Michal Rejda wrote:>> Michal Rejda wrote:
>>
>>>> Michal Rejda wrote:
>>>>
>>>>
>>>>>> Michal Rejda wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: fedora-directory-users-bounces@redhat.com
[mailto:fedora-
>>>>>>>> directory-users-bounces@redhat.com] On Behalf
Of Rich Megginson
>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>>>> To: General discussion list for the Fedora
Directory server
>>>>>>>>
>>>>>>>>
>>>> project.
>>>>
>>>>
>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP
proxy
>>>>>>>>
>>>>>>>> Michal Rejda wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> I tried to use http://tinyurl.com/culeft.
But the database link
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> doesn''t work. I setup the database
link to the Active Directory
>>>>>>>>
>>>>>>>>
>>>> (and
>>>>
>>>>
>>>>>>>> OpenLDAP). When I looked into Wireshark log,
FDS send search
>>>>>>>>
>>>>>>>>
>>>> request
>>>>
>>>>
>>>>>>>> with controls:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>> 2.16.840.1.113730.3.4.12
>>>>>>>>> And the AD server responded: Unavailable
Critical Extension.
>>>>>>>>>
>>>>>>>>> I tried to remove this two controls from
Database Link Settings
>>>>>>>>>
>>>>>>>>>
>>>> (in
>>>>
>>>>
>>>>>>>> administration console) but it didn''t
help. The server didn''t
>>>>>>>>
>>>>>>>>
>>>> return
>>>>
>>>>
>>>>>>>> the message above, but the administrative
console show error
>>>>>>>>
>>>>>>>>
>>>> dialog.
>>>>
>>>>
>>>>>>>> What error?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I tried it again and the error message is exactly:
>>>>>>>
>>>>>>> Error fading object ''dn: dc=example,
dc=com''.
>>>>>>> The error send by the server was:
>>>>>>> ".
>>>>>>>
>>>>>>> In the Whireshark log was still the search request
witch control:
>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>
>>>>>>> Why is this control needed by the server when I
removed it from
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Database link settings?
>>>>>>
>>>>>> I''m not sure - maybe the console is not
working correctly. Try
>>>>>>
>> this:
>>
>>>>>> 1) Shutdown the server
>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>>>> 3) edit dse.ldif - look for the entry
>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>> 4) edit the nsTransmittedControls attribute - remove
>>>>>> 2.16.840.1.113730.3.4.2
>>>>>> 5) save and restart the server
>>>>>>
>>>>>>
>>>>>>
>>>>> I looked into dse.ldif for a nsTransmittedControls
attribute. There
>>>>>
>>>>>
>>>> is only the 1.3.6.1.4.1.1466.29539.12. , not the problematic
>>>> 2.16.840.1.113730.3.4.2.
>>>>
>>>>
>>>>> Isn''t the 2.16.840.1.113730.3.4.2 hardcoded?
>>>>>
>>>>>
>>>> If it is, I don''t see it. There is no mention of
managedsa or
>>>> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code.
The
>>>> only place it is mentioned is in the default list of
>>>> nsTransmittedControls in the template-dse.ldif used during new
>>>> instance creation.
>>>>
>>>>
>>>>> Why is this so necessary?
>>>>>
>>>>>
>>>>>
>>>> It''s not necessary, and I''m not sure where it
is coming from. Once
>>>> place might be an internal operation, but I''m not sure
what internal
>>>> operation would be doing this. You might also try to remove
>>>> nsActiveChainingComponents and nsPossibleChainingComponents to
see
>>>>
>> if
>>
>>>> one of those components is doing an internal operation with
>>>> managedsait set.
>>>>
>>>>
>>> I removed nsActiveChainingComponents and
nsPossibleChainingComponents
>>>
>> and it didn''t help.
>>
>> Then I''m not sure where it''s coming from. I suppose
you could enable
>> tracing in the directory server and see if there is anything
>> interesting in the error log - see
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>
>
> In the attachment is the part of the server error log. I removed all
messages before I click on the exclamation mark before the DN in the Fedora
administration console -> Directory folder tab. I don''t understand
this log. It is helpful for you?
>
>
Ah, I see. You are using the console to try to browse the AD tree? And
you are using the console admin user "admin"? Try ldapsearch from the
command line, and attempt to authenticate as an AD user (e.g.
cn=administrator,cn=users,dc=example,dc=com).>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> I’m trying to setup proxy on FDS to
another LDAP server
>>>>>>>>>>>
>>>>>>>>>>>
>>>> (OpenLDAP
>>>>
>>>>
>>>>>>>>>>> and Active Directory). I tried two
ways, but none of these
>>>>>>>>>>>
>>>>>>>>>>>
>>>> works:
>>>>
>>>>
>>>>>>>>>>> 1) New database link to LDAP
server.
>>>>>>>>>>>
>>>>>>>>>>> - The remote LDAP server (OpenLDAP)
returns: null.
>>>>>>>>>>>
>> manageDSAit
>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> control
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> value not found
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> You might have to tweak the controls
used by chaining - see
>>>>>>>>>> http://tinyurl.com/culeft
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> 2) Create multiple-master
replication and setup other server
>>>>>>>>>>> as
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> consumer.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> - But this show error: 255
Replication error acquiring
>>>>>>>>>>>
>> replica:
>>
>>>>>>>>>>> unknown error.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Replication will only work to a SunDS,
not to any other
>>>>>>>>>>
>> vendor.
>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> My question is: Is there way how to
setup proxy to access
>>>>>>>>>>>
>>>>>>>>>>>
>>>> another
>>>>
>>>>
>>>>>>>>>>>
>>>>>>>>>> LDAP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> server from Fedora DS? I know that
is possible to use AD
>>>>>>>>>>>
>> sync,
>>
>>>>>>>>>>>
>>>>>> but
>>>>>>
>>>>>>
>>>>>>
>>>>>>>> I
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>>> cannot install anything on the AD
server. The second reason
>>>>>>>>>>> why
>>>>>>>>>>>
>>>>>>>>>>>
>>>> I
>>>>
>>>>
>>>>>>>>>>>
>>>>>>>>>> need
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> to setup proxy is to use data
stored in LDAP server
>>>>>>>>>>>
>> (OpenLDAP,
>>
>>>>>>>>>>> Open Direcoty Server and Active
Directory) in one place. I
>>>>>>>>>>> need
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>> to
>>>>>>
>>>>>>
>>>>>>
>>>>>>>> update
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>>> them too. It is not necessary to
synchronize passwords.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> See also
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>
http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>
>>>>
>>>>>>>>>>
>>>>>>>>>>> Thank you for reply.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Michal
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users@redhat.com
>>>>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>
>>>>>
>>>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>