Michal Rejda wrote:

Hi all, I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:

1) New database link to LDAP server.
- The remote LDAP server (OpenLDAP) returns: null.manageDSAit control value not found

2) Create multiple-master replication and setup other server as consumer.
- But this shows error: 255 Replication error acquiring replica: unknown error.

My question is: Is there a way how to setup proxy to access another LDAP server from Fedora DS? I know that it is possible to use ADsync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP servers (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.

Thank you for reply.

Regards, Michal

Rich Megginson wrote:

> 1) New database link to LDAP server.
> - The remote LDAP server (OpenLDAP) returns: null.manageDSAit control value not found

You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft

> 2) Create multiple-master replication and setup other server as consumer.
> - But this shows error: 255 Replication error acquiring replica: unknown error.

Replication will only work to a SunDS, not to any other vendor.

> My question is: Is there a way how to setup proxy to access another LDAP server from Fedora DS?

See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration

Michal Rejda wrote:

I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into the Wireshark log, FDS sends a search request with controls:

2.16.840.1.113730.3.4.2
2.16.840.1.113730.3.4.12

And the AD server responded: Unavailable Critical Extension.

I tried to remove these two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console shows an error dialog.

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Rich Megginson
Sent: Tuesday, April 14, 2009 4:25 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: LDAP proxy

What error?

Michal Rejda wrote:

I tried it again and the error message is exactly: Error fading object 'dn: dc=example, dc=com'. The error sent by the server was: ". In the Wireshark log there was still the search request with control: 2.16.840.1.113730.3.4.2

Why is this control needed by the server when I removed it from Database link settings?

Rich Megginson wrote:

I'm not sure - maybe the console is not working correctly. Try this:

1) Shutdown the server
2) cd /etc/dirsrv/slapd-yourinstance
3) edit dse.ldif - look for the entry dn: cn=config,cn=chaining database,cn=plugins,cn=config
4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
5) save and restart the server

Michal Rejda wrote:

I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2. Isn't the 2.16.840.1.113730.3.4.2 hardcoded?

Rich Megginson wrote:

If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.

Michal Rejda wrote:

Why is this so necessary?

Rich Megginson wrote:

It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.

Michal Rejda wrote:

I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.

Rich Megginson wrote:

Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

Michal Rejda wrote:

In the attachment is the part of the server error log. I removed all messages before I click on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?

Rich Megginson wrote:

Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).

Michal Rejda wrote:

Yes, you are right. I use the console to browse the AD tree. But I do this because there is an attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.

I tried ldapsearch using an AD user (Administrator). I'm able to login but the ldapsearch doesn't show any results (I use Apache Directory Studio). When I looked into the Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.

Rich Megginson wrote:

Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.

Michal Rejda wrote:

It works. Thank you very much! I can connect to the AD and list users and whatever I want.

I have one more difficulty. When I send ldapmodify to a node in the AD, FDS adds to this request two more attributes (modifiersname, modifytimestamp). AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece). Is it possible to disable this functionality

Rich Megginson wrote:

Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0

Michal Rejda wrote:

or rewrite attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change the AD schema.

Rich Megginson wrote:

No, it's not possible to map it.

Michal Rejda wrote:

Perhaps one of the last questions on LDAP proxy :-) Is there a way how to setup permissions to list/search AD using chaining? I'm looking into the administration guide and if I see it well, I have to setup ACI on the AD. But AD does not have ACI attributes. I tried to add ACI on the cn=link-ads,cn=chaining database,cn=plugins,cn=config but it didn't help.

Rich Megginson wrote:

Right. AD access control is completely different, and Fedora DS is not smart enough to translate its acis into AD access control.

If you have a real local suffix as the parent of your AD suffix, you could set acis in that suffix.

BTW, I would really appreciate it if you could write up something for the wiki about "using chaining to create an AD 'view'" - if you would rather just send me the info in an email, that would be fine too.
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
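A configuration check that follows from the thread, written as an added example (not code from the list or from the Fedora DS project): it parses a constructed dse.ldif excerpt, flags the transmitted controls and settings the thread found Active Directory rejects, and returns the corresponding ldapmodify changes. The entry DNs and attribute names are those named in the thread; the sample values are constructed, and the on/off spelling of the boolean attributes is assumed (the thread says "0").

```python
"""Audit a Fedora DS / 389 chaining (database link) configuration for the settings
the thread above found Active Directory rejects. Added example; LDIF is constructed."""
# Controls the thread identifies as causing "Unavailable Critical Extension" on AD.
BAD_CONTROLS = {"2.16.840.1.113730.3.4.2": "ManageDSAIT",
                "2.16.840.1.113730.3.4.12": "proxied authorization"}
# Constructed dse.ldif excerpt: only the entries the thread touches.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12

dn: cn=link-ads,cn=chaining database,cn=plugins,cn=config
nsProxiedAuthorization: on
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; folded lines (leading space) are joined."""
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():          # a blank line ends the current entry
            cur = None; continue
        attr, _, val = line.partition(":")
        attr, val = attr.strip().lower(), val.strip()
        if attr == "dn":
            cur = entries.setdefault(val, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(val)
    return entries

def enabled(attrs, name):
    """Assumed on/off spelling for 389 booleans; '1'/'true' accepted as the thread says 0/1."""
    return attrs.get(name, ["off"])[0].lower() in ("on", "1", "true")

def audit(text):
    """Return (dn, LDIF modify body) pairs needed to make chaining AD-safe."""
    fixes = []
    for dn, attrs in parse_ldif(text).items():
        for oid in attrs.get("nstransmittedcontrols", []):
            if oid in BAD_CONTROLS:   # AD answers these with Unavailable Critical Extension
                fixes.append((dn, f"delete: nsTransmittedControls\nnsTransmittedControls: {oid}"))
        if enabled(attrs, "nsproxiedauthorization"):   # makes chaining send ...3.4.12
            fixes.append((dn, "replace: nsProxiedAuthorization\nnsProxiedAuthorization: off"))
        if dn == "cn=config" and enabled(attrs, "nsslapd-lastmod"):  # adds modifiersname etc.
            fixes.append((dn, "replace: nsslapd-lastmod\nnsslapd-lastmod: off"))
    return fixes
```

Each returned pair renders directly as an ldapmodify record (`dn:`, `changetype: modify`, the body, then `-`), which is the same change the thread applied by hand in dse.ldif with the server stopped.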