Giovanni Mancuso wrote:
Hi, I am trying to configure 2 Directory Servers with a db link. I have a first DS that points to a second DS that has its DB in the filesystem. I created a proxy user in the second DS:

# tproxy, config
dn: uid=tproxy,cn=config
uid: tproxy
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: proxy
cn: test proxy
userPassword:: *********************************************

and I created in the first DS the "Database link" that uses this user to bind to the second DS. In the second DS I added the following aci:
What entry did you add this aci to?
(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)
you should not need this aci
(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)
This is the correct aci
proxy does not currently work with directory manager. Directory manager is considered a "local" user to each directory server. Try a different user.

But if I try to execute the ldapsearch in the first directory server I have the following error:
ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 53 Server is unwilling to perform
text: Proxy dn should not be rootdn

# numResponses: 1

If I enable verbose logging in my error log I have:

[15/Jul/2009:18:44:47 +0200] - activity on 65r
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:47 +0200] - read activity on 65
[15/Jul/2009:18:44:47 +0200] - add_pb
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:47 +0200] - get_pb
[15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
[15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
[15/Jul/2009:18:44:47 +0200] - do_search
[15/Jul/2009:18:44:47 +0200] - => get_filter_internal
[15/Jul/2009:18:44:47 +0200] - PRESENT
[15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
[15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
[15/Jul/2009:18:44:47 +0200] get_filter - after optimize: (objectClass=*)
[15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
[15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.3)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.20)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.14)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.9.5.2)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=2
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=1
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, timelimit=3600
[15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 type 403
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.12)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
[15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should not be rootdn
[15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
[15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
[15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
[15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - listener got signaled
[15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 (scheduled for 1247676293)
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing

The problem seems to be the "ACL preoperation" plugin. Indeed, if I disable this plugin, it WORKS. But I cannot disable this plugin. Any ideas to solve the problem? Thanks, and sorry in advance for my bad English.

------------------------------------------------------------------------
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
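As an added example (not part of the original thread and not 389 Directory Server code), this Python script audits the ACIs that name a database link's bind DN and reports any right granted beyond `proxy`, which is the distinction the reply draws between the two ACIs above. The function names and the simplified ACI grammar (one target, one userdn, no escaped DN separators) are assumptions.

```python
import re

# One ACI in the form quoted in the thread (single target, single userdn).
ACI_RE = re.compile(
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*target\s*=\s*"(?P<target>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'\(\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*\)\s*;\s*\)',
    re.IGNORECASE)

def norm_dn(dn):
    """Simplified DN comparison key: no ldap:/// prefix, lower case, no
    spaces around ',' or '='. Escaped separators are not handled."""
    dn = re.sub(r'^ldap:///', '', dn.strip(), flags=re.IGNORECASE)
    return re.sub(r'\s*([,=])\s*', r'\1', dn.lower())

def parse_aci(text):
    m = ACI_RE.search(text)
    if m is None:
        raise ValueError("unrecognised ACI syntax: %r" % text)
    rights = {r.strip().lower() for r in m.group('rights').split(',') if r.strip()}
    return {'name': m.group('name'), 'target': m.group('target'),
            'rights': rights, 'userdn': norm_dn(m.group('userdn'))}

def audit_chaining_acis(acis, bind_dn):
    """Return (has_proxy_right, findings) for the database link's bind DN.
    findings lists (acl name, rights other than 'proxy') per matching ACI."""
    bind = norm_dn(bind_dn)
    has_proxy, findings = False, []
    for text in acis:
        aci = parse_aci(text)
        if aci['userdn'] != bind:
            continue
        has_proxy = has_proxy or 'proxy' in aci['rights']
        extra = sorted(aci['rights'] - {'proxy'})
        if extra:
            findings.append((aci['name'], extra))
    return has_proxy, findings

# The two ACIs from the thread, copied verbatim.
THREAD_ACIS = [
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)',
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)',
]

if __name__ == "__main__":
    ok, extra = audit_chaining_acis(THREAD_ACIS, "uid=tproxy,cn=config")
    print("proxy right granted:", ok)
    for name, rights in extra:
        print("ACI %r grants more than proxy: %s" % (name, ", ".join(rights)))
```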