[Fedora-directory-users] Admin-server/config-server
by tamarin p
Hey,
I've installed Fedora DS 1.1.3 on RHEL5 and configured two server instances
using setup-ds-admin.pl. It seems to work fine, including single-master
replication. I can manage both servers through the fedora-idm-console.
I'm left with some questions I couldn't find answers to in the
documentation, however, and was hoping someone could help me clear some of
them up.
1) The Red Hat documentation makes references to both an admin server and a
configuration server. I can't seem to get a handle on what's what. Is it
simply two terms for the same thing or does one refer to the web-interface
while the other refers to the o=NetscapeRoot suffix on one of the ldap
instances?
2) Slightly connected with 1). Is it advisable to create a completely
separate ldap instance for the configuration server, or does one generally
just use the first instance created? For example, in my test setup I created
two instances, slapd-primary and slapd-secondary, where the configuration
server for secondary was set to ldap://ldap.test.org:389/o=NetscapeRoot. I'm
assuming pointers to all servers managed by this console etc. are stored
here. Would it instead be advisable to have a completely separate instance
for this, so that instead of slapd-primary and slapd-secondary, I'd have
slapd-admin, slapd-primary and slapd-secondary? In production (and further
along in my testing) they would all live on separate boxes, obviously.
3) I'm assuming it's only possible to have one admin console/config server
per machine, i.e. not possible to have four server instances on the same box
but have the first two managed through one console and the remaining two
through another (on the same machine)?
14 years, 11 months
[Fedora-directory-users] Force schema replication
by Juan Asensio Sánchez
Hi
Is there any way to force only the replication of the schema from one
server to another? I am having this error:
[24/Apr/2009:09:53:44 +0200] NSMMReplicationPlugin - agmt="cn=GRS_ppal-GAPBU_back" (gapbu02bulp0102:636): Schema replication update failed: Type or value exists
[24/Apr/2009:09:53:44 +0200] NSMMReplicationPlugin - agmt="cn=GRS_ppal-GAPBU_back" (gapbu02bulp0102:636): Warning: unable to replicate schema: rc=2
How can I get more info about this error?
Regards.
14 years, 11 months
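The log lines above name the replication agreement but not the schema element that conflicts. One offline check a practitioner can run before forcing anything is to compare the user-defined schema of the two servers (each Fedora DS instance keeps it in /etc/dirsrv/slapd-<instance>/schema/99user.ldif) by OID and list what exists on one side only or is defined differently. The script below is an added example, not code from the post or from the Fedora DS project; the two schema fragments are constructed and the OID arc 1.3.6.1.4.1.99999 is a placeholder, not an assigned one.

```python
"""Compare two servers' user-defined schema (e.g. their 99user.ldif files)
by OID and report the definitions that differ. Added example, not code from
the post or from the Fedora DS project."""
import re

DEF_LINE = re.compile(r"^(attributeTypes|objectClasses):[ \t]*(.+)$", re.M)
OID = re.compile(r"\(\s*([0-9.]+)\s")
NAME = re.compile(r"NAME\s+\(?\s*'([^']+)'")


def parse_schema(ldif_text):
    """Map (kind, oid) -> (name, whitespace-normalized definition text)."""
    defs = {}
    # LDIF folds long values as newline + one space; undo that first.
    for kind, body in DEF_LINE.findall(re.sub(r"\n ", "", ldif_text)):
        value = " ".join(body.split())
        oid, name = OID.match(value), NAME.search(value)
        if not oid:
            raise ValueError("definition without OID: " + value)
        defs[(kind, oid.group(1))] = (name.group(1) if name else "", value)
    return defs


def compare_schema(supplier_ldif, consumer_ldif):
    """Return which (kind, oid, name) exist on one side only or differ."""
    sup, con = parse_schema(supplier_ldif), parse_schema(consumer_ldif)
    report = {"only_on_supplier": [], "only_on_consumer": [], "different": []}
    for kind, oid in sorted(sup.keys() | con.keys()):
        name, _ = sup.get((kind, oid)) or con[(kind, oid)]
        if (kind, oid) not in con:
            report["only_on_supplier"].append((kind, oid, name))
        elif (kind, oid) not in sup:
            report["only_on_consumer"].append((kind, oid, name))
        elif sup[(kind, oid)][1] != con[(kind, oid)][1]:
            report["different"].append((kind, oid, name))
    return report


# Constructed schema fragments standing in for the two servers' 99user.ldif
# files; the OID arc 1.3.6.1.4.1.99999 is a placeholder, not an assigned one.
SUPPLIER_99USER = """dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleDept' DESC 'dept code'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleBadge'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top AUXILIARY
  MAY ( exampleDept $ exampleBadge ) X-ORIGIN 'user defined' )
"""

CONSUMER_99USER = """dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleDept' DESC 'dept code'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top AUXILIARY
  MAY ( exampleDept ) X-ORIGIN 'user defined' )
"""


def report_example():
    """Compare the two constructed fragments."""
    return compare_schema(SUPPLIER_99USER, CONSUMER_99USER)


if __name__ == "__main__":
    for category, items in report_example().items():
        print(category, items)
```

Definitions are compared after whitespace normalization only, so a definition that is equivalent but written differently (NAME aliases in another order, for instance) is also reported; treat the output as a list of places to look, not a verdict on which side is wrong.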
RE: [Fedora-directory-users] LDAP proxy
by Michal Rejda
> Michal Rejda wrote:
> >> Michal Rejda wrote:
> >>>> Michal Rejda wrote:
> >>>>>> Michal Rejda wrote:
> >>>>>>>> Michal Rejda wrote:
> >>>>>>>>>> -----Original Message-----
> >>>>>>>>>> From: fedora-directory-users-bounces(a)redhat.com [mailto:fedora-directory-users-bounces(a)redhat.com] On Behalf Of Rich Megginson
> >>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
> >>>>>>>>>> To: General discussion list for the Fedora Directory server project.
> >>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
> >>>>>>>>>>
> >>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I set up the database link to the Active Directory (and OpenLDAP). When I looked into the Wireshark log, FDS sent a search request with controls:
> >>>>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>>> 2.16.840.1.113730.3.4.12
> >>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
> >>>>>>>>>>>
> >>>>>>>>>>> I tried to remove these two controls from Database Link Settings (in the administration console) but it didn't help. The server didn't return the message above, but the administrative console showed an error dialog.
> >>>>>>>>>>
> >>>>>>>>>> What error?
> >>>>>>>>>
> >>>>>>>>> I tried it again and the error message is exactly:
> >>>>>>>>>
> >>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
> >>>>>>>>> The error send by the server was:
> >>>>>>>>> ".
> >>>>>>>>>
> >>>>>>>>> In the Wireshark log there was still the search request with control:
> >>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>
> >>>>>>>>> Why is this control needed by the server when I removed it from Database link settings?
> >>>>>>>>
> >>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
> >>>>>>>> 1) Shutdown the server
> >>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
> >>>>>>>> 3) edit dse.ldif - look for the entry
> >>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
> >>>>>>>> 4) edit the nsTransmittedControls attribute - remove
> >>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>> 5) save and restart the server
> >>>>>>>
> >>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.
> >>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
> >>>>>>
> >>>>>> If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.
> >>>>>>
> >>>>>>> Why is this so necessary?
> >>>>>>
> >>>>>> It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.
> >>>>>
> >>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.
> >>>>
> >>>> Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >>>
> >>> In the attachment is the part of the server error log. I removed all messages before I clicked on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?
> >>
> >> Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).
> >
> > Yes, you are right. I use the console to browse the AD tree. But I do this because there is an attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.
> > I tried ldapsearch using an AD user (Administrator). I'm able to log in but the ldapsearch doesn't show any results (I use Apache Directory Studio). When I looked into the Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
>
> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.
It works. Thank you very much! I can connect to the AD and list users and whatever I want.
I have one more difficulty. When I send ldapmodify to the node in the AD, FDS adds to this request two more attributes (modifiersname, modifytimestamp). AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece). Is it possible to disable this functionality or rewrite attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change the AD schema.
> >
> >>>>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I'm trying to set up a proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> 1) New database link to LDAP server.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
> >>>>>>>>>>>>
> >>>>>>>>>>>> You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft
> >>>>>>>>>>>>
> >>>>>>>>>>>>> 2) Create multiple-master replication and set up the other server as consumer.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> - But this shows error: 255 Replication error acquiring replica: unknown error.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
> >>>>>>>>>>>>
> >>>>>>>>>>>>> My question is: Is there a way to set up a proxy to access another LDAP server from Fedora DS? I know that it is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to set up a proxy is to use data stored in LDAP servers (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
> >>>>>>>>>>>>
> >>>>>>>>>>>> See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Thank you for reply.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Michal
> >>>>>>> --
> >>>>>>> Fedora-directory-users mailing list
> >>>>>>> Fedora-directory-users(a)redhat.com
> >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
14 years, 11 months
[Fedora-directory-users] dna
by Edward "koko" Konetzko
I have been wanting to test out lib dna; can anyone tell me why the
redhat-ds-base packages have "--disable-dna" on their configure line?
Are there problems with dna in the 8.0.4 release? Also, if there is a
better way of using dna with Red Hat Directory Server, can someone point
me in that direction? I do not have official Red Hat support for
Directory Server as I am testing it out before we go through the whole
process of purchasing it.
Thank you for your help in advance.
Edward
14 years, 11 months
[Fedora-directory-users] ConfigFile directives in .inf-files
by tamarin p
I'm (still :) trying to fully automate ldap installation for our specific
deployment with setup-ds.pl in silent mode.. I have an inf which uses
ConfigFile directives to try to define indexes, cache sizes and other
settings for the directory server. My problem is, only a small part of those
ConfigFiles are applied when I check dse.ldif after, but no errors anywhere.
I tried using --debug but the only output I could see of relevance was:
"+Processing config.ldif ..."
"+Processing indexes.ldif ..."
NONE of the settings in the ConfigFile make it to dse.ldif except
"nsslapd-dbcachesize" and "nsslapd-cachememsize". These are both set
properly, or I would doubt whether the files had been processed at all. But
the replication manager isn't created, size/timelimits are not set, and so
on, and the same goes for indexes. I can see nothing in the output log from
the script and there's nothing in the logs for the newly created server.
If I instead add the ConfigFiles with ldapmodify, things work fine.
My guess is I'm trying to modify attributes that don't exist yet? The Red
Hat documentation at
http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Gu...
seems to indicate that I should be able to create a replication manager, but
the difference I can tell from the docs is that their RM is made in the
directory itself while I'm trying to use the cn=config database.
Here's a snippet from my config.ldif:
# doesn't get created
dn: cn=replication manager,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: password
passwordExpirationTime: 20380119031407Z

# is set properly
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-dbcachesize
nsslapd-dbcachesize: 512000000

# is not set
dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 20000
-
replace: nsslapd-timelimit
nsslapd-timelimit: 120

# is set
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: 512000000
14 years, 11 months
[Fedora-directory-users] DSGW Unable to Authenticate
by Peter Green
Hi,
I have recently set up FDS on CentOS 5.2 (i386), following the
installation instructions:
http://directory.fedoraproject.org/wiki/Install_Guide
I have also enabled SSL on the system:
http://directory.fedoraproject.org/wiki/Howto:SSL
I've also created a certificate DB and imported my CA certificate into
it, as per the instructions here:
http://directory.fedoraproject.org/wiki/DSGW
However, the DSGW is unable to authenticate me, displaying the following
error message: "Authentication failed because the server was unable to
generate authentication credentials. The authentication database could
not be opened."
The odd thing is that the Directory Server Express tool (which allows
users to edit their profile and change their password via a web page)
_can_ authenticate users.
I can't see any useful output in the admin server logs
(/var/log/dirsrv/admin-serv/*), so I'm a bit stuck and not sure what
else to investigate.
I did pop onto the #fedora-ds IRC channel yesterday and was informed
that the DSGW component isn't used much. So, my next port of call is
this mailing list!
I really need some sort of web-based management tool for administering
users and groups, at a minimum. phpLDAPadmin has been suggested and I
notice a page on the FDS wiki for this, but I wondered if anyone could
assist with DSGW first? Otherwise, anybody have any pointers about using
phpLDAPadmin?
Thank you in advance,
--
Peter Green B.Sc. (Hons) M.B.C.S.
Director / Technical Lead
Bexley I.T. Solutions Ltd.
M: +44 (0) 7908 135 070
14 years, 11 months
RE: [Fedora-directory-users] LDAP proxy
by Michal Rejda
> Michal Rejda wrote:
> >> Michal Rejda wrote:
> >>>> Michal Rejda wrote:
> >>>>>> Michal Rejda wrote:
> >>>>>>>> Michal Rejda wrote:
> >>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>>> From: fedora-directory-users-bounces(a)redhat.com [mailto:fedora-directory-users-bounces(a)redhat.com] On Behalf Of Rich Megginson
> >>>>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
> >>>>>>>>>>>> To: General discussion list for the Fedora Directory server project.
> >>>>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
> >>>>>>>>>>>>
> >>>>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I set up the database link to the Active Directory (and OpenLDAP). When I looked into the Wireshark log, FDS sent a search request with controls:
> >>>>>>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>>>>> 2.16.840.1.113730.3.4.12
> >>>>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I tried to remove these two controls from Database Link Settings (in the administration console) but it didn't help. The server didn't return the message above, but the administrative console showed an error dialog.
> >>>>>>>>>>>>
> >>>>>>>>>>>> What error?
> >>>>>>>>>>>
> >>>>>>>>>>> I tried it again and the error message is exactly:
> >>>>>>>>>>>
> >>>>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
> >>>>>>>>>>> The error send by the server was:
> >>>>>>>>>>> ".
> >>>>>>>>>>>
> >>>>>>>>>>> In the Wireshark log there was still the search request with control:
> >>>>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>>>
> >>>>>>>>>>> Why is this control needed by the server when I removed it from Database link settings?
> >>>>>>>>>>
> >>>>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
> >>>>>>>>>> 1) Shutdown the server
> >>>>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
> >>>>>>>>>> 3) edit dse.ldif - look for the entry
> >>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
> >>>>>>>>>> 4) edit the nsTransmittedControls attribute - remove
> >>>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>> 5) save and restart the server
> >>>>>>>>>
> >>>>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.
> >>>>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
> >>>>>>>>
> >>>>>>>> If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.
> >>>>>>>>
> >>>>>>>>> Why is this so necessary?
> >>>>>>>>
> >>>>>>>> It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.
> >>>>>>>
> >>>>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.
> >>>>>>
> >>>>>> Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >>>>>
> >>>>> In the attachment is the part of the server error log. I removed all messages before I clicked on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?
> >>>>
> >>>> Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).
> >>>
> >>> Yes, you are right. I use the console to browse the AD tree. But I do this because there is an attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.
> >>> I tried ldapsearch using an AD user (Administrator). I'm able to log in but the ldapsearch doesn't show any results (I use Apache Directory Studio). When I looked into the Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
> >>
> >> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.
> >
> > It works. Thank you very much! I can connect to the AD and list users and whatever I want.
> > I have one more difficulty. When I send ldapmodify to the node in the AD, FDS adds to this request two more attributes (modifiersname, modifytimestamp). AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece). Is it possible to disable this functionality
> Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0
> > or rewrite attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change the AD schema.
> >
> No, it's not possible to map it.
Perhaps one of the last questions on LDAP proxy :-) Is there a way to set up permissions to list/search AD using chaining? I'm looking into the administration guide and if I see it well, I have to set up ACI on the AD. But AD does not have ACI attributes. I tried to add ACI on the cn=link-ads,cn=chaining database,cn=plugins,cn=config but it didn't help.
>
> BTW, I would really appreciate it if you could write up something for the wiki about "using chaining to create an AD 'view'" - if you would rather just send me the info in an email, that would be fine too.
> >
> >>>>>>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I'm trying to set up a proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> 1) New database link to LDAP server.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> 2) Create multiple-master replication and set up the other server as consumer.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> - But this shows error: 255 Replication error acquiring replica: unknown error.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> My question is: Is there a way to set up a proxy to access another LDAP server from Fedora DS? I know that it is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to set up a proxy is to use data stored in LDAP servers (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thank you for reply.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Michal
> >>>>>>>>> --
> >>>>>>>>> Fedora-directory-users mailing list
> >>>>>>>>> Fedora-directory-users(a)redhat.com
> >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
14 years, 11 months
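Both LDAP proxy posts above come down to editing a stopped instance's dse.ldif (removing OIDs from nsTransmittedControls on the chaining database config entry and turning nsProxiedAuthorization off for the link), and tamarin's ConfigFile post earlier on this page feeds the same kind of LDIF change records to setup-ds.pl. The script below is an added example, not code from the threads or from the Fedora DS project: a small LDIF change-record applier that parses dse.ldif-style text and applies changetype add/modify records to it in memory, so the effect of a change file can be checked before it is used. The two dse.ldif entries and the change records are constructed; the link name cn=link-ads and the control OIDs are the ones from the thread, and the flag is written as off rather than Rich's 0 because on/off are the documented values for nsProxiedAuthorization.

```python
"""Preview LDIF change records against a parsed copy of dse.ldif.
Added example; not code from the threads or from the Fedora DS project."""


def parse_records(text):
    """Split LDIF into records of (name, value) pairs. Folded lines (leading
    space) are joined, '#' comments dropped, and a bare '-' becomes ('-', '')
    so a modify record keeps the boundaries between its operations."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif line == "-":
            current.append(("-", ""))
        else:
            name, sep, value = line.partition(":")
            if not sep or value[:1] in (":", "<"):  # base64 / URL values
                raise ValueError("unsupported LDIF line: " + line)
            current.append((name.strip(), value.strip()))
    return records


def modify_entry(entry, ops):
    """Apply the '-'-separated add/replace/delete groups of one modify record
    to an entry held as a list of (attr, value) pairs."""
    groups = [[]]
    for pair in ops:
        if pair[0] == "-":
            groups.append([])
        else:
            groups[-1].append(pair)
    for group in filter(None, groups):
        (op, attr), given = group[0], [v for _, v in group[1:]]
        a, new = attr.lower(), [(attr, v) for v in given]
        if op == "replace":
            entry = [p for p in entry if p[0].lower() != a] + new
        elif op == "add":
            entry = entry + new
        elif op == "delete":  # no values listed means delete the attribute
            entry = [p for p in entry
                     if p[0].lower() != a or (given and p[1] not in given)]
        else:
            raise ValueError("unsupported modify operation: " + op)
    return entry


def apply_changes(dse_text, change_text):
    """Parse dse_text, apply the changetype add/modify records of change_text
    in order, and return {dn.lower(): [(attr, value), ...]}."""
    directory = {rec[0][1].lower(): rec for rec in parse_records(dse_text)}
    for rec in parse_records(change_text):
        (_, dn), (_, changetype), ops = rec[0], rec[1], rec[2:]
        key = dn.lower()
        if changetype == "add" and key not in directory:
            directory[key] = [("dn", dn)] + ops
        elif changetype == "modify" and key in directory:
            directory[key] = modify_entry(directory[key], ops)
        else:
            raise ValueError(f"cannot {changetype} {dn}")
    return directory


def values(directory, dn, attr):
    """All values of attr on entry dn (attribute names are case-insensitive)."""
    return [v for n, v in directory[dn.lower()] if n.lower() == attr.lower()]


# Constructed stand-in for two dse.ldif entries (not a real server's file);
# the control OIDs and the link name are the ones named in the thread.
SAMPLE_DSE = """dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12

dn: cn=link-ads,cn=chaining database,cn=plugins,cn=config
nsProxiedAuthorization: on
"""

# Constructed change records doing what Rich suggested: drop the ManageDsaIT
# (2.16.840.1.113730.3.4.2) and proxied authorization (2.16.840.1.113730.3.4.12)
# controls, then switch proxied authorization off for the AD link.
CHANGES = """dn: cn=config,cn=chaining database,cn=plugins,cn=config
changetype: modify
delete: nsTransmittedControls
nsTransmittedControls: 2.16.840.1.113730.3.4.2
-
delete: nsTransmittedControls
nsTransmittedControls: 2.16.840.1.113730.3.4.12

dn: cn=link-ads,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsProxiedAuthorization
nsProxiedAuthorization: off
"""


def preview():
    """The sample dse.ldif entries after CHANGES has been applied."""
    return apply_changes(SAMPLE_DSE, CHANGES)
```

With proxied authorization off, the remote server sees every chained operation under the link's own bind identity rather than the requesting user's, so the remote side's access control no longer distinguishes between the proxy's users; the account the link binds with should be granted only the rights the proxied users collectively need. The applier raises on base64 (::) and URL (:<) values rather than guessing at them, and any edit it previews for a live instance should still be made with the server stopped, as Rich describes in the thread.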