<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03/06/2015 09:01 AM, Herwono W
      Wijaya wrote:<br>
    </div>
    <blockquote cite="mid:54F9CF6C.7050803@linuxcoding.org" type="cite">
      This is the result from<br>
      #strings /usr/lib/openldap/slapd | grep "1.3.6.1.4"<br>
    </blockquote>
    <br>
    Sorry, I should have been much more explicit about what you need to
    do:<br>
    <br>
    1) Are you a VMware customer with a paid support contract?  If so,
    then contact VMware support - ask them which LDAP controls vCenter
    knows about and which ones it can expect in an LDAP response.<br>
    <br>
    2) Look for LDAP Control OIDs in the _vCenter_ code, not the
    openldap code.  I can't help you here - I don't have vCenter, and I
    have no idea what the code/binary layout looks like on disk.  For
    example, here is a list of well known LDAP Control OIDs:
    <a class="moz-txt-link-freetext" href="https://www.ldap.com/ldap-oid-reference">https://www.ldap.com/ldap-oid-reference</a> - scroll down to OIDs for
    Controls<br>
    <br>
    <blockquote cite="mid:54F9CF6C.7050803@linuxcoding.org" type="cite">
      <br>
      <div class="moz-cite-prefix">On 3/6/15 10:40 PM, Rich Megginson
        wrote:<br>
      </div>
      <blockquote cite="mid:54F9CA69.6040503@redhat.com" type="cite">
        <div class="moz-cite-prefix">On 03/06/2015 07:54 AM, Herwono W
          Wijaya wrote:<br>
        </div>
        <blockquote cite="mid:54F9BFBB.1070101@linuxcoding.org"
          type="cite">
          FreeIPA logs:<br>
          [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND
          dn="uid=admin,cn=users,cn=compat,dc=server,dc=local"
          method=128 version=3<br>
          [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97
          nentries=0 etime=0
          dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"<br>
          [06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH
          base="cn=users,cn=compat,dc=server,dc=local" scope=2
          filter="(objectClass=inetOrgPerson)" attrs="uid description
          givenName sn mail useraccountcontrol pwdaccountlockedtime
          entryuuid"<br>
          [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101
          nentries=2 etime=0 notes=P<br>
          [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND<br>
          [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1<br>
          <br>
          vCenter SSO error:<br>
          Error: Idm client exception: Control not found<br>
        </blockquote>
        <br>
        There's no error log debug level which will give us all of the
        controls received by the server or all of the controls sent back
        by the server.  The TRACE level will give us some information.<br>
        <br>
        But the problem appears to be that vCenter is expecting some
        control.  There is no way we can tell what control that might be
        by analyzing the LDAP protocol, even with Wireshark.  If the
        vCenter documentation does not suffice, and VMware support is
        not forthcoming, then we might be able to reverse engineer the
        code.  For example, search the code, if it is scripts, or use
        something like the "strings" command on binaries, to look for
        well-known OID prefixes.<br>
        <br>
        For example, from dirsrv:<br>
        # strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep "1.3.6.1.4"<br>
        1.3.6.1.4.1.1466.115.121.1.34<br>
        1.3.6.1.4.1.1466.115.121.1.12<br>
        1.3.6.1.4.1.1466.115.121.1.15<br>
        1.3.6.1.4.1.42.2.27.8.5.1<br>
        1.3.6.1.4.1.42.2.27.9.5.2<br>
        ...<br>
        <br>
        If we can narrow down the list of possible control OIDs that
        vCenter knows about, we can perhaps figure out if 389 supports
        them.<br>
        <br>
        <blockquote cite="mid:54F9BFBB.1070101@linuxcoding.org"
          type="cite"> <br>
          <div class="moz-cite-prefix">On 3/6/15 8:45 PM, Herwono W
            Wijaya wrote:<br>
          </div>
          <blockquote cite="mid:54F9AF5E.9010001@linuxcoding.org"
            type="cite">
            Sorry, my mistake. Okay, I'll check the slapd log files and try to
            figure out what happened.<br>
            <br>
            <div class="moz-cite-prefix">On 3/6/15 8:43 PM, Martin Kosek
              wrote:<br>
            </div>
            <blockquote cite="mid:54F9AEE5.4030306@redhat.com"
              type="cite">This is the directory on the FreeIPA server that
              the vCenter is authenticating users against. <br>
              <br>
              On 03/06/2015 02:40 PM, Herwono W Wijaya wrote: <br>
              <blockquote type="cite">There is no directory
                "/var/log/dirsrv/" in the 5.5u2b version. <br>
                <br>
                On 3/6/15 8:34 PM, Gianluca Cecchi wrote: <br>
                <blockquote type="cite">On Fri, Mar 6, 2015 at 2:12 PM,
                  Martin Kosek <<a moz-do-not-send="true"
                    class="moz-txt-link-abbreviated"
                    href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>
                  <br>
                  <a moz-do-not-send="true"
                    class="moz-txt-link-rfc2396E"
                    href="mailto:mkosek@redhat.com"><mailto:mkosek@redhat.com></a>>
                  wrote: <br>
                  <br>
                      Ah, I am not sure what control they mean. <br>
                  <br>
                      But in general, it is always interesting to
                  check the LDAP access <br>
                      logs to see the last failed request and then try
                  the same search with <br>
                      ldapsearch and fix things. <br>
                  <br>
                      Martin <br>
                  <br>
                  <br>
                  see my previous e-mail: <br>
                  <br>
                  /var/log/dirsrv/slapd-REALM-NAME/ <br>
                  <br>
                  contains log and you will see which kind of queries
                  vSphere is doing. <br>
                  <br>
                  Gianluca <br>
                </blockquote>
                <br>
                -- <br>
                Regards, Herwono W Wijaya <a moz-do-not-send="true"
                  class="moz-txt-link-freetext"
                  href="https://linuxcoding.org">https://linuxcoding.org</a>
                | *VMware vExpert 2014, 2015 <br>
                <a moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr"><https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr></a>*
                <br>
                <br>
              </blockquote>
              <br>
            </blockquote>
            <br>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
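    <br>
    Martin's advice in the thread (find the last failed request in the 389-ds
    access log and replay the same search with ldapsearch), as an added
    example that is not code from the thread, from FreeIPA or from 389-ds: a
    small Python parser for the access log format, run over the conn=30 lines
    quoted above. It assumes the log lines are re-joined onto single lines
    (the mail client wrapped them); the NOTES and SCOPE mappings are the ones
    389-ds uses in its access log.<br>

```python
import re

# Constructed sample: the conn=30 operations from the 389-ds access log quoted
# in the thread, re-joined onto single lines (the mail client wrapped them).
SAMPLE_LOG = """\
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base="cn=users,cn=compat,dc=server,dc=local" scope=2 filter="(objectClass=inetOrgPerson)" attrs="uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
REQUESTS = {"BIND", "SRCH", "UNBIND", "ADD", "MOD", "DEL", "MODRDN", "CMP", "EXT", "ABANDON"}
NOTES = {"A": "fully unindexed search", "U": "partially unindexed search",
         "P": "simple paged results search"}  # 389-ds "notes=" flags on RESULT lines
SCOPE = {0: "base", 1: "one", 2: "sub"}        # 389-ds access-log scope numbering

def parse_access_log(text):
    """Pair every request with its RESULT line, keyed by (conn, op), in log order."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # connection open/close lines carry no op=
            continue
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        kind = rest.split(" ", 1)[0]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry = ops.setdefault(key, {"conn": key[0], "op": key[1]})
        if kind == "RESULT":
            entry["err"] = int(fields.get("err", -1))
            entry["nentries"] = int(fields.get("nentries", 0))
            entry["notes"] = [NOTES.get(c, c) for c in fields.get("notes", "")]
        elif kind in REQUESTS:
            entry["request"] = kind
            entry["detail"] = fields
    return [ops[k] for k in sorted(ops)]

def failed_requests(text):
    """Requests whose RESULT carries a non-zero LDAP result code (err=N)."""
    return [e for e in parse_access_log(text) if e.get("err", 0) != 0]

def ldapsearch_for(entry):
    """Rebuild a SRCH request as an ldapsearch command line so it can be replayed by hand."""
    d = entry["detail"]
    return 'ldapsearch -x -b "%s" -s %s \'%s\' %s' % (d["base"], SCOPE[int(d["scope"])], d["filter"], d["attrs"])
```

    For the excerpt in the thread every operation returns err=0, which is
    consistent with the error being raised on the vCenter side rather than by
    the directory server.<br>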
    <br>
  </body>
</html>