Build: integrate contrib directory into build system 2016-11-09 13:08:32 +01:00
copy-schema-to-ca-RHEL6.py Update mod_nss cipher list so there is overlap with a 4.x master 2019-02-04 09:12:29 +01:00
lgtm_container.py Improve Python configuration for LGTM 2018-10-26 18:04:23 +02:00
lite-server.py lite-setup: configure lite-server test env 2020-01-24 08:35:47 -05:00
lite-setup.py lite-setup: configure lite-server test env 2020-01-24 08:35:47 -05:00
Makefile.am Remove contrib/nssciphersuite 2018-04-30 19:39:52 +02:00
README.md lite-setup: configure lite-server test env 2020-01-24 08:35:47 -05:00

In-tree development debugging and testing

lite-server and lite-client enable fast development, debugging, and performance analysis of server or client code from an in-tree source directory. The lite-server runs a local web server that uses a remote LDAP and KRB5 server.

Prerequisites

Remote IPA server

Lite-server and lite-client require a running IPA server. The server should have an LDAP schema and IPA version similar to those of the in-tree sources. Some features may not work if the differences are too great.

The lite-server only needs a working LDAP server and KRB5 server. For KdcProxy or CA-related features, the Apache HTTPd and pki-tomcatd services must be running, too.

If the lite-client is configured for remote-server instead of lite-server, then the lite-client uses the HTTP API of the remote server.

Local setup

  1. Configure and build FreeIPA according to BUILD.txt. TL;DR:

     $ sudo dnf builddep -b --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
     $ ./autogen.sh
     $ make

  2. Install additional dependencies for the lite-server:

     $ sudo dnf install -y python3-werkzeug python3-watchdog

  3. The FQDN of the remote IPA server must be resolvable. If the server does not have a valid DNS entry, add its hostname and IP address to /etc/hosts.

  4. Create configuration files in ~/.ipa. The lite-server requires an IPA configuration, a CA certificate file, a KRB5 configuration, a Kerberos TGT, and a file-based credential cache. The script contrib/lite-setup.py creates all the necessary files for you and sets up default.conf, krb5.conf, ca.crt, and even ldap.conf:

     $ contrib/lite-setup.py master.ipa.example

  5. Set up environment variables: the lite-setup script also creates a shell source file that activates a virtualenv-like environment. The source file sets several environment variables for PATH, KRB5, LDAP, IPA, and Python. The env allows you to run the lite-server, ipa client commands, or OpenLDAP commands:

     $ source ~/.ipa/activate.sh

  6. Acquire a TGT:

     (ipaenv) $ kinit username

  7. Run the lite-server:

     (ipaenv) $ make lite-server

  8. Run ipa client commands in another shell session. The lite-setup script also provides an ipa wrapper that uses the development sources:

     $ source ~/.ipa/activate.sh
     (ipaenv) $ which ipa
     ~/.ipa/ipa
     (ipaenv) $ ipa ping

  9. Deactivate the environment:

     (ipaenv) $ deactivate_ipaenv

Limitations

The lite-server does not have access to the ra-agent certificate. Therefore most CA and KRA (vault) operations are not supported.

Tricks and tips

The lite-server has a functional Web UI at http://localhost:8888/ipa/xml. The session is already authenticated with the current TGT.

The lite-setup script has additional options:

  • --kdcproxy configures krb5.conf for Kerberos over HTTPS
  • --debug enables IPA and KRB5 debugging
  • --remote-server lets you run local client commands without a local lite-server

The make lite-server command supports arguments like PYTHON=/path/to/custom/interpreter or LITESERVER_ARGS='--enable-profiler=-'.

By default the dev server supports HTTP only. To switch to HTTPS, you can put a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate, its unencrypted private key and intermediate chain certs (if applicable).
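A small POSIX shell check for the ~/.ipa layout that the setup steps above rely on, added here as an example and not part of the FreeIPA tree. It assumes the file names given in this README, and, when ~/.ipa/lite.pem exists, applies the HTTPS bundle rules just described (server certificate, unencrypted private key); because that key is stored in plaintext, it also insists the file is not group- or world-readable.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA tree: sanity-check the ~/.ipa layout
# that contrib/lite-setup.py creates before running `make lite-server`.
# Assumes the file names from this README; the lite.pem rules follow the
# HTTPS paragraph above (server cert, unencrypted key, optional chain).

# check_lite_pem FILE: returns 0 when FILE looks like a usable HTTPS bundle.
check_lite_pem() {
    pem="$1"
    ok=0
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "$pem: no server certificate found"; ok=1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem: no private key found"; ok=1
    fi
    # PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM ("Proc-Type:
    # 4,ENCRYPTED") both mark an encrypted key; lite-server needs a plain one.
    if grep -q ENCRYPTED "$pem"; then
        echo "$pem: private key is encrypted"; ok=1
    fi
    # The bundle holds plaintext key material: refuse group/world-readable modes.
    mode=$(stat -c '%a' "$pem" 2>/dev/null || echo unknown)
    case "$mode" in
        600|400) ;;
        *) echo "$pem: mode $mode, expected 0600 for a private key"; ok=1 ;;
    esac
    return $ok
}

# check_ipa_env [DIR]: DIR defaults to ~/.ipa; returns 0 when every file the
# setup steps rely on is present and lite.pem (if any) passes check_lite_pem.
check_ipa_env() {
    dir="${1:-$HOME/.ipa}"
    rc=0
    for f in default.conf krb5.conf ca.crt activate.sh; do
        if [ ! -r "$dir/$f" ]; then
            echo "$dir/$f missing: run contrib/lite-setup.py <server-fqdn>"; rc=1
        fi
    done
    if [ -e "$dir/lite.pem" ]; then
        check_lite_pem "$dir/lite.pem" || rc=1
    fi
    return $rc
}

# Usage: sh check-ipa-env.sh [DIR]   (no argument: nothing runs when sourced)
if [ $# -gt 0 ]; then
    check_ipa_env "$1"
fi
```

Run it before `make lite-server`; a non-zero exit lists each missing file or bundle problem on its own line.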