Re: LDAP proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Michal Rejda wrote:
Michal Rejda wrote:
Michal Rejda wrote:

Michal Rejda wrote:


Michal Rejda wrote:



-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-
directory-users-bounces@xxxxxxxxxx] On Behalf Of Rich
Megginson
Sent: Tuesday, April 14, 2009 4:25 PM
To: General discussion list for the Fedora Directory server


project.


Subject: Re:  LDAP proxy

Michal Rejda wrote:




I tried to use http://tinyurl.com/culeft. But the database
link




doesn't work. I setup the database link to the Active
Directory
(and


OpenLDAP). When I looked into Wireshark log, FDS send search


request


with controls:




	2.16.840.1.113730.3.4.2
	2.16.840.1.113730.3.4.12
And the AD server responded: Unavailable Critical Extension.

I tried to remove this two controls from Database Link
Settings


(in


administration console) but it didn't help. The server didn't


return


the message above, but the administrative console show error


dialog.


What error?




I tried it again and the error message is exactly:

Error fading object 'dn: dc=example, dc=com'.
The error send by the server was:
".

In the Whireshark log was still the search request witch
control:
	2.16.840.1.113730.3.4.2

Why is this control needed by the server when I removed it from



Database link settings?

I'm not sure - maybe the console is not working correctly. Try

this:

1) Shutdown the server
2) cd /etc/dirsrv/slapd-yourinstance
3) edit dse.ldif - look for the entry
dn: cn=config,cn=chaining database,cn=plugins,cn=config
4) edit the nsTransmittedControls attribute - remove
2.16.840.1.113730.3.4.2
5) save and restart the server



I looked into dse.ldif for a nsTransmittedControls attribute.
There


is only the 1.3.6.1.4.1.1466.29539.12. , not the problematic
2.16.840.1.113730.3.4.2.


Isn't the 2.16.840.1.113730.3.4.2 hardcoded?


If it is, I don't see it. There is no mention of managedsa or
2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The
only place it is mentioned is in the default list of
nsTransmittedControls in the template-dse.ldif used during new
instance creation.


Why is this so necessary?



It's not necessary, and I'm not sure where it is coming from. Once
place might be an internal operation, but I'm not sure what
internal operation would be doing this. You might also try to
remove nsActiveChainingComponents and nsPossibleChainingComponents
to see

if

one of those components is doing an internal operation with
managedsait set.


I removed nsActiveChainingComponents and
nsPossibleChainingComponents

and it didn't  help.

Then I'm not sure where it's coming from. I suppose you could enable
tracing in the directory server and see if there is anything
interesting in the error log - see
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

In the attachment is the part of the server error log. I removed all
messages before I click on the exclamation mark before the DN in the
Fedora administration console -> Directory folder tab. I don't
understand this log. It is helpful for you?


Ah, I see. You are using the console to try to browse the AD tree? And
you are using the console admin user "admin"? Try ldapsearch from the
command line, and attempt to authenticate as an AD user (e.g.
cn=administrator,cn=users,dc=example,dc=com).

Yes, you are right. I use the console to browse AD tree. But I do this because there is attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.
I tried ldapsearch using AD user (Administrator). I'm able to login but the ldapsearch don't show any results (I use Apache Directory Studio). When I looked into Whireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.
Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.
Michal Rejda wrote:





Hi all,

I’m trying to setup proxy on FDS to another LDAP server


(OpenLDAP


and Active Directory). I tried two ways, but none of these


works:


1) New database link to LDAP server.

- The remote LDAP server (OpenLDAP) returns: null.

manageDSAit


control





value not found






You might have to tweak the controls used by chaining - see
http://tinyurl.com/culeft





2) Create multiple-master replication and setup other
server
as





consumer.





- But this show error: 255 Replication error acquiring

replica:

unknown error.






Replication will only work to a SunDS, not to any other

vendor.


My question is: Is there way how to setup proxy to access


another


LDAP





server from Fedora DS? I know that is possible to use AD

sync,

but



I




cannot install anything on the AD server. The second reason
why


I


need





to setup proxy is to use data stored in LDAP server

(OpenLDAP,

Open Direcoty Server and Active Directory) in one place. I
need



to



update




them too. It is not necessary to synchronize passwords.






See also



http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration


Thank you for reply.

Regards,

Michal





--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users



--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


---------------------------------------------------------------------
-
--

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


<<attachment: smime.p7s>>

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux