Rich Megginson wrote:
> Giovanni Mancuso wrote:
>> Hi,
>>
>> I try to configure 2 Directory Server with db link.
>>
>> I have first DS that point to second DS that have DB in filesystem.
>>
>> I create a proxy user in second DS:
>>
>> # tproxy, config
>> dn: uid=tproxy,cn=config
>> uid: tproxy
>> givenName: test
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetorgperson
>> sn: proxy
>> cn: test proxy
>> userPassword:: *********************************************
>>
>> and I create in first DS the "Database link" that use this user to
>> bind in second DS.
>>
>> In second DS I add the following aci:
> What entry did you add this aci to?

I add the aci in root suffix (dc=example,dc=com)

>>
>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
>> 3.0;acl "AciChepermettetutto";allow (all)(userdn =
>> "ldap:///uid=tproxy,cn=config");)
> you should not need this aci

Ok, I delete this aci.

>
>>
>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
>> 3.0;acl "proxy acl";allow (proxy)(userdn =
>> "ldap:///uid=tproxy,cn=config");)
> This is the correct aci
>>
>> But if I try to execute the ldapsearch in first directory server I
>> have the following error:
> proxy does not currently work with directory manager. Directory
> manager is considered a "local" user to each directory server. Try a
> different user.

Now, I create a new user in first DS:

dn: uid=ttestuser,cn=config
uid: testuser
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: user
cn: test user
userPassword: *********

And if I try to run ldapsearch with this user it works:

ldapsearch -LLL -s base -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

The problem now is if I try to execute add in first directory server.
I create the following ldif:

cat /tmp/tempuser.ldif
dn: uid=conaltroustente,node=testgio,dc=example,dc=com
uid: conaltroustente
givenName: conaltroustente
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: dsdsds
cn: pippopidddssd dsdsds

And I try to run:

ldapmodify -a -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w *********** -f /tmp/tempuser.ldif
adding new entry "uid=conaltroustente,node=testgio,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry 'uid=conaltroustente,node=testgio,dc=example,dc=com'.

Any ideas??

>>
>> ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w
>> ********* -b "dc=example,dc=com" "(objectclass=*)"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=example,dc=com> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 53 Server is unwilling to perform
>> text: Proxy dn should not be rootdn
>>
>> # numResponses: 1
>>
>> If I enable verbose logging in my error log I have:
>>
>> [15/Jul/2009:18:44:47 +0200] - activity on 65r
>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:47 +0200] - read activity on 65
>> [15/Jul/2009:18:44:47 +0200] - add_pb
>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:47 +0200] - get_pb
>> [15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
>> [15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
>> [15/Jul/2009:18:44:47 +0200] - do_search
>> [15/Jul/2009:18:44:47 +0200] - => get_filter_internal
>> [15/Jul/2009:18:44:47 +0200] - PRESENT
>> [15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
>> [15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
>> [15/Jul/2009:18:44:47 +0200] get_filter - after optimize: (objectClass=*)
>> [15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
>> [15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
>> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.3)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.20)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.14)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.9.5.2)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=2
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=1
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, timelimit=3600
>> [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 type 403
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.12)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should not be rootdn
>> [15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
>> [15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
>> [15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
>> [15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=3
>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:49 +0200] - listener got signaled
>> [15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 (scheduled for 1247676293)
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>>
>> The problem seems the "ACL preoperation" plugin. Indeed if I disable
>> this plugin, it WORKS.
>> But I cannot disable this plugin.
>>
>> Any ideas to solve the problem??
>>
>> Thanks and sorry in advance for my bad English
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
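
Added example, not part of the original messages and not 389 DS code: a simplified Python model of how the second DS decides an operation arriving over the database link, run against the two ACIs quoted in the thread. It assumes the remote server first checks the link's bind DN for the proxy right and then evaluates the operation as the client DN; CLIENT_ACI, the function names and the decision strings are constructed for illustration, and any other ACIs on the suffix are not modelled.

```python
import re

# The two ACIs quoted in the thread, as set on dc=example,dc=com of the second DS.
THREAD_ACIS = [
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
    'acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)',
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
    'acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)',
]
# Constructed for contrast, not from the thread: an ACI that names the client DN.
CLIENT_ACI = ('(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
              'acl "example client add";allow (add)(userdn = "ldap:///uid=ttestuser,cn=config");)')

ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\)\s*\(version 3\.0;\s*'
    r'acl\s+"(?P<name>[^"]*)";\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'\(userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\);\)')
# "all" covers every right except proxy.
ALL_RIGHTS = {"read", "write", "search", "compare", "selfwrite", "add", "delete"}

def parse_aci(text):
    """Parse the single-target, single-userdn allow ACI form used in the thread."""
    m = ACI_RE.search(text)
    if m is None:
        raise ValueError("unsupported ACI form: " + text)
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    return {"name": m["name"], "target": m["target"].lower(),
            "userdn": m["userdn"].lower(), "rights": rights}

def allows(aci, subject_dn, right, entry_dn):
    """True if this ACI gives subject_dn the right on entry_dn."""
    entry = entry_dn.lower()
    in_scope = entry == aci["target"] or entry.endswith("," + aci["target"])
    return in_scope and aci["userdn"] == subject_dn.lower() and right in aci["rights"]

def chained_decision(aci_texts, link_dn, client_dn, right, entry_dn,
                     rootdn="cn=Directory Manager"):
    """Remote-side result for an operation the link sends with proxied authorization."""
    if client_dn.lower() == rootdn.lower():
        return "unwilling (53): Proxy dn should not be rootdn"
    acis = [parse_aci(t) for t in aci_texts]
    if not any(allows(a, link_dn, "proxy", entry_dn) for a in acis):
        return "denied: link user has no proxy right"
    if not any(allows(a, client_dn, right, entry_dn) for a in acis):
        return "denied: no ACI grants '%s' to %s" % (right, client_dn)
    return "allowed"
```

In this model the "all" ACI for uid=tproxy changes nothing for the client's add, because it names the link user rather than the DN the operation is evaluated as.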