[Fedora-directory-users] LDAP proxy

Michal Rejda mrejda at kerio.com
Wed Apr 22 12:26:45 UTC 2009


> Michal Rejda wrote:
> >> Michal Rejda wrote:
> >>>> Michal Rejda wrote:
> >>>>>> Michal Rejda wrote:
> >>>>>>>> Michal Rejda wrote:
> >>>>>>>>>> -----Original Message-----
> >>>>>>>>>> From: fedora-directory-users-bounces at redhat.com
> >>>>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> >>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
> >>>>>>>>>> To: General discussion list for the Fedora Directory server project.
> >>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
> >>>>>>>>>>
> >>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link
> >>>>>>>>>>> doesn't work. I set up the database link to the Active Directory (and
> >>>>>>>>>>> OpenLDAP). When I looked into the Wireshark log, FDS sends a search
> >>>>>>>>>>> request with controls:
> >>>>>>>>>>> 	2.16.840.1.113730.3.4.2
> >>>>>>>>>>> 	2.16.840.1.113730.3.4.12
> >>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
> >>>>>>>>>>>
> >>>>>>>>>>> I tried to remove these two controls from Database Link Settings (in
> >>>>>>>>>>> the administration console) but it didn't help. The server didn't
> >>>>>>>>>>> return the message above, but the administrative console shows an
> >>>>>>>>>>> error dialog.
> >>>>>>>>>>
> >>>>>>>>>> What error?
> >>>>>>>>>
> >>>>>>>>> I tried it again and the error message is exactly:
> >>>>>>>>>
> >>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
> >>>>>>>>> The error send by the server was:
> >>>>>>>>> ".
> >>>>>>>>>
> >>>>>>>>> In the Wireshark log there was still the search request with control:
> >>>>>>>>> 	2.16.840.1.113730.3.4.2
> >>>>>>>>>
> >>>>>>>>> Why is this control needed by the server when I removed it from
> >>>>>>>>> Database link settings?
> >>>>>>>>
> >>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
> >>>>>>>> 1) Shutdown the server
> >>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
> >>>>>>>> 3) edit dse.ldif - look for the entry
> >>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
> >>>>>>>> 4) edit the nsTransmittedControls attribute - remove
> >>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>> 5) save and restart the server
> >>>>>>>
> >>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There
> >>>>>>> is only the 1.3.6.1.4.1.1466.29539.12, not the problematic
> >>>>>>> 2.16.840.1.113730.3.4.2.
> >>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
> >>>>>>
> >>>>>> If it is, I don't see it. There is no mention of managedsa or
> >>>>>> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code.
> >>>>>> The only place it is mentioned is in the default list of
> >>>>>> nsTransmittedControls in the template-dse.ldif used during new
> >>>>>> instance creation.
> >>>>>>
> >>>>>>> Why is this so necessary?
> >>>>>>
> >>>>>> It's not necessary, and I'm not sure where it is coming from.
> >>>>>> One place might be an internal operation, but I'm not sure what
> >>>>>> internal operation would be doing this. You might also try to
> >>>>>> remove nsActiveChainingComponents and
> >>>>>> nsPossibleChainingComponents to see if
> >>>>>> one of those components is doing an internal operation with
> >>>>>> managedsait set.
> >>>>>
> >>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents
> >>>>> and it didn't help.
> >>>>
> >>>> Then I'm not sure where it's coming from. I suppose you could
> >>>> enable tracing in the directory server and see if there is anything
> >>>> interesting in the error log - see
> >>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >>>
> >>> In the attachment is the part of the server error log. I removed all
> >>> messages before I clicked on the exclamation mark before the DN in the
> >>> Fedora administration console -> Directory folder tab. I don't
> >>> understand this log. Is it helpful for you?
> >>
> >> Ah, I see. You are using the console to try to browse the AD tree?
> >> And you are using the console admin user "admin"? Try ldapsearch from
> >> the command line, and attempt to authenticate as an AD user (e.g.
> >> cn=administrator,cn=users,dc=example,dc=com).
> >
> > Yes, you are right. I use the console to browse the AD tree. But I do
> > this because there is an attention marker before the root suffix
> > (lib-w2k3r2) in the Directory tab and I just double click on it.
> > I tried ldapsearch using an AD user (Administrator). I'm able to log in
> > but the ldapsearch doesn't show any results (I use Apache Directory
> > Studio). When I looked into the Wireshark log, I now see that another
> > critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in
> > the attachment.
>
> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.
> Set nsProxiedAuthorization to 0 - that should make it not use
> 2.16.840.1.113730.3.4.12 which is the proxyauth control.

It works. Thank you very much! I can connect to the AD and list users and whatever I want.
I have one more difficulty. When I send an ldapmodify to a node in the AD, FDS adds two more attributes (modifiersname, modifytimestamp) to this request. AD doesn't know these attributes and returns an error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece). Is it possible to disable this functionality or to rewrite the attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change the AD schema.

> >
> >>>>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I'm trying to set up a proxy on FDS to another LDAP server (OpenLDAP
> >>>>>>>>>>>>> and Active Directory). I tried two ways, but none of these works:
> >>>>>>>>>>>>> 1) New database link to LDAP server.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control
> >>>>>>>>>>>>> value not found
> >>>>>>>>>>>>
> >>>>>>>>>>>> You might have to tweak the controls used by chaining - see
> >>>>>>>>>>>> http://tinyurl.com/culeft
> >>>>>>>>>>>>
> >>>>>>>>>>>>> 2) Create multiple-master replication and set up the other server as
> >>>>>>>>>>>>> consumer.
> >>>>>>>>>>>>> - But this shows error: 255 Replication error acquiring replica:
> >>>>>>>>>>>>> unknown error.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
> >>>>>>>>>>>>
> >>>>>>>>>>>>> My question is: Is there a way to set up a proxy to access another LDAP
> >>>>>>>>>>>>> server from Fedora DS? I know that it is possible to use AD sync, but I
> >>>>>>>>>>>>> cannot install anything on the AD server. The second reason why I need
> >>>>>>>>>>>>> to set up a proxy is to use data stored in LDAP servers (OpenLDAP,
> >>>>>>>>>>>>> Open Directory Server and Active Directory) in one place. I need to
> >>>>>>>>>>>>> update them too. It is not necessary to synchronize passwords.
> >>>>>>>>>>>>
> >>>>>>>>>>>> See also
> >>>>>>>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Thank you for your reply.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Michal
> >>>>>>>
> >>>>>>> --
> >>>>>>> Fedora-directory-users mailing list
> >>>>>>> Fedora-directory-users at redhat.com
> >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >

-------------- next part --------------
A non-text attachment was scrubbed...
Name: errors.log
Type: application/octet-stream
Size: 7054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20090422/1d3ce471/attachment.obj>
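The settings Rich walks through in the thread above (the manageDSAit control 2.16.840.1.113730.3.4.2 and the proxyauth control 2.16.840.1.113730.3.4.12 in nsTransmittedControls under cn=config,cn=chaining database,cn=plugins,cn=config, and nsProxiedAuthorization on the database link) are the whole difference between a link that AD rejects with "Unavailable Critical Extension" and one that works. The script below is an added example, not code from the thread or from the 389/Fedora Directory Server project. It parses a constructed dse.ldif fragment (the cn=config entry mirrors the thread; the cn=ad-link entry, its nsfarmserverurl and nsmultiplexorbinddn values and the behaviour of nsProxiedAuthorization values other than 0 are assumptions for illustration), reports which of those settings would still make AD reject chained requests, and prints the ldapmodify input that removes them. Rich's own procedure makes the same change by editing dse.ldif with the server stopped; the thread does not say whether these attributes also accept online modification, so treat the printed LDIF as a record of the edit rather than a guarantee that ldapmodify will be accepted live.

One caveat before turning nsProxiedAuthorization off: the proxyauth control is what lets the chaining backend tell AD which user originally bound to FDS. Without it, every chained operation reaches AD as the link's own bind account (nsmultiplexorbinddn), so AD's access checks no longer see the real caller and every FDS user effectively inherits that account's rights on the AD side. Give that account the minimum rights the link needs and rely on FDS's own ACIs on the chained suffix as the authorization boundary.

```python
"""Audit a 389/Fedora DS dse.ldif for the database-link settings that Active
Directory rejects, and build the ldapmodify input that removes them.
Added example; not code from the 389 DS project or from this thread."""
import base64

MANAGEDSAIT = "2.16.840.1.113730.3.4.2"   # manageDSAit control
PROXYAUTH = "2.16.840.1.113730.3.4.12"    # proxied authorization control
LOOPDETECT = "1.3.6.1.4.1.1466.29539.12"  # chaining loop-detection control
AD_REJECTED = frozenset({MANAGEDSAIT, PROXYAUTH})  # AD: Unavailable Critical Extension
CHAINING_SUFFIX = ",cn=chaining database,cn=plugins,cn=config"
CHAINING_CONFIG_DN = "cn=config" + CHAINING_SUFFIX

# Constructed dse.ldif fragment (not from a real server); the ad-link entry is assumed.
SAMPLE_DSE_LDIF = """\
dn: cn=config,cn=chaining database,cn=plugins,cn=config
objectClass: extensibleObject
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12

dn: cn=ad-link,cn=chaining database,cn=plugins,cn=config
objectClass: nsBackendInstance
nsslapd-suffix: dc=example,dc=com
nsfarmserverurl: ldap://ad.example.com:389/
nsmultiplexorbinddn: cn=fds-proxy,cn=users,dc=example,dc=com
nsProxiedAuthorization: on
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} with lower-cased dn/attr keys.
    Handles folded lines (leading space), '#' comments and 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "" or line.lower().startswith("dn:"):
            if current is not None:
                entries[current[0]] = current[1]
                current = None
        if line == "" or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = (base64.b64decode(value[1:]).decode() if value.startswith(":")
                 else value.strip())
        name = name.strip().lower()
        if name == "dn":
            current = (value.lower(), {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def _disabled(value):
    # Rich says "set nsProxiedAuthorization to 0"; 389 DS also documents on/off.
    # Assumption: 0/off/false mean disabled, anything else means enabled.
    return value.strip().lower() in {"0", "off", "false"}


def audit(entries):
    """Return (dn, attribute, value) triples that make AD reject chained requests."""
    findings = []
    for oid in entries.get(CHAINING_CONFIG_DN, {}).get("nstransmittedcontrols", []):
        if oid in AD_REJECTED:
            findings.append((CHAINING_CONFIG_DN, "nsTransmittedControls", oid))
    for dn, attrs in entries.items():
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if "nsbackendinstance" not in classes or not dn.endswith(CHAINING_SUFFIX):
            continue                      # not a database link instance
        # Assumption: proxied authorization defaults to on when the attribute is absent.
        for value in attrs.get("nsproxiedauthorization", ["on"]):
            if not _disabled(value):
                findings.append((dn, "nsProxiedAuthorization", value))
    return findings


def hardening_ldif(findings):
    """Render findings as ldapmodify input: delete each rejected control value
    and set nsProxiedAuthorization to 0 on each affected link."""
    by_dn = {}
    for dn, attr, value in findings:
        by_dn.setdefault(dn, []).append((attr, value))
    blocks = []
    for dn, changes in by_dn.items():
        mods = [f"delete: {a}\n{a}: {v}" if a == "nsTransmittedControls"
                else f"replace: {a}\n{a}: 0" for a, v in changes]
        blocks.append(f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(mods) + "\n")
    return "\n".join(blocks)


def apply_findings(entries, findings):
    """Apply the same changes in memory so the result can be re-audited."""
    fixed = {dn: {a: list(v) for a, v in attrs.items()} for dn, attrs in entries.items()}
    for dn, attr, value in findings:
        if attr == "nsTransmittedControls":
            fixed[dn]["nstransmittedcontrols"].remove(value)
        else:
            fixed[dn]["nsproxiedauthorization"] = ["0"]
    return fixed


if __name__ == "__main__":
    print(hardening_ldif(audit(parse_ldif(SAMPLE_DSE_LDIF))))
```

Run it against a copy of your own dse.ldif by replacing SAMPLE_DSE_LDIF with the file's contents; an empty audit() result after the change is the check that nothing the thread identified is still being transmitted, and a Wireshark capture of the next chained search should then show only the loop-detection control 1.3.6.1.4.1.1466.29539.12.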

