<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/06/2015 09:39 AM, Herwono W
Wijaya wrote:<br>
</div>
<blockquote cite="mid:54F9D84A.6000001@linuxcoding.org" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
vCenter SSO works well with Univention LDAP.<br>
</blockquote>
<br>
Then set up a wireshark session to capture traffic between vCenter
SSO and Univention LDAP, then do the same with vCenter SSO and IPA.
Then we can compare the TCP traffic dumps.<br>
<br>
<blockquote cite="mid:54F9D84A.6000001@linuxcoding.org" type="cite">
<br>
Here I want to make sure if FreeIPA can work with vCenter SSO,
because I read it on this page: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://www.freeipa.org/page/HowTo/vsphere5_integration">http://www.freeipa.org/page/HowTo/vsphere5_integration</a><br>
<br>
And thanks for the help and answer any questions from me. <br>
Have a nice day.<br>
<br>
<div class="moz-cite-prefix">On 3/6/15 11:23 PM, Rich Megginson
wrote:<br>
</div>
<blockquote cite="mid:54F9D496.1070302@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 03/06/2015 09:13 AM, Gianluca
Cecchi wrote:<br>
</div>
<blockquote
cite="mid:CAG2kNCxoPLDoFp-uM8f1Rda8rZt4uOBoe823sd_FepLgtjBK1w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Mar 6, 2015 at 4:40 PM,
Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<blockquote type="cite"><br>
<br>
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT
err=0 tag=101 nentries=2 etime=0 notes=P<br>
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND<br>
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99
closed - U1<br>
<br>
vCenter SSO error:<br>
Error: Idm client exception: Control not found<br>
</blockquote>
<br>
</span> There's no error log debug level which will
give us all of the controls received by the server
or all of the controls sent back by the server. The
TRACE level will give us some information.<br>
<br>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>Could it be that the "Control not found" somehow
related with "<span
style="color:rgb(0,0,0);white-space:pre-wrap">page
results control" as described in </span></div>
<div><a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=558099">https://bugzilla.redhat.com/show_bug.cgi?id=558099</a><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Could be.<br>
<blockquote
cite="mid:CAG2kNCxoPLDoFp-uM8f1Rda8rZt4uOBoe823sd_FepLgtjBK1w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Is the "notes=P" in ipa logs a setting managed by
the server or by the type of the query done by the
client?</div>
</div>
</div>
</div>
</blockquote>
<br>
Yes. It means the client is requesting a Simple Paged Search by
using that control.<br>
<br>
<blockquote
cite="mid:CAG2kNCxoPLDoFp-uM8f1Rda8rZt4uOBoe823sd_FepLgtjBK1w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>In my past IPA 3.3.3 logs I didn't find it at the
end of the log line with nentries...</div>
</div>
</div>
</div>
</blockquote>
<br>
It has everything to do with the client. The server has
supported Simple Paged Search for a long time. Perhaps some
newer version of the client is requesting paged results?<br>
<br>
<br>
<blockquote
cite="mid:CAG2kNCxoPLDoFp-uM8f1Rda8rZt4uOBoe823sd_FepLgtjBK1w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>Just an attempt... </div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
One more thing - does vCenter work with another LDAP server,
like openldap or active directory? If so, try capturing a
wireshark trace of a successful search operation, then capture a
wireshark trace of a session using ipa, and we can compare them
to see which controls the working server is sending back that
ipa is not.<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Regards,<br>
Herwono W Wijaya<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://linuxcoding.org">https://linuxcoding.org</a> | <b><a
moz-do-not-send="true"
href="https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr">VMware
vExpert 2014, 2015</a></b> </div>
</blockquote>
<br>
</body>
</html>