Giovanni Mancuso wrote:
> Hi,
>
> I try to configure 2 Directory Servers with db link.
>
> I have a first DS that points to a second DS that has its DB in the filesystem.
>
> I create a proxy user in the second DS:
>
> # tproxy, config
> dn: uid=tproxy,cn=config
> uid: tproxy
> givenName: test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: proxy
> cn: test proxy
> userPassword:: *********************************************
>
> and I create in the first DS the "Database link" that uses this user to
> bind in the second DS.
>
> In the second DS I add the following aci:

What entry did you add this aci to?

> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
> 3.0;acl "AciChepermettetutto";allow (all)(userdn =
> "ldap:///uid=tproxy,cn=config");)

You should not need this aci.

> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
> 3.0;acl "proxy acl";allow (proxy)(userdn =
> "ldap:///uid=tproxy,cn=config");)

This is the correct aci.

> But if I try to execute the ldapsearch in the first directory server I have
> the following error:

Proxy does not currently work with directory manager. Directory manager is considered a "local" user to each directory server. Try a different user.
>
> ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w
> ********* -b "dc=example,dc=com" "(objectclass=*)"
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 53 Server is unwilling to perform
> text: Proxy dn should not be rootdn
>
> # numResponses: 1
>
> If I enable verbose logging in my error log I have:
>
> [15/Jul/2009:18:44:47 +0200] - activity on 65r
> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [15/Jul/2009:18:44:47 +0200] - read activity on 65
> [15/Jul/2009:18:44:47 +0200] - add_pb
> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [15/Jul/2009:18:44:47 +0200] - get_pb
> [15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
> [15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
> [15/Jul/2009:18:44:47 +0200] - do_search
> [15/Jul/2009:18:44:47 +0200] - => get_filter_internal
> [15/Jul/2009:18:44:47 +0200] - PRESENT
> [15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
> [15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
> [15/Jul/2009:18:44:47 +0200] get_filter - after optimize: (objectClass=*)
> [15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
> [15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.3)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.20)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.14)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.9.5.2)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=2
> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=1
> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, timelimit=3600
> [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 type 403
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.12)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
> [15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should not be rootdn
> [15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
> [15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
> [15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
> [15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=3
> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [15/Jul/2009:18:44:49 +0200] - listener got signaled
> [15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 (scheduled for 1247676293)
> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>
> The problem seems to be the "ACL preoperation" plugin. Indeed if I disable
> this plugin, it WORKS.
> But I cannot disable this plugin.
>
> Any ideas to solve the problem??
>
> Thanks and sorry in advance for my bad English
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
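
Added example (not part of the original thread, and not 389 Directory Server code): a small Python audit of the two ACIs quoted above. It reports whether the chaining bind DN is granted the proxy right, whether it is granted anything beyond it, and whether the client bind DN is the root DN that the second server refused to proxy. The regex covers only userdn-based ACIs of the shape shown in the message; the function names and the default root DN value are assumptions.

```python
import re

# The two ACIs quoted in the message, each joined onto one line.
ACIS = [
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
    'acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)',
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
    'acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)',
]

# Matches: acl "<name>"; allow|deny (<rights>) (userdn = "<ldap url>[ || <ldap url>]")
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]*)"\s*;\s*(?P<verb>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*\(\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*\)',
    re.IGNORECASE,
)

def norm_dn(dn):
    """Strip the ldap:/// prefix, drop spaces around ',' and '=', lower-case."""
    dn = re.sub(r"^ldap:///", "", dn.strip(), flags=re.IGNORECASE)
    return re.sub(r"\s*([,=])\s*", r"\1", dn).lower()

def parse_aci(text):
    m = ACI_RE.search(text)
    if not m:
        raise ValueError("unrecognised ACI: %r" % text)
    rights = {r.strip().lower() for r in m.group("rights").split(",") if r.strip()}
    subjects = {norm_dn(u) for u in m.group("userdn").split("||")}
    return {"name": m.group("name"), "verb": m.group("verb").lower(),
            "rights": rights, "subjects": subjects}

def chaining_findings(acis, proxy_dn, client_dn, rootdn="cn=Directory Manager"):
    """rootdn default is an assumption; use the server's configured root DN."""
    proxy = norm_dn(proxy_dn)
    out = {"grants_proxy": False, "excess": [],
           "client_is_rootdn": norm_dn(client_dn) == norm_dn(rootdn)}
    for aci in map(parse_aci, acis):
        if aci["verb"] != "allow" or proxy not in aci["subjects"]:
            continue
        if "proxy" in aci["rights"]:
            out["grants_proxy"] = True
        extra = sorted(aci["rights"] - {"proxy"})  # anything beyond proxy
        if extra:
            out["excess"].append((aci["name"], extra))
    return out

if __name__ == "__main__":
    print(chaining_findings(ACIS, "uid=tproxy,cn=config", "cn=Directory Manager"))
```

An entry in `excess` corresponds to the ACI the reply says is not needed, and `client_is_rootdn` being true corresponds to the "Proxy dn should not be rootdn" result in the quoted search output.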