Michal Rejda wrote:
>> Michal Rejda wrote:
>>>> Michal Rejda wrote:
>>>>>> Michal Rejda wrote:
>>>>>>>> Michal Rejda wrote:
>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich Megginson
>>>>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>>>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>>>>>>>>
>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I set up the database link to the Active Directory (and OpenLDAP). When I looked into the Wireshark log, FDS sends a search request with controls:
>>>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>>> 2.16.840.1.113730.3.4.12
>>>>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>>>>>>>> I tried to remove these two controls from Database Link Settings (in the administration console) but it didn't help. The server didn't return the message above, but the administrative console shows an error dialog.
>>>>>>>>>>>> What error?
>>>>>>>>>>>>
>>>>>>>>>>> I tried it again and the error message is exactly:
>>>>>>>>>>>
>>>>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
>>>>>>>>>>> The error sent by the server was:
>>>>>>>>>>> ".
>>>>>>>>>>>
>>>>>>>>>>> In the Wireshark log was still the search request with control:
>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>
>>>>>>>>>>> Why is this control needed by the server when I removed it from Database link settings?
>>>>>>>>>>
>>>>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
>>>>>>>>>> 1) Shutdown the server
>>>>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>>>>>>>> 3) edit dse.ldif - look for the entry
>>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>>>>> 4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
>>>>>>>>>> 5) save and restart the server
>>>>>>>>>>
>>>>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.
>>>>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>>>>>>>
>>>>>>>> If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.
>>>>>>>>
>>>>>>>>> Why is this so necessary?
>>>>>>>>
>>>>>>>> It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.
>>>>>>>>
>>>>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.
>>>>>>
>>>>>> Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>>>
>>>>> In the attachment is the part of the server error log. I removed all messages before I clicked on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?
>>>>>
>>>> Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).
>>>>
>>> Yes, you are right. I use the console to browse the AD tree. But I do this because there is an attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.
>>>
>>> I tried ldapsearch using an AD user (Administrator). I'm able to log in but the ldapsearch doesn't show any results (I use Apache Directory Studio). When I looked into the Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
>>
>> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.
>>
> It works. Thank you very much! I can connect to the AD and list users and whatever I want.
> I have one more difficulty. When I send ldapmodify to the node in the AD, FDS adds to this request two more attributes (modifiersname, modifytimestamp). AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece). Is it possible to disable this functionality

Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0

> or rewrite the attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change the AD schema.

No, it's not possible to map it.

BTW, I would really appreciate it if you could write up something for the wiki about "using chaining to create an AD 'view'" - if you would rather just send me the info in an email, that would be fine too.
>>>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm trying to set up a proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
>>>>>>>>>>>>>>> 1) New database link to LDAP server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2) Create multiple-master replication and set up the other server as consumer.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> - But this shows error: 255 Replication error acquiring replica: unknown error.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> My question is: Is there a way to set up a proxy to access another LDAP server from Fedora DS? I know that it is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to set up a proxy is to use data stored in LDAP servers (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thank you for reply.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Michal
>>>>>>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>> Fedora-directory-users@redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
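The thread above boils down to three settings in dse.ldif that make a chained database link fail against Active Directory: the ManageDSAIT and proxied-authorization controls listed in nsTransmittedControls (AD answers them with unavailableCriticalExtension), nsProxiedAuthorization on the link itself, and nsslapd-lastmod in cn=config (which adds modifiersname/modifytimestamp to chained modifies). The following script is an added example, not code from the thread, from Rich Megginson, or from the Fedora/389 Directory Server project. It audits a copy of dse.ldif for those three conditions and applies the thread's fix, so the change can be reviewed before the server is restarted. Assumptions not stated in the thread: the LDIF parser is a minimal one written here; the values "0" and "off" are both treated as disabled; a database link entry is recognised by its nsfarmserverurl attribute; when nsProxiedAuthorization or nsslapd-lastmod is absent it is assumed to default to on; the sample dse.ldif fragment is constructed and uses a placeholder farm server URL.

```python
"""Audit a dse.ldif copy for the chaining-backend settings that break against AD.

Assumptions (not from the thread): minimal LDIF parser written for this example;
"0" and "off" both count as disabled; a database link is any entry carrying
nsfarmserverurl; absent nsProxiedAuthorization / nsslapd-lastmod default to on.
"""
import base64
from typing import Dict, List

MANAGEDSAIT = "2.16.840.1.113730.3.4.2"    # ManageDSAIT control (named in the thread)
PROXYAUTH_V1 = "2.16.840.1.113730.3.4.12"  # proxied authorization control (named in the thread)
REJECTED_BY_AD = {MANAGEDSAIT: "ManageDSAIT", PROXYAUTH_V1: "proxied authorization"}
CHAINING_CFG_DN = "cn=config,cn=chaining database,cn=plugins,cn=config"
DISABLED = {"0", "off"}                     # assumption: both spellings mean off

Entry = Dict[str, List[str]]                # lower-cased attribute name -> values

# Constructed sample in the shape of the entries the thread edits (not a real
# file from the thread); it exhibits all three problems at once.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
nsTransmittedControls: 2.16.840.1.113730.3.4.12

dn: cn=ad-link,cn=chaining database,cn=plugins,cn=config
cn: ad-link
nsfarmserverurl: ldap://ad.example.test:389/
nsProxiedAuthorization: on
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF into {lower-cased dn: {lower-cased attr: [values]}}.
    Handles folded lines (leading space), '#' comments and base64 ('::') values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries: Dict[str, Entry] = {}
    attrs: Entry = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in attrs:
                entries[attrs["dn"][0].lower()] = attrs
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit_chaining(entries: Dict[str, Entry]) -> List[str]:
    """Return one finding per setting that still matches the failing configuration."""
    findings: List[str] = []
    sent = entries.get(CHAINING_CFG_DN, {}).get("nstransmittedcontrols", [])
    for oid, label in REJECTED_BY_AD.items():
        if oid in sent:
            findings.append(f"{CHAINING_CFG_DN}: nsTransmittedControls still sends {oid} "
                            f"({label}); AD rejects it as an unavailable critical extension")
    for dn, attrs in entries.items():
        if "nsfarmserverurl" in attrs:       # an actual database link entry
            value = attrs.get("nsproxiedauthorization", ["on"])[0].lower()
            if value not in DISABLED:
                findings.append(f"{dn}: nsProxiedAuthorization is {value}; set it to 0 "
                                f"so the link stops sending {PROXYAUTH_V1}")
    lastmod = entries.get("cn=config", {}).get("nsslapd-lastmod", ["on"])[0].lower()
    if lastmod not in DISABLED:
        findings.append(f"cn=config: nsslapd-lastmod is {lastmod}; modifiersname/modifytimestamp "
                        "get added to chained modifies and AD rejects them")
    return findings


def apply_fix(entries: Dict[str, Entry]) -> Dict[str, Entry]:
    """Apply the thread's three changes in place and return the entries."""
    cfg = entries.get(CHAINING_CFG_DN)
    if cfg is not None:
        cfg["nstransmittedcontrols"] = [c for c in cfg.get("nstransmittedcontrols", [])
                                        if c not in REJECTED_BY_AD]
    for attrs in entries.values():
        if "nsfarmserverurl" in attrs:
            attrs["nsproxiedauthorization"] = ["0"]
    entries.setdefault("cn=config", {"dn": ["cn=config"]})["nsslapd-lastmod"] = ["0"]
    return entries


def to_ldif(entries: Dict[str, Entry]) -> str:
    """Serialise entries back to LDIF (attribute names are case-insensitive in LDAP)."""
    blocks = ["\n".join(f"{name}: {v}" for name, values in attrs.items() for v in values)
              for attrs in entries.values()]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    before = parse_ldif(SAMPLE_DSE_LDIF)
    for finding in audit_chaining(before):
        print("FINDING:", finding)
    print(to_ldif(apply_fix(before)))
```

Run it against a copy of dse.ldif taken while the server is stopped, as the thread's steps 1 to 5 describe; the audit lists which of the three settings are still in the failing state, and the serialised output after apply_fix keeps only the remaining control (1.3.6.1.4.1.1466.29539.12 in the sample) in nsTransmittedControls.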