Michal Rejda wrote:
>> Michal Rejda wrote:
>>>> Michal Rejda wrote:
>>>>>> Michal Rejda wrote:
>>>>>>>> Michal Rejda wrote:
>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: fedora-directory-users-bounces(a)redhat.com
>>>>>>>>>>> [mailto:fedora-directory-users-bounces(a)redhat.com] On Behalf Of Rich Megginson
>>>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>>>>>>>
>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link
>>>>>>>>>>>>> doesn't work. I set up the database link to the Active Directory
>>>>>>>>>>>>> (and OpenLDAP). When I looked into the Wireshark log, FDS sends
>>>>>>>>>>>>> the search request with controls:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>>> 2.16.840.1.113730.3.4.12
>>>>>>>>>>>>>
>>>>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>>>>>>>> I tried to remove these two controls from Database Link Settings
>>>>>>>>>>>>> (in the administration console) but it didn't help. The server
>>>>>>>>>>>>> didn't return the message above, but the administrative console
>>>>>>>>>>>>> showed an error dialog.
>>>>>>>>>>>>
>>>>>>>>>>>> What error?
>>>>>>>>>>>
>>>>>>>>>>> I tried it again and the error message is exactly:
>>>>>>>>>>>
>>>>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
>>>>>>>>>>> The error sent by the server was:
>>>>>>>>>>> ".
>>>>>>>>>>>
>>>>>>>>>>> In the Wireshark log there was still the search request with control:
>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>
>>>>>>>>>>> Why is this control needed by the server when I removed it from the
>>>>>>>>>>> Database link settings?
>>>>>>>>>>
>>>>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
>>>>>>>>>> 1) Shut down the server
>>>>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>>>>>>>> 3) edit dse.ldif - look for the entry
>>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>>>>> 4) edit the nsTransmittedControls attribute - remove
>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>> 5) save and restart the server
>>>>>>>>>
>>>>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There
>>>>>>>>> is only the 1.3.6.1.4.1.1466.29539.12, not the problematic
>>>>>>>>> 2.16.840.1.113730.3.4.2.
>>>>>>>>>
>>>>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>>>>>>>
>>>>>>>> If it is, I don't see it. There is no mention of managedsait or
>>>>>>>> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code.
>>>>>>>> The only place it is mentioned is in the default list of
>>>>>>>> nsTransmittedControls in the template-dse.ldif used during new
>>>>>>>> instance creation.
>>>>>>>>
>>>>>>>>> Why is this so necessary?
>>>>>>>>
>>>>>>>> It's not necessary, and I'm not sure where it is coming from.
>>>>>>>> One place might be an internal operation, but I'm not sure what
>>>>>>>> internal operation would be doing this. You might also try to
>>>>>>>> remove nsActiveChainingComponents and
>>>>>>>> nsPossibleChainingComponents to see if one of those components is
>>>>>>>> doing an internal operation with managedsait set.
>>>>>>>
>>>>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents
>>>>>>> and it didn't help.
>>>>>>
>>>>>> Then I'm not sure where it's coming from. I suppose you could enable
>>>>>> tracing in the directory server and see if there is anything
>>>>>> interesting in the error log - see
>>>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>>
>>>>> In the attachment is the part of the server error log. I removed all
>>>>> messages before I clicked on the exclamation mark before the DN in the
>>>>> Fedora administration console -> Directory folder tab. I don't
>>>>> understand this log. Is it helpful for you?
>>>>
>>>> Ah, I see. You are using the console to try to browse the AD tree?
>>>> And you are using the console admin user "admin"? Try ldapsearch from
>>>> the command line, and attempt to authenticate as an AD user (e.g.
>>>> cn=administrator,cn=users,dc=example,dc=com).
>>>
>>> Yes, you are right. I use the console to browse the AD tree. But I do
>>> this because there is an attention marker before the root suffix
>>> (lib-w2k3r2) in the Directory tab and I just double click on it.
>>>
>>> I tried ldapsearch using an AD user (Administrator). I'm able to log in
>>> but the ldapsearch doesn't show any results (I use Apache Directory
>>> Studio). When I looked into the Wireshark log, I now see that another
>>> critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in
>>> the attachment.
>>
>> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.
>> Set nsProxiedAuthorization to 0 - that should make it not use
>> 2.16.840.1.113730.3.4.12 which is the proxyauth control.
>
> It works. Thank you very much! I can connect to the AD and list users and
> whatever I want.
>
> I have one more difficulty. When I send ldapmodify to the node in the AD,
> FDS adds two more attributes (modifiersname, modifytimestamp) to this
> request. AD doesn't know these attributes and returns the error
> (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in
> attribute conversion operation, data 0, vece). Is it possible to disable
> this functionality

Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0

> or rewrite the attribute names into AD attribute names (e.g.
> modifytimestamp -> whenChanged)? I cannot change the AD schema.

No, it's not possible to map it.

BTW, I would really appreciate it if you could write up something for
the wiki about "using chaining to create an AD 'view'" - if you would
rather just send me the info in an email, that would be fine too.

>>>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm trying to set up a proxy on FDS to another LDAP server
>>>>>>>>>>>>>>> (OpenLDAP and Active Directory). I tried two ways, but none of
>>>>>>>>>>>>>>> these works:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1) New database link to LDAP server.
>>>>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit
>>>>>>>>>>>>>>> control value not found
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You might have to tweak the controls used by chaining - see
>>>>>>>>>>>>>> http://tinyurl.com/culeft
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2) Create multiple-master replication and set up the other
>>>>>>>>>>>>>>> server as consumer.
>>>>>>>>>>>>>>> - But this shows error: 255 Replication error acquiring replica:
>>>>>>>>>>>>>>> unknown error.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> My question is: Is there a way to set up a proxy to access
>>>>>>>>>>>>>>> another LDAP server from Fedora DS? I know that it is possible
>>>>>>>>>>>>>>> to use AD sync, but I cannot install anything on the AD server.
>>>>>>>>>>>>>>> The second reason why I need to set up a proxy is to use data
>>>>>>>>>>>>>>> stored in LDAP servers (OpenLDAP, Open Directory Server and
>>>>>>>>>>>>>>> Active Directory) in one place. I need to update them too. It
>>>>>>>>>>>>>>> is not necessary to synchronize passwords.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> See also
>>>>>>>>>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you for the reply.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Michal

------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
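The thread ends with three separate settings that had to change before the database link to AD worked: the ManageDSAIT and proxied-authorization control OIDs in nsTransmittedControls, nsProxiedAuthorization on the link, and nsslapd-lastmod in cn=config. As an added example (not code from the thread or from the Fedora/389 Directory Server project), the following script reads a dse.ldif, reports every one of those settings that is still in its AD-hostile state, and prints the ldapmodify LDIF that fixes them. The embedded dse.ldif fragment is constructed: the DNs and attribute names are the real 389 DS ones, but the link name cn=ad-link, the farm URL and the bind DN are made up, and the explanatory "why" strings are this script's own wording.

```python
"""Audit a Fedora/389 Directory Server dse.ldif for the chaining settings
that made Active Directory reject chained operations, and emit the
ldapmodify LDIF that applies the fixes from the thread.

Added example, not project code. SAMPLE_DSE_LDIF is a constructed fragment:
real DNs and attribute names, made-up link name, farm URL and bind DN."""
import base64
import sys

MANAGEDSAIT = "2.16.840.1.113730.3.4.2"    # ManageDSAIT (RFC 3296)
PROXIED_AUTH = "2.16.840.1.113730.3.4.12"  # Proxied Authorization (v1)
LOOP_DETECT = "1.3.6.1.4.1.1466.29539.12"  # chaining loop detection; AD accepted it
# The AD server in the thread answered these with "Unavailable Critical Extension".
REJECTED_BY_AD = {
    MANAGEDSAIT: "AD rejects the ManageDSAIT control as an unavailable critical extension",
    PROXIED_AUTH: "AD rejects the proxied authorization control; also disable it on the link",
}
CHAINING_SUFFIX = "cn=chaining database,cn=plugins,cn=config"
TRUE_VALUES = {"on", "1", "true", "yes"}

SAMPLE_DSE_LDIF = """\
dn: cn=config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12

dn: cn=ad-link,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://ad.example.com:389/
nsMultiplexorBindDN: cn=fds-proxy,cn=Users,dc=example,dc=com
nsProxiedAuthorization: on
"""


def norm_dn(dn):
    """Case- and whitespace-insensitive DN key; enough for these config DNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader -> {norm_dn: {lowercase attr: [values]}}; unfolds
    continuation lines, skips comments, decodes '::' base64 values. The
    original DN is kept under the 'dn' key for use in the output LDIF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[norm_dn(dn)] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                 if value.startswith(":") else value.strip())
        if name.lower() == "dn":
            dn, attrs = value, {"dn": [value]}
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def is_on(values, default="on"):
    """389 DS boolean; an absent attribute means the documented default."""
    return (values[0] if values else default).strip().lower() in TRUE_VALUES


def audit(entries):
    """Return a modification spec for every setting that breaks chaining to AD."""
    findings = []
    for key, attrs in entries.items():
        dn = attrs["dn"][0]
        if key == "cn=config":
            # Global: with lastmod on, FDS adds modifiersName/modifyTimestamp to
            # every chained modify and AD refuses the unknown attributes.
            if is_on(attrs.get("nsslapd-lastmod")):
                findings.append(dict(dn=dn, op="replace", attr="nsslapd-lastmod", value="off",
                                     why="AD rejects the modifiersName/modifyTimestamp FDS adds"))
            continue
        if not key.endswith(CHAINING_SUFFIX):
            continue
        for oid in attrs.get("nstransmittedcontrols", []):
            if oid in REJECTED_BY_AD:
                findings.append(dict(dn=dn, op="delete", attr="nsTransmittedControls",
                                     value=oid, why=REJECTED_BY_AD[oid]))
        # nsProxiedAuthorization lives on each link entry (the one carrying
        # nsFarmServerURL) and defaults to on.
        if "nsfarmserverurl" in attrs and is_on(attrs.get("nsproxiedauthorization")):
            findings.append(dict(dn=dn, op="replace", attr="nsProxiedAuthorization", value="off",
                                 why="every chained operation will bind to AD as nsMultiplexorBindDN"))
    return findings


def fix_ldif(findings):
    """Render the findings as one ldapmodify-ready LDIF document (RFC 2849)."""
    by_dn = {}
    for f in findings:
        by_dn.setdefault(f["dn"], []).append(f)
    out = []
    for dn, mods in by_dn.items():
        out += [f"dn: {dn}", "changetype: modify"]
        for m in mods:
            out += [f"# {m['why']}", f"{m['op']}: {m['attr']}", f"{m['attr']}: {m['value']}", "-"]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DSE_LDIF
    found = audit(parse_ldif(src))
    print(fix_ldif(found) or "# no AD-incompatible chaining settings found")
    sys.exit(1 if found else 0)
```

Run it as `python audit_chaining.py /etc/dirsrv/slapd-yourinstance/dse.ldif` and feed the output to `ldapmodify -x -D "cn=Directory Manager" -W`, or apply it as Rich suggested, by editing dse.ldif with the server stopped; restart afterwards either way. Two caveats a practitioner should weigh before applying all three changes. With nsProxiedAuthorization off, AD no longer sees the identity of the user who bound to FDS: every chained operation runs with whatever rights nsMultiplexorBindDN has in AD, so that account should get the minimum AD permissions the "view" needs, and per-user restrictions have to be enforced by the FDS ACIs on the link (nsCheckLocalACI) rather than by AD. And nsslapd-lastmod is a global switch in cn=config, so turning it off to satisfy AD also stops the local backends from recording modifiersName/modifyTimestamp, which removes a useful audit trail on the FDS side.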