<div dir="ltr">Hello,<div><br><div>trying to get vSphere authenticate users using FreeIPA.</div><div>I've made scheme changes as recommended in howto <a href="http://www.freeipa.org/page/HowTo/vsphere5_integration">http://www.freeipa.org/page/HowTo/vsphere5_integration</a>.</div><div>But then faced following issue:</div><div>Vsphere using "pagedResultsControl" and sets it's criticality to "True" on all it's requests to LDAP server:<br><div>---<br>Lightweight Directory Access Protocol
</div><div> LDAPMessage searchRequest(2) "cn=users,cn=compat,dc=XXX,dc=XXX" wholeSubtree
</div><div> messageID: 2
</div><div> protocolOp: searchRequest (3)
</div><div> [Response In: 17]
</div><div> <i><b> controls: 1 item
</b></i></div><div><i><b> Control
</b></i></div><div><i><b> controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)
</b></i></div><div><i><b> <font color="#ff0000">criticality: True
</font></b></i></div><div><i><b> SearchControlValue
</b></i></div><div><i><b> size: 100
</b></i></div><div><i><b> cookie: <MISSING> </b></i></div></div><div>---</div><div><br></div><div>When requesting from "cn=accounts" subtree things go ok, and reply also contain "pagedResultsControl" block:<br>---</div><div><div>Lightweight Directory Access Protocol</div><div> LDAPMessage searchResDone(2) success [1 result]</div><div> messageID: 2</div><div> protocolOp: searchResDone (5)</div><div> searchResDone</div><div> resultCode: success (0)</div><div> matchedDN: </div><div> errorMessage: </div><div> [Response To: 15]</div><div> [Time: 0.065699000 seconds]</div><div> <i><b> controls: 1 item</b></i></div><div><i><b> Control</b></i></div><div><i><b> controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)</b></i></div><div><i><b> SearchControlValue</b></i></div><div><i><b> size: 0</b></i></div><div><i><b> cookie: <MISSING></b></i></div><div>---</div></div><div>and vSphere accepts the results of such queries without any problem, except the fact that there are no some required attributes in objects in this subtree.</div><div><br></div><div>But on same requests to "cn=compat" subtree (where all required attributes added) something goest wrong, and replies doesn't contain "pagedResultsControl" block (the result set itself is identical, absence of controls block is only difference) :<br></div><div>---</div><div><div>Lightweight Directory Access Protocol</div><div> LDAPMessage searchResDone(2) success [1 result]</div><div> messageID: 2</div><div> protocolOp: searchResDone (5)</div><div> [Response To: 15]</div><div> [Time: 0.001349000 seconds]</div></div><div>---</div><div><br></div><div>Thus vSphere doesn't accept the results of queries to "cn=compat" subtree regardless of their results. </div><div>Such behavior also seems to be violating RFC2696 which stands:</div><div>---</div><div><pre style="word-wrap:break-word;white-space:pre-wrap">If the server does not support this control, the server
MUST return an error of unsupportedCriticalExtension if the client
requested it as critical, otherwise the server SHOULD ignore the
control. The remainder of this section assumes the server does not
ignore the client's pagedResultsControl.
Each time the server returns a set of results to the client when
processing a search request containing the pagedResultsControl, the
server includes the pagedResultsControl control in the
searchResultDone message.</pre></div><div>--- </div><div><br></div><div>Please help me to find the answers for following questions:</div><div>1) why the replies for the requests to "cn=compat" subtree don't contain controls block?</div><div>2) is it possible to configure ns-slapd/slapi-nis to force replies for queries to "cn=compat" subtree either to return a <span style="white-space:pre-wrap">unsupportedCriticalExtension or to contain a valid control block in case when the request contains controls with "criticality" set to "True"?</span></div><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap"><br></span></div><div><br></div></div></div>