Michal Rejda wrote:
> Hi all,
>
> I'm trying to set up a proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but neither of them works:
>
> 1) New database link to LDAP server.
> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found.

Rich Megginson wrote:
You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft

> 2) Create multiple-master replication and set up the other server as consumer.
> - But this shows the error: 255 Replication error acquiring replica: unknown error.

Replication will only work to a SunDS, not to any other vendor.

> My question is: Is there a way to set up a proxy to access another LDAP server from Fedora DS? I know that it is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to set up a proxy is to use data stored in LDAP servers (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
>
> Thank you for reply.
>
> Regards,
>
> Michal

See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration

Michal Rejda wrote:
I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I set up the database link to the Active Directory (and OpenLDAP). When I looked into the Wireshark log, FDS sends a search request with controls:

2.16.840.1.113730.3.4.2
2.16.840.1.113730.3.4.12

And the AD server responded: Unavailable Critical Extension.

I tried to remove these two controls from Database Link Settings (in the administration console) but it didn't help. The server didn't return the message above, but the administration console shows an error dialog.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Tuesday, April 14, 2009 4:25 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: LDAP proxy

What error?

Michal Rejda wrote:
I tried it again and the error message is exactly:

Error fading object 'dn: dc=example, dc=com'.
The error sent by the server was:
".

In the Wireshark log there was still the search request with control:

2.16.840.1.113730.3.4.2

Why is this control needed by the server when I removed it from Database link settings?

Rich Megginson wrote:
I'm not sure - maybe the console is not working correctly. Try this:

1) Shutdown the server
2) cd /etc/dirsrv/slapd-yourinstance
3) edit dse.ldif - look for the entry
   dn: cn=config,cn=chaining database,cn=plugins,cn=config
4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
5) save and restart the server

Michal Rejda wrote:
I looked into dse.ldif for a nsTransmittedControls attribute. There is only 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.

> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?

Rich Megginson wrote:
If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.

> Why is this so necessary?

It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.

Michal Rejda wrote:
I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.

Rich Megginson wrote:
Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

Michal Rejda wrote:
In the attachment is the part of the server error log. I removed all messages before I clicked on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?

Rich Megginson wrote:
Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).

Michal Rejda wrote:
Yes, you are right. I use the console to browse the AD tree. But I do this because there is an attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.

I tried ldapsearch using an AD user (Administrator). I'm able to log in but the ldapsearch doesn't show any results (I use Apache Directory Studio). When I looked into the Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.

Rich Megginson wrote:
Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.

Michal Rejda wrote:
It works. Thank you very much! I can connect to the AD and list users and whatever I want.

I have one more difficulty. When I send ldapmodify to a node in the AD, FDS adds two more attributes to this request (modifiersname, modifytimestamp). AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece).

> Is it possible to disable this functionality

Rich Megginson wrote:
Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0

> or rewrite the attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change the AD schema.

No, it's not possible to map it.

BTW, I would really appreciate it if you could write up something for the wiki about "using chaining to create an AD 'view'" - if you would rather just send me the info in an email, that would be fine too.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
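The three fixes worked out in the thread (remove the ManageDsaIT and proxied-authorization control OIDs from nsTransmittedControls on cn=config,cn=chaining database,cn=plugins,cn=config; turn nsProxiedAuthorization off on the database link; turn nsslapd-lastmod off in cn=config) are all plain attribute edits in dse.ldif, and Rich's five steps do them by hand with the server stopped. Below is an added example, written for this page and not code from the thread or from the 389/Fedora Directory Server project, that makes the same edits with a small LDIF-aware script so that line folding and multi-valued attributes are handled rather than eyeballed. It assumes a database link entry named cn=adlink (an invented name), a constructed dse.ldif fragment in place of a real server's file, and that the server accepts the on/off form for the two attributes (Rich writes "0"; shipped dse.ldif files carry these attributes as on/off, which is what the script writes).

```python
"""Apply the thread's three dse.ldif changes offline (server stopped).
Entry DNs are the ones named in the thread; the link entry name 'cn=adlink'
and SAMPLE_DSE below are constructed for this example, not a real server's."""
import re

MANAGEDSAIT = "2.16.840.1.113730.3.4.2"   # ManageDsaIT control (RFC 3296)
PROXYAUTH = "2.16.840.1.113730.3.4.12"    # proxied authorization control
CHAINING_CONFIG_DN = "cn=config,cn=chaining database,cn=plugins,cn=config"
ROOT_CONFIG_DN = "cn=config"


def normalize_dn(dn):
    """Case-fold and strip whitespace around ',' so DNs compare reliably."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Split LDIF into records of unfolded 'attr: value' lines.
    Leading space continues the previous line, '#' lines are comments,
    a blank line ends a record. Values are kept verbatim (no base64 decode)."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
            current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def split_line(line):
    attr, _, value = line.partition(":")
    return attr.strip().lower(), value.strip()


def remove_values(record, attr, unwanted):
    """Drop '<attr>: <value>' lines whose value is in unwanted; return them."""
    kept, removed = [], []
    for line in record:
        a, v = split_line(line)
        if a == attr.lower() and v in unwanted:
            removed.append(v)
        else:
            kept.append(line)
    record[:] = kept
    return removed


def set_single_value(record, attr, value):
    """Replace every value of attr with one value (appends if absent)."""
    record[:] = [l for l in record if split_line(l)[0] != attr.lower()]
    record.append(f"{attr}: {value}")


def harden_dse_for_ad(text, link_dn):
    """Return (new dse.ldif text, report). KeyError if an entry is missing."""
    records = parse_ldif(text)
    by_dn = {}
    for r in records:
        dn = next((v for a, v in map(split_line, r) if a == "dn"), "")
        by_dn[normalize_dn(dn)] = r
    entries = {}
    for dn in (CHAINING_CONFIG_DN, link_dn, ROOT_CONFIG_DN):
        if normalize_dn(dn) not in by_dn:
            raise KeyError(f"entry not found in dse.ldif: {dn}")
        entries[dn] = by_dn[normalize_dn(dn)]
    report = {}
    # 1. AD answered both controls with "unavailable critical extension"
    report["removed_controls"] = remove_values(
        entries[CHAINING_CONFIG_DN], "nsTransmittedControls", {MANAGEDSAIT, PROXYAUTH})
    # 2. without proxied authorization AD authorizes every chained
    #    operation as the link's own nsMultiplexorBindDN
    set_single_value(entries[link_dn], "nsProxiedAuthorization", "off")
    # 3. stop adding modifiersName/modifyTimestamp; this is instance-wide
    set_single_value(entries[ROOT_CONFIG_DN], "nsslapd-lastmod", "off")
    report["proxied_authorization"] = report["lastmod"] = "off"
    return "\n\n".join("\n".join(r) for r in records) + "\n", report


# Constructed fragment (assumption: shape of a real dse.ldif); the folded
# nsActiveChainingComponents line exercises the unfolding.
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
nsActiveChainingComponents: cn=resource limits,cn=components,cn=conf
 ig

dn: cn=adlink,cn=chaining database,cn=plugins,cn=config
cn: adlink
nsslapd-suffix: dc=example,dc=com
nsMultiplexorBindDN: cn=fds-proxy,cn=users,dc=example,dc=com
nsProxiedAuthorization: on
"""
LINK_DN = "cn=adlink,cn=chaining database,cn=plugins,cn=config"
```

Real use is `new_text, report = harden_dse_for_ad(open(path).read(), LINK_DN)` on /etc/dirsrv/slapd-yourinstance/dse.ldif with the server stopped and a copy of the file kept, then a restart; ns-slapd rewrites dse.ldif itself, so edits made while it runs are lost. Two consequences of these settings are worth knowing before copying them: with nsProxiedAuthorization off, Active Directory sees every chained operation as the nsMultiplexorBindDN of the link, so AD's own access control no longer distinguishes between FDS users and the link account should be a least-privilege account (not Administrator as in the thread) with FDS ACIs on the chained suffix doing the per-user restriction; and nsslapd-lastmod lives in cn=config, so turning it off also stops the server maintaining modifiersName/modifyTimestamp on its local backends, which removes audit information there, not only on the chained suffix.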