Re: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Giovanni Mancuso wrote:
Hi,

i try to configure 2 Directory Server with db link.

I have first DS that point to second DS that have DB in filesystem.

I create a proxy user in second DS:

# tproxy, config
dn: uid=tproxy,cn=config
uid: tproxy
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: proxy
cn: test proxy
userPassword:: *********************************************

and i create in first DS the "Dababase link" that use this user to bind in second DS.

In second DS i add the following aci:
What entry did you add this aci to?

(targetattr = "*") (target = "ldap:///dc=example,dc=com";) (version 3.0;acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config";);)
you should not need this aci

(targetattr = "*") (target = "ldap:///dc=example,dc=com";) (version 3.0;acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config";);)
This is the correct aci

Bu if i try to execute the ldapserach in first directory server i have the following error:
proxy does not currently work with directory manager. Directory manager is considered a "local" user to each directory server. Try a different user.

dapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 53 Server is unwilling to perform
text: Proxy dn should not be rootdn

# numResponses: 1

If i enable verbose logging in my error log i have:

[15/Jul/2009:18:44:47 +0200] - activity on 65r
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3 [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [15/Jul/2009:18:44:47 +0200] - read activity on 65 [15/Jul/2009:18:44:47 +0200] - add_pb [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3 [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [15/Jul/2009:18:44:47 +0200] - get_pb [15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2 [15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns [15/Jul/2009:18:44:47 +0200] - do_search [15/Jul/2009:18:44:47 +0200] - => get_filter_internal [15/Jul/2009:18:44:47 +0200] - PRESENT [15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0 [15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*) [15/Jul/2009:18:44:47 +0200] get_filter - after optimize: (objectClass=*) [15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL [15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.3)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.20)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.14)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.9.5.2)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=2 [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=1 [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, timelimit=3600 [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 type 403 [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.12)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
[15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should not be rootdn
[15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
[15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
[15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
[15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3 [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=3 [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3 [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - listener got signaled
[15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 (scheduled for 1247676293)
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing

The problem seems the "ACL preoperation" plugin. Indeed if i disable this plugin, it WORKS.
But i cannot disable this plugin.

Any ideas to solve the problem??

Thanks and sorry in advance for my bad English
//

------------------------------------------------------------------------

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

<<attachment: smime.p7s>>

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux