<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Rich Megginson wrote:
<blockquote cite="mid:4A5E0BAD.7030600@redhat.com" type="cite">Giovanni
Mancuso wrote:
  <br>
  <blockquote type="cite">Hi,
    <br>
    <br>
I am trying to configure 2 Directory Servers with a DB link.
    <br>
    <br>
I have a first DS that points to a second DS that has its DB in the filesystem.
    <br>
    <br>
I created a proxy user in the second DS:
    <br>
    <br>
# tproxy, config
    <br>
dn: uid=tproxy,cn=config
    <br>
uid: tproxy
    <br>
givenName: test
    <br>
objectClass: top
    <br>
objectClass: person
    <br>
objectClass: organizationalPerson
    <br>
objectClass: inetorgperson
    <br>
sn: proxy
    <br>
cn: test proxy
    <br>
userPassword:: *********************************************
    <br>
    <br>
and I created in the first DS the "Database link" that uses this user to bind
to the second DS.
    <br>
    <br>
In the second DS I added the following ACI:
    <br>
  </blockquote>
What entry did you add this aci to?
  <br>
</blockquote>
I added the ACI to the root suffix (dc=example,dc=com).<br>
<blockquote cite="mid:4A5E0BAD.7030600@redhat.com" type="cite">
  <blockquote type="cite"><br>
(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
3.0;acl "AciChepermettetutto";allow (all)(userdn =
"ldap:///uid=tproxy,cn=config");)
    <br>
  </blockquote>
You should not need this ACI.</blockquote>
OK, I deleted this ACI.<br>
<blockquote cite="mid:4A5E0BAD.7030600@redhat.com" type="cite"><br>
  <blockquote type="cite"><br>
(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
3.0;acl "proxy acl";allow (proxy)(userdn =
"ldap:///uid=tproxy,cn=config");)
    <br>
  </blockquote>
This is the correct ACI.
  <br>
  <blockquote type="cite"><br>
But if I try to execute the ldapsearch in the first directory server I get
the following error:
    <br>
  </blockquote>
proxy does not currently work with directory manager.  Directory
manager is considered a "local" user to each directory server.  Try a
different user.
  <br>
</blockquote>
Now I have created a new user in the first DS:<br>
<br>
dn: uid=ttestuser,cn=config<br>
uid: testuser<br>
givenName: test<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalPerson<br>
objectClass: inetorgperson<br>
sn: user<br>
cn: test user<br>
userPassword: *********<br>
<br>
And if I try to run ldapsearch with this user, it works:<br>
<br>
ldapsearch -LLL -s base -h localhost -x -p 20389 -D
"uid=ttestuser,cn=config" -w ********* -b "dc=example,dc=com"
"(objectclass=*)"<br>
dn: dc=example,dc=com<br>
dc: example<br>
objectClass: top<br>
objectClass: domain<br>
<br>
The problem now is when I try to execute an add in the first directory server.<br>
<br>
I created the following LDIF:<br>
<br>
cat /tmp/tempuser.ldif<br>
dn: uid=conaltroustente,node=testgio,dc=example,dc=com<br>
uid: conaltroustente<br>
givenName: conaltroustente<br>
objectClass: top<br>
objectClass: person<br>
objectClass: organizationalPerson<br>
objectClass: inetorgperson<br>
sn: dsdsds<br>
cn: pippopidddssd dsdsds<br>
<br>
And I try to run:<br>
<br>
ldapmodify -a -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w
*********** -f /tmp/tempuser.ldif<br>
adding new entry "uid=conaltroustente,node=testgio,dc=example,dc=com"<br>
ldap_add: Insufficient access (50)<br>
        additional info: Insufficient 'add' privilege to add the entry
'uid=conaltroustente,node=testgio,dc=example,dc=com'.<br>
<br>
Any ideas??<br>
<br>
<blockquote cite="mid:4A5E0BAD.7030600@redhat.com" type="cite">
  <blockquote type="cite"><br>
ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w
********* -b "dc=example,dc=com" "(objectclass=*)"
    <br>
# extended LDIF
    <br>
#
    <br>
# LDAPv3
    <br>
# base <dc=example,dc=com> with scope subtree
    <br>
# filter: (objectclass=*)
    <br>
# requesting: ALL
    <br>
#
    <br>
    <br>
# search result
    <br>
search: 2
    <br>
result: 53 Server is unwilling to perform
    <br>
text: Proxy dn should not be rootdn
    <br>
    <br>
# numResponses: 1
    <br>
    <br>
If i enable verbose logging in my error log i have:
    <br>
    <br>
[15/Jul/2009:18:44:47 +0200] - activity on 65r
    <br>
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
    <br>
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
    <br>
[15/Jul/2009:18:44:47 +0200] - read activity on 65
    <br>
[15/Jul/2009:18:44:47 +0200] - add_pb
    <br>
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
    <br>
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
    <br>
[15/Jul/2009:18:44:47 +0200] - get_pb
    <br>
[15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
    <br>
[15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
    <br>
[15/Jul/2009:18:44:47 +0200] - do_search
    <br>
[15/Jul/2009:18:44:47 +0200] - => get_filter_internal
    <br>
[15/Jul/2009:18:44:47 +0200] - PRESENT
    <br>
[15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
    <br>
[15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
    <br>
[15/Jul/2009:18:44:47 +0200] get_filter -  after optimize: (objectClass=*)
    <br>
[15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
    <br>
[15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
    <br>
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
    <br>
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT
FOUND)
    <br>
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for
1.3.6.1.4.1.42.2.27.8.5.1)
    <br>
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT
FOUND)
    <br>
[15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2
controls
    <br>
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
2.16.840.1.113730.3.4.3)
    <br>
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT
FOUND)
    <br>
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
2.16.840.1.113730.3.4.20)
    <br>
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT
FOUND)
    <br>
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
2.16.840.1.113730.3.4.14)
    <br>
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT
FOUND)
    <br>
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
1.3.6.1.4.1.42.2.27.9.5.2)
    <br>
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT
FOUND)
    <br>
[15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
    <br>
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit()
conn=0xb1557cb8, handle=2
    <br>
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit()
returning NO VALUE
    <br>
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit()
conn=0xb1557cb8, handle=1
    <br>
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit()
returning NO VALUE
    <br>
[15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000,
timelimit=3600
    <br>
[15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1
type 403
    <br>
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
2.16.840.1.113730.3.4.12)
    <br>
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
    <br>
[15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn
should not be rootdn
    <br>
[15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
    <br>
[15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
    <br>
[15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
    <br>
[15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
    <br>
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit()
conn=0xb1557d68, handle=3
    <br>
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit()
returning NO VALUE
    <br>
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit()
conn=0xb1557cb8, handle=3
    <br>
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit()
returning NO VALUE
    <br>
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit()
conn=0xb1557c08, handle=3
    <br>
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit()
returning NO VALUE
    <br>
[15/Jul/2009:18:44:49 +0200] - listener got signaled
    <br>
[15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293
(scheduled for 1247676293)
    <br>
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
    <br>
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
    <br>
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
    <br>
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
    <br>
    <br>
The problem seems to be the "ACL preoperation" plugin. Indeed, if I disable
this plugin, it WORKS.
    <br>
But i cannot disable this plugin.
    <br>
    <br>
Any ideas to solve the problem??
    <br>
    <br>
Thanks and sorry in advance for my bad English
    <br>
//
    <br>
    <br>
------------------------------------------------------------------------
    <br>
    <br>
--
    <br>
389 users mailing list
    <br>
<a class="moz-txt-link-abbreviated" href="mailto:389-users@redhat.com">389-users@redhat.com</a>
    <br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>
    <br>
  </blockquote>
</blockquote>
<br>
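Added example (not part of the thread, and not 389 Directory Server's own ACL code): a small Python evaluator for the subset of ACI syntax used in the messages above (target, targetattr, allow/deny rules with a userdn). It is a simplified model, not the server's full ACL engine (no targetfilter, groupdn, roledn or bind-rule support), and it assumes the 389 DS rule that the "all" right expands to read/write/search/compare/add/delete/selfwrite and does not include proxy. Run against the two ACIs quoted in the thread, it shows that the "proxy acl" grants the chaining bind user only the right to proxy, and that the proxied identity still needs its own "add" grant for a chained add to succeed; the ADD_ACI, the function names and the entry DN values are constructed for this example.<br>

```python
import re
from dataclasses import dataclass, field

# "all" in a 389 DS ACI expands to these rights; it deliberately does NOT include "proxy",
# so a separate "allow (proxy)" rule is needed for the chaining bind user.
ALL_RIGHTS = {"read", "write", "search", "compare", "add", "delete", "selfwrite"}


@dataclass
class Aci:
    name: str
    target: str                    # normalised DN; the ACI covers this entry and its subtree
    targetattr: str
    rules: list = field(default_factory=list)   # (allow|deny, set of rights, userdn)


_TARGET = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)
_TARGETATTR = re.compile(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', re.I)
_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)
_RULE = re.compile(
    r'(allow|deny)\s*\(([^)]*)\)\s*\(\s*userdn\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)


def norm_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs so DNs compare by value."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(text: str) -> Aci:
    """Parse the ACI subset used in the thread: target, targetattr and userdn rules."""
    name = _NAME.search(text)
    if name is None:
        raise ValueError("ACI without an acl name: " + text)
    target = _TARGET.search(text)
    targetattr = _TARGETATTR.search(text)
    rules = []
    for kind, rights, userdn in _RULE.findall(text):
        rights_set = {r.strip().lower() for r in rights.split(",") if r.strip()}
        rules.append((kind.lower(), rights_set, norm_dn(userdn)))
    if not rules:
        raise ValueError("ACI without an allow/deny rule: " + text)
    return Aci(name.group(1),
               norm_dn(target.group(1)) if target else "",
               targetattr.group(1) if targetattr else "*",
               rules)


def dn_in_scope(entry_dn: str, target: str) -> bool:
    """True when entry_dn is the target entry or lies below it (empty target = whole tree)."""
    entry = norm_dn(entry_dn)
    return target == "" or entry == target or entry.endswith("," + target)


def is_allowed(acis, bind_dn: str, right: str, entry_dn: str) -> bool:
    """Evaluate the ACIs for one identity, right and entry; an explicit deny wins."""
    bind_dn = norm_dn(bind_dn)
    right = right.lower()
    verdict = False
    for aci in acis:
        if not dn_in_scope(entry_dn, aci.target):
            continue
        for kind, rights, userdn in aci.rules:
            subject_matches = (userdn == "anyone"
                               or (userdn == "all" and bind_dn != "")
                               or userdn == bind_dn)
            if not subject_matches:
                continue
            effective = set(rights)
            if "all" in effective:
                effective |= ALL_RIGHTS
            if right not in effective:
                continue
            if kind == "deny":
                return False
            verdict = True
    return verdict


def chained_add_verdict(acis, proxy_dn: str, user_dn: str, entry_dn: str):
    """Two checks the far-side server makes for a chained add: may the chaining bind
    user proxy at all, and does the proxied identity itself hold 'add' on that tree."""
    return (is_allowed(acis, proxy_dn, "proxy", entry_dn),
            is_allowed(acis, user_dn, "add", entry_dn))


# ACIs as written in the thread.
ALLOW_ALL_ACI = ('(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
                 'acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)')
PROXY_ACI = ('(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
             'acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)')
# Constructed for this example (not in the thread): grant the proxied test user "add".
ADD_ACI = ('(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
           'acl "test user may add";allow (add)(userdn = "ldap:///uid=ttestuser,cn=config");)')

ENTRY = "uid=conaltroustente,node=testgio,dc=example,dc=com"

if __name__ == "__main__":
    before = chained_add_verdict([parse_aci(PROXY_ACI)],
                                 "uid=tproxy,cn=config", "uid=ttestuser,cn=config", ENTRY)
    after = chained_add_verdict([parse_aci(PROXY_ACI), parse_aci(ADD_ACI)],
                                "uid=tproxy,cn=config", "uid=ttestuser,cn=config", ENTRY)
    print("proxy ACI only -> (proxy ok, add ok) =", before)   # (True, False)
    print("plus add ACI   -> (proxy ok, add ok) =", after)    # (True, True)
```

The first verdict mirrors the "Insufficient 'add' privilege" result quoted above: the proxy right lets uid=tproxy act as uid=ttestuser, but the operation is then authorised as uid=ttestuser, who holds no rights under dc=example,dc=com. The evaluator also shows that the earlier "allow (all)" ACI never granted proxy, since "all" does not cover it. Which ACI to add in a real deployment depends on how much the proxied identity should be able to do; the constructed ADD_ACI is only the narrowest grant that makes the quoted add pass.<br>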
</body>
</html>