Michal Rejda wrote:
>> Michal Rejda wrote:
>>
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich Megginson
>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>
>>>> Michal Rejda wrote:
>>>>
>>>>> I tried to use http://tinyurl.com/culeft. But the database link
>>>>> doesn't work. I set up the database link to the Active Directory
>>>>> (and OpenLDAP). When I looked into the Wireshark log, FDS sends a
>>>>> search request with controls:
>>>>> 2.16.840.1.113730.3.4.2
>>>>> 2.16.840.1.113730.3.4.12
>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>
>>>>> I tried to remove these two controls from Database Link Settings
>>>>> (in administration console) but it didn't help. The server didn't
>>>>> return the message above, but the administrative console shows an
>>>>> error dialog.
>>>>
>>>> What error?
>>>>
>>>>
>>> I tried it again and the error message is exactly:
>>>
>>> Error fading object 'dn: dc=example, dc=com'.
>>> The error send by the server was:
>>> ".
>>>
>>> In the Wireshark log was still the search request with control:
>>> 2.16.840.1.113730.3.4.2
>>>
>>> Why is this control needed by the server when I removed it from
>>> Database link settings?
>>
>> I'm not sure - maybe the console is not working correctly. Try this:
>> 1) Shutdown the server
>> 2) cd /etc/dirsrv/slapd-yourinstance
>> 3) edit dse.ldif - look for the entry
>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>> 4) edit the nsTransmittedControls attribute - remove
>> 2.16.840.1.113730.3.4.2
>> 5) save and restart the server
>>
>
> I looked into dse.ldif for a nsTransmittedControls attribute. There is
> only the 1.3.6.1.4.1.1466.29539.12, not the problematic
> 2.16.840.1.113730.3.4.2.
> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
If it is, I don't see it. There is no mention of managedsa or
2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only
place it is mentioned is in the default list of nsTransmittedControls in
the template-dse.ldif used during new instance creation.
> Why is this so necessary?
>
It's not necessary, and I'm not sure where it is coming from. One place
might be an internal operation, but I'm not sure what internal operation
would be doing this. You might also try to remove
nsActiveChainingComponents and nsPossibleChainingComponents to see if
one of those components is doing an internal operation with managedsait
set.
>
>>>>>> Michal Rejda wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I’m trying to set up a proxy on FDS to another LDAP server
>>>>>>> (OpenLDAP and Active Directory). I tried two ways, but none of
>>>>>>> these works:
>>>>>>>
>>>>>>> 1) New database link to LDAP server.
>>>>>>>
>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit
>>>>>>> control value not found
>>>>>>
>>>>>> You might have to tweak the controls used by chaining - see
>>>>>> http://tinyurl.com/culeft
>>>>>>
>>>>>>> 2) Create multiple-master replication and set up the other
>>>>>>> server as consumer.
>>>>>>>
>>>>>>> - But this shows error: 255 Replication error acquiring replica:
>>>>>>> unknown error.
>>>>>>
>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>
>>>>>>> My question is: Is there a way to set up a proxy to access
>>>>>>> another LDAP server from Fedora DS? I know that it is possible
>>>>>>> to use AD sync, but I cannot install anything on the AD server.
>>>>>>> The second reason why I need to set up a proxy is to use data
>>>>>>> stored in LDAP server (OpenLDAP, Open Directory Server and
>>>>>>> Active Directory) in one place. I need to update them too. It is
>>>>>>> not necessary to synchronize passwords.
>>>>>>
>>>>>> See also
>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>>>
>>>>>>> Thank you for reply.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Michal
>
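Added example, not part of the original thread and not Fedora DS code: a Python check that reads a dse.ldif, undoes LDIF line folding, and reports which transmitted controls and chaining components the `cn=config,cn=chaining database,cn=plugins,cn=config` entry actually lists, so the file can be compared with what Wireshark shows on the wire. The sample LDIF, including the component DN in it, is constructed.

```python
import re

CHAINING_DN = "cn=config,cn=chaining database,cn=plugins,cn=config"
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"   # the control discussed in the thread
WATCHED = ("nstransmittedcontrols", "nsactivechainingcomponents",
           "nspossiblechainingcomponents")

def norm_dn(dn):
    """Lowercase and drop spaces around commas so DNs compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())

def chaining_settings(ldif_text, dn=CHAINING_DN):
    """Return {attribute: [values]} for the watched attributes of entry dn."""
    text = re.sub(r"\r?\n ", "", ldif_text)      # undo LDIF line folding
    found = {}
    for entry in re.split(r"\n\s*\n", text):
        lines = [l for l in entry.splitlines() if l and not l.startswith("#")]
        if not lines or not lines[0].lower().startswith("dn:"):
            continue
        if norm_dn(lines[0][3:]) != norm_dn(dn):
            continue
        for line in lines[1:]:
            attr, _, value = line.partition(":")
            if attr.lower() in WATCHED:
                found.setdefault(attr.lower(), []).append(value.strip())
    return found

def transmits(ldif_text, oid=MANAGE_DSA_IT):
    """True if the chaining config entry lists oid in nsTransmittedControls."""
    return oid in chaining_settings(ldif_text).get("nstransmittedcontrols", [])

# Constructed dse.ldif fragment (sample data, not taken from a real server).
SAMPLE = """\
dn: cn=config
objectClass: top

dn: cn=config,cn=chaining database,cn=plugins,
 cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
nsActiveChainingComponents: cn=example component,cn=components,cn=config

dn: cn=unrelated,cn=config
nsTransmittedControls: 9.9.9
"""

if __name__ == "__main__":
    print(chaining_settings(SAMPLE), transmits(SAMPLE))
```

If `transmits()` is false for the file on disk while the control still appears in the capture, the control is not coming from `nsTransmittedControls`, which is the situation the last reply describes.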