Re: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wednesday 29 July 2009 16:11:02 Roberto Polli wrote:
> now I'm tcpdumping, but really strange
tcpdump says the requests made by the local to the remote are almost identical 

both contains the user proxied (uid=admin)
both contains the controls (proxy and loop detection)
2.16.840.1.113730.3.4.12
1.3.6.1.4.1.1466.29539.12 

packages are:
fedora-ds-1.1.2-1.fc6
fedora-ds-base-1.1.3-2.fc6


Peace, 
R.

>
> old details down.
> Peace,
> R.
>
> > Roberto Polli wrote:
> > > On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:> >>> case1)
> > >
> > >>>>> * I bind with uid=admin to the local DS tree to modify the
> > >>>>> "givenName" of a user on the remote server
> > >>>>> * the modify is successful, as the uid=admin is proxied and the
> > >>>>> "uid=admin" is replicated on the remote server
> > >>>>>
> > >>>>> case2)
> > >>>>> * same as case1 but I try to modify "userPassword"
> > >>>>> * the modify fails as the remote server won't evaluate aci on
> > >>>>> "uid=admin" but on "dn:proxyuser"
> > >>
> > >> So the user uid=admin - is that the Directory Manager (rootdn)?
> > >
> > > no
> > >
> > >> is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
> > >
> > > yes, and it can modify users' attribute, but password
> > >
> > >> Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the
> > >> local and remote servers?
> > >
> > > yes
> > >
> > >
> > > it seems that when I try to modify userPassword, the reference to
> > > uid=admin is not forwarded and only the proxyuser rights are used..
> >
> > I suppose you could turn on ACL summary logging to see what's going on.
> > http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >
> > > Peace,
> > > R.

-- 

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"Il seguente messaggio contiene informazioni riservate. Qualora questo 
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene 
notizia a mezzo e-mail. Vi sollecitiamo altresì a distruggere il messaggio 
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto 
della legge in materia di protezione dei dati personali."


--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux