Michal Rejda wrote:
> Hi all,
>
> I'm trying to set up a proxy on FDS to another LDAP server (OpenLDAP
> and Active Directory). I tried two ways, but none of these works:
>
> 1) New database link to LDAP server.
>    - The remote LDAP server (OpenLDAP) returns: null. manageDSAit
>      control value not found

Rich Megginson wrote:
> You might have to tweak the controls used by chaining - see
> http://tinyurl.com/culeft

Michal Rejda wrote:
> 2) Create multiple-master replication and set up the other server as
>    consumer.
>    - But this shows error: 255 Replication error acquiring replica:
>      unknown error.

Rich Megginson wrote:
> Replication will only work to a SunDS, not to any other vendor.

Michal Rejda wrote:
> My question is: Is there a way to set up a proxy to access another LDAP
> server from Fedora DS? I know that it is possible to use AD sync, but I
> cannot install anything on the AD server. The second reason why I need
> to set up a proxy is to use data stored in LDAP servers (OpenLDAP, Open
> Directory Server and Active Directory) in one place. I need to update
> them too. It is not necessary to synchronize passwords.

Rich Megginson wrote:
> See also
> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration

Michal Rejda wrote:
> Thank you for reply.
>
> Regards,
>
> Michal

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Rich Megginson
Sent: Tuesday, April 14, 2009 4:25 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: LDAP proxy

Michal Rejda wrote:
> I tried to use http://tinyurl.com/culeft. But the database link doesn't
> work. I set up the database link to the Active Directory (and OpenLDAP).
> When I looked into the Wireshark log, FDS sends a search request with
> controls:
> 2.16.840.1.113730.3.4.2
> 2.16.840.1.113730.3.4.12
> And the AD server responded: Unavailable Critical Extension.
> I tried to remove these two controls from Database Link Settings (in the
> administration console) but it didn't help. The server didn't return the
> message above, but the administrative console shows an error dialog.

Rich Megginson wrote:
> What error?

Michal Rejda wrote:
> I tried it again and the error message is exactly:
>
> Error fading object 'dn: dc=example, dc=com'.
> The error send by the server was:
> ".
>
> In the Wireshark log was still the search request with control:
> 2.16.840.1.113730.3.4.2
>
> Why is this control needed by the server when I removed it from
> Database link settings?

Rich Megginson wrote:
> I'm not sure - maybe the console is not working correctly. Try this:
> 1) Shutdown the server
> 2) cd /etc/dirsrv/slapd-yourinstance
> 3) edit dse.ldif - look for the entry
>    dn: cn=config,cn=chaining database,cn=plugins,cn=config
> 4) edit the nsTransmittedControls attribute - remove
>    2.16.840.1.113730.3.4.2
> 5) save and restart the server

Michal Rejda wrote:
> I looked into dse.ldif for a nsTransmittedControls attribute. There is
> only the 1.3.6.1.4.1.1466.29539.12, not the problematic
> 2.16.840.1.113730.3.4.2.
> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?

Rich Megginson wrote:
> If it is, I don't see it. There is no mention of managedsa or
> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only
> place it is mentioned is in the default list of nsTransmittedControls in
> the template-dse.ldif used during new instance creation.

Michal Rejda wrote:
> Why is this so necessary?

Rich Megginson wrote:
> It's not necessary, and I'm not sure where it is coming from. One place
> might be an internal operation, but I'm not sure what internal operation
> would be doing this. You might also try to remove
> nsActiveChainingComponents and nsPossibleChainingComponents to see if
> one of those components is doing an internal operation with managedsait
> set.

Michal Rejda wrote:
> I removed nsActiveChainingComponents and nsPossibleChainingComponents
> and it didn't help.

Rich Megginson wrote:
> Then I'm not sure where it's coming from. I suppose you could enable
> tracing in the directory server and see if there is anything interesting
> in the error log - see
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

Michal Rejda wrote:
> In the attachment is the part of the server error log. I removed all
> messages before I clicked on the exclamation mark before the DN in the
> Fedora administration console -> Directory folder tab. I don't
> understand this log. Is it helpful for you?

Rich Megginson wrote:
> Ah, I see. You are using the console to try to browse the AD tree? And
> you are using the console admin user "admin"? Try ldapsearch from the
> command line, and attempt to authenticate as an AD user (e.g.
> cn=administrator,cn=users,dc=example,dc=com).

Michal Rejda wrote:
> Yes, you are right. I use the console to browse the AD tree. But I do
> this because there is an attention marker before the root suffix
> (lib-w2k3r2) in the Directory tab and I just double click on it.
>
> I tried ldapsearch using an AD user (Administrator). I'm able to log in
> but the ldapsearch doesn't show any results (I use Apache Directory
> Studio). When I looked into the Wireshark log, I now see that another
> critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in
> the attachment.

Rich Megginson wrote:
> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.
> Set nsProxiedAuthorization to 0 - that should make it not use
> 2.16.840.1.113730.3.4.12 which is the proxyauth control.

Michal Rejda wrote:
> It works. Thank you very much! I can connect to the AD and list users
> and whatever I want.
>
> I have one more difficulty. When I send ldapmodify to the node in the
> AD, FDS adds to this request two more attributes (modifiersname,
> modifytimestamp). AD doesn't know these attributes and returns the error
> (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in
> attribute conversion operation, data 0, vece). Is it possible to
> disable this functionality

Rich Megginson wrote:
> Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0

Michal Rejda wrote:
> or rewrite the attribute names into AD attribute names (e.g.
> modifytimestamp -> whenChanged)? I cannot change the AD schema.

Rich Megginson wrote:
> No, it's not possible to map it.
>
> BTW, I would really appreciate it if you could write up something for
> the wiki about "using chaining to create an AD 'view'" - if you would
> rather just send me the info in an email, that would be fine too.

Perhaps one of the last questions on LDAP proxy :-)

Is there a way to set up permissions for listing/searching AD using
chaining? I'm looking into the administration guide and if I see it
well, I have to set up ACIs on the AD. But AD does not have ACI
attributes. I tried to add an ACI on
cn=link-ads,cn=chaining database,cn=plugins,cn=config but it didn't help.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
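The fixes Rich Megginson gives over the course of this thread are spread across several replies: drop the ManageDSAIT (2.16.840.1.113730.3.4.2) and proxied-authorization (2.16.840.1.113730.3.4.12) controls from nsTransmittedControls, set nsProxiedAuthorization to 0 so the link stops attaching the proxyauth control, and set nsslapd-lastmod to 0 so chained modifies no longer carry modifiersName/modifyTimestamp. The script below is an added example, not code from the thread or from the Fedora Directory Server project. It reads a dse.ldif, reports which of those settings would still make a chained operation fail against Active Directory, and emits the LDIF to feed to ldapmodify. The dse.ldif excerpt is constructed for the example; the link entry cn=link-ads, its attributes, and the placement of nsProxiedAuthorization on the link entry are assumptions, and the value 0 is the form used in the thread rather than a value checked against any particular release.

```python
"""Audit a Fedora/389 DS dse.ldif for chaining settings that an Active
Directory farm server rejects and emit the LDIF that fixes them.
Added example; the dse.ldif excerpt is constructed, not from a real server."""
import re

# Controls the chaining backend forwarded in the thread and AD answered with
# "Unavailable Critical Extension".  1.3.6.1.4.1.1466.29539.12 (chaining loop
# detection) stays: it caused no trouble in the thread.
REJECTED_CONTROLS = {
    "2.16.840.1.113730.3.4.2": "ManageDSAIT",
    "2.16.840.1.113730.3.4.12": "proxied authorization",
}
CHAINING_SUFFIX = "cn=chaining database,cn=plugins,cn=config"
CHAINING_CONFIG_DN = "cn=config," + CHAINING_SUFFIX
SERVER_CONFIG_DN = "cn=config"

# Constructed sample.  cn=link-ads and its attribute values are assumptions.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12

dn: cn=link-ads,cn=chaining database,cn=plugins,cn=config
cn: link-ads
nsslapd-suffix: dc=example,dc=com
nsFarmServerURL: ldap://ad.example.com:389/
nsProxiedAuthorization: on
"""


def norm_dn(dn):
    """DNs compare case-insensitively; also drop spaces after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, '#' comments and
    folded continuation lines.  Base64 ('::') and URL ('<') values are not
    needed for these config attributes and are not handled.
    Returns {normalised dn: {lower-case attribute: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn", [None])[0]
        if dn:
            entries[norm_dn(dn)] = attrs
    return entries


def is_off(values):
    """True when the attribute is explicitly disabled (the thread uses 0)."""
    return bool(values) and values[0].lower() in ("0", "off", "false", "no")


def audit_chaining(entries):
    """Return (dn, attribute, current value, reason) for each setting that
    would make a chained operation fail against AD."""
    findings = []
    chain = entries.get(CHAINING_CONFIG_DN, {})
    for oid in chain.get("nstransmittedcontrols", []):
        if oid in REJECTED_CONTROLS:
            findings.append((CHAINING_CONFIG_DN, "nsTransmittedControls", oid,
                             f"{REJECTED_CONTROLS[oid]} control forwarded as critical"))
    # Every link entry under the chaining plugin.  Assumption: proxied
    # authorization is set per link, and an absent attribute means enabled.
    for dn, attrs in entries.items():
        if dn.endswith("," + CHAINING_SUFFIX) and dn != CHAINING_CONFIG_DN:
            values = attrs.get("nsproxiedauthorization", [])
            if not is_off(values):
                findings.append((dn, "nsProxiedAuthorization",
                                 values[0] if values else "(absent)",
                                 "makes the link attach 2.16.840.1.113730.3.4.12"))
    lastmod = entries.get(SERVER_CONFIG_DN, {}).get("nsslapd-lastmod", [])
    if not is_off(lastmod):
        findings.append((SERVER_CONFIG_DN, "nsslapd-lastmod",
                         lastmod[0] if lastmod else "(absent)",
                         "adds modifiersName/modifyTimestamp to chained modifies (AD 00000057)"))
    return findings


def fix_ldif(findings):
    """Render the findings as ldapmodify input.  The value 0 follows the thread;
    check the errors log after applying in case your release wants on/off."""
    out = []
    for dn, attr, value, _reason in findings:
        out += [f"dn: {dn}", "changetype: modify"]
        if attr == "nsTransmittedControls":
            out += [f"delete: {attr}", f"{attr}: {value}"]
        else:
            out += [f"replace: {attr}", f"{attr}: 0"]
        out += ["-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = audit_chaining(parse_ldif(SAMPLE_DSE_LDIF))
    for dn, attr, value, reason in found:
        print(f"{dn}: {attr}={value}  ({reason})")
    print()
    print(fix_ldif(found))
```

Run it against a copy of /etc/dirsrv/slapd-yourinstance/dse.ldif taken while the server is stopped, as in the five-step procedure above, and either apply the printed LDIF with ldapmodify against a running server or make the same edits in the file by hand. Afterwards, repeat the check from the thread: bind as an AD user with ldapsearch and confirm in Wireshark that the forwarded search no longer carries either rejected control OID.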