Re: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Giovanni Mancuso wrote:
Rich Megginson wrote:
Giovanni Mancuso wrote:
Hi,

I am trying to configure 2 Directory Servers with a DB link.

I have a first DS that points to a second DS that has the DB in the filesystem.

I create a proxy user in the second DS:

# tproxy, config
dn: uid=tproxy,cn=config
uid: tproxy
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: proxy
cn: test proxy
userPassword:: *********************************************

and I create in the first DS the "Database link" that uses this user to bind to the second DS.

In the second DS I add the following aci:
What entry did you add this aci to?
I add the aci in the root suffix (dc=example,dc=com)
Ok

(targetattr = "*") (target = "ldap:///dc=example,dc=com";) (version 3.0;acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config";);)
You should not need this aci.
Ok, I delete this aci.


(targetattr = "*") (target = "ldap:///dc=example,dc=com";) (version 3.0;acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config";);)
This is the correct aci

But if I try to execute the ldapsearch in the first directory server I have the following error:
proxy does not currently work with directory manager. Directory manager is considered a "local" user to each directory server. Try a different user.
Now, I create a new user in the first DS:
By first DS do you mean the DS with the "real" database or the DS with the database link? We also refer to the DS with the "real" database as the "remote" DS and the DS with the database link as the "local" DS.

dn: uid=ttestuser,cn=config
uid: testuser
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: user
cn: test user
userPassword: *********

And if I try to run ldapsearch with this user, it works:

ldapsearch -LLL -s base -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

The problem now is if I try to execute an add in the first directory server.

I create the following ldif:

cat /tmp/tempuser.ldif
dn: uid=conaltroustente,node=testgio,dc=example,dc=com
uid: conaltroustente
givenName: conaltroustente
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: dsdsds
cn: pippopidddssd dsdsds

And I try to run:

ldapmodify -a -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w *********** -f /tmp/tempuser.ldif
adding new entry "uid=conaltroustente,node=testgio,dc=example,dc=com"
ldap_add: Insufficient access (50)
additional info: Insufficient 'add' privilege to add the entry 'uid=conaltroustente,node=testgio,dc=example,dc=com'.

Any ideas??
Did you add an ACI to allow the uid=ttestuser,cn=config to add entries under node=testgio,dc=example,dc=com ?


ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 53 Server is unwilling to perform
text: Proxy dn should not be rootdn

# numResponses: 1

If I enable verbose logging in my error log I have:

[15/Jul/2009:18:44:47 +0200] - activity on 65r
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:47 +0200] - read activity on 65
[15/Jul/2009:18:44:47 +0200] - add_pb
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:47 +0200] - get_pb
[15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
[15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
[15/Jul/2009:18:44:47 +0200] - do_search
[15/Jul/2009:18:44:47 +0200] - => get_filter_internal
[15/Jul/2009:18:44:47 +0200] - PRESENT
[15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
[15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
[15/Jul/2009:18:44:47 +0200] get_filter - after optimize: (objectClass=*)
[15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
[15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.3)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.20)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.14)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.9.5.2)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=2
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=1
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, timelimit=3600
[15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 type 403
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.12)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
[15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should not be rootdn
[15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
[15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
[15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
[15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - listener got signaled
[15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 (scheduled for 1247676293)
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing

The problem seems to be the "ACL preoperation" plugin. Indeed, if I disable this plugin, it WORKS.
But i cannot disable this plugin.

Any ideas to solve the problem??

Thanks and sorry in advance for my bad English

------------------------------------------------------------------------

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
