Michal Rejda wrote:
Michal Rejda wrote:Michal Rejda wrote:Michal Rejda wrote:Michal Rejda wrote:-----Original Message----- From: fedora-directory-users-bounces@xxxxxxxxxx[mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of RichMegginsonSent: Tuesday, April 14, 2009 4:25 PM To: General discussion list for the Fedora Directory serverproject.Subject: Re: LDAP proxy Michal Rejda wrote:I tried to use http://tinyurl.com/culeft. But the database linkdoesn't work. I setup the database link to the ActiveDirectory(andOpenLDAP). When I looked into Wireshark log, FDS send searchrequestwith controls:2.16.840.1.113730.3.4.2 2.16.840.1.113730.3.4.12 And the AD server responded: Unavailable Critical Extension. I tried to remove this two controls from Database Link Settings(inadministration console) but it didn't help. The server didn'treturnthe message above, but the administrative console show errordialog.What error?I tried it again and the error message is exactly: Error fading object 'dn: dc=example, dc=com'. The error send by the server was: ". In the Whireshark log was still the search request witchcontrol:2.16.840.1.113730.3.4.2 Why is this control needed by the server when I removed it fromDatabase link settings? I'm not sure - maybe the console is not working correctly. Trythis:1) Shutdown the server 2) cd /etc/dirsrv/slapd-yourinstance 3) edit dse.ldif - look for the entry dn: cn=config,cn=chaining database,cn=plugins,cn=config 4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2 5) save and restart the serverI looked into dse.ldif for a nsTransmittedControls attribute. Thereis only the 1.3.6.1.4.1.1466.29539.12. , not the problematic 2.16.840.1.113730.3.4.2.Isn't the 2.16.840.1.113730.3.4.2 hardcoded?If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.Why is this so necessary?It's not necessary, and I'm not sure where it is coming from. Once place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to seeifone of those components is doing an internal operation with managedsait set.I removed nsActiveChainingComponents and nsPossibleChainingComponentsand it didn't help. Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#TroubleshootingIn the attachment is the part of the server error log. I removed all messages before I click on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. It is helpful for you?Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).Yes, you are right. I use the console to browse AD tree. But I do this because there is attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it. I tried ldapsearch using AD user (Administrator). I'm able to login but the ldapsearch don't show any results (I use Apache Directory Studio). When I looked into Whireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.
Michal Rejda wrote:Hi all, I’m trying to setup proxy on FDS to another LDAP server(OpenLDAPand Active Directory). I tried two ways, but none of theseworks:1) New database link to LDAP server. - The remote LDAP server (OpenLDAP) returns: null.manageDSAitcontrolvalue not foundYou might have to tweak the controls used by chaining - see http://tinyurl.com/culeft2) Create multiple-master replication and setup otherserverasconsumer.- But this show error: 255 Replication error acquiringreplica:unknown error.Replication will only work to a SunDS, not to any othervendor.My question is: Is there way how to setup proxy to accessanotherLDAPserver from Fedora DS? I know that is possible to use ADsync,butIcannot install anything on the AD server. The second reason whyIneedto setup proxy is to use data stored in LDAP server(OpenLDAP,Open Direcoty Server and Active Directory) in one place. I needtoupdatethem too. It is not necessary to synchronize passwords.See alsohttp://directory.fedoraproject.org/wiki/Howto:OpenldapIntegrationThank you for reply. Regards, Michal-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users------------------------------------------------------------------------ -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users-------------------------------------------------------------------------- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
<<attachment: smime.p7s>>
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
