[Fedora-directory-users] LDAP proxy

Rich Megginson rmeggins at redhat.com
Wed Apr 22 13:25:12 UTC 2009


Michal Rejda wrote:
>> Michal Rejda wrote:
>>>> Michal Rejda wrote:
>>>>>> Michal Rejda wrote:
>>>>>>>> Michal Rejda wrote:
>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>>>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>>>>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>>>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>>>>>>>>
>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link
>>>>>>>>>>>>> doesn't work. I setup the database link to the Active Directory (and
>>>>>>>>>>>>> OpenLDAP). When I looked into Wireshark log, FDS sends search request
>>>>>>>>>>>>> with controls:
>>>>>>>>>>>>> 	2.16.840.1.113730.3.4.2
>>>>>>>>>>>>> 	2.16.840.1.113730.3.4.12
>>>>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>>>>>>>> I tried to remove these two controls from Database Link Settings (in
>>>>>>>>>>>>> administration console) but it didn't help. The server didn't return
>>>>>>>>>>>>> the message above, but the administrative console shows an error dialog.
>>>>>>>>>>>> What error?
>>>>>>>>>>> I tried it again and the error message is exactly:
>>>>>>>>>>>
>>>>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
>>>>>>>>>>> The error send by the server was:
>>>>>>>>>>> ".
>>>>>>>>>>>
>>>>>>>>>>> In the Wireshark log was still the search request with control:
>>>>>>>>>>> 	2.16.840.1.113730.3.4.2
>>>>>>>>>>>
>>>>>>>>>>> Why is this control needed by the server when I removed it from
>>>>>>>>>>> Database link settings?
>>>>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
>>>>>>>>>> 1) Shutdown the server
>>>>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>>>>>>>> 3) edit dse.ldif - look for the entry
>>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>>>>> 4) edit the nsTransmittedControls attribute - remove
>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>> 5) save and restart the server
>>>>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There
>>>>>>>>> is only the 1.3.6.1.4.1.1466.29539.12, not the problematic
>>>>>>>>> 2.16.840.1.113730.3.4.2.
>>>>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>>>>>>> If it is, I don't see it. There is no mention of managedsa or
>>>>>>>> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code.
>>>>>>>> The only place it is mentioned is in the default list of
>>>>>>>> nsTransmittedControls in the template-dse.ldif used during new
>>>>>>>> instance creation.
>>>>>>>>> Why is this so necessary?
>>>>>>>> It's not necessary, and I'm not sure where it is coming from.
>>>>>>>> One place might be an internal operation, but I'm not sure what
>>>>>>>> internal operation would be doing this. You might also try to
>>>>>>>> remove nsActiveChainingComponents and
>>>>>>>> nsPossibleChainingComponents to see if
>>>>>>>> one of those components is doing an internal operation with
>>>>>>>> managedsait set.
>>>>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents
>>>>>>> and it didn't help.
>>>>>> Then I'm not sure where it's coming from. I suppose you could
>>>>>> enable tracing in the directory server and see if there is anything
>>>>>> interesting in the error log - see
>>>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>> In the attachment is the part of the server error log. I removed all
>>>>> messages before I click on the exclamation mark before the DN in the
>>>>> Fedora administration console -> Directory folder tab. I don't
>>>>> understand this log. Is it helpful for you?
>>>> Ah, I see. You are using the console to try to browse the AD tree?
>>>> And you are using the console admin user "admin"? Try ldapsearch from
>>>> the command line, and attempt to authenticate as an AD user (e.g.
>>>> cn=administrator,cn=users,dc=example,dc=com).
>>> Yes, you are right. I use the console to browse AD tree. But I do
>>> this because there is attention marker before the root suffix
>>> (lib-w2k3r2) in the Directory tab and I just double click on it.
>>> I tried ldapsearch using AD user (Administrator). I'm able to login
>>> but the ldapsearch doesn't show any results (I use Apache Directory
>>> Studio). When I looked into Wireshark log, I now see that another
>>> critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in
>>> the attachment.
>> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.
>> Set nsProxiedAuthorization to 0 - that should make it not use
>> 2.16.840.1.113730.3.4.12 which is the proxyauth control.
>
> It works. Thank you very much! I can connect to the AD and list users and whatever I want.
> I have one more difficulty. When I send ldapmodify to the node in the AD, FDS adds to this request two more attributes (modifiersname, modifytimestamp). AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece). Is it possible to disable this functionality
Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0
> or rewrite attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change AD schema.
No, it's not possible to map it.

BTW, I would really appreciate it if you could write up something for 
the wiki about "using chaining to create an AD 'view'" - if you would 
rather just send me the info in an email, that would be fine too.
>>>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I’m trying to setup proxy on FDS to another LDAP server (OpenLDAP
>>>>>>>>>>>>>>> and Active Directory). I tried two ways, but none of these works:
>>>>>>>>>>>>>>> 1) New database link to LDAP server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control
>>>>>>>>>>>>>>> value not found
>>>>>>>>>>>>>> You might have to tweak the controls used by chaining - see
>>>>>>>>>>>>>> http://tinyurl.com/culeft
>>>>>>>>>>>>>>> 2) Create multiple-master replication and setup other server as
>>>>>>>>>>>>>>> consumer.
>>>>>>>>>>>>>>> - But this show error: 255 Replication error acquiring replica:
>>>>>>>>>>>>>>> unknown error.
>>>>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>>>>>>>>>> My question is: Is there way how to setup proxy to access another LDAP
>>>>>>>>>>>>>>> server from Fedora DS? I know that is possible to use AD sync, but I
>>>>>>>>>>>>>>> cannot install anything on the AD server. The second reason why I need
>>>>>>>>>>>>>>> to setup proxy is to use data stored in LDAP server (OpenLDAP,
>>>>>>>>>>>>>>> Open Directory Server and Active Directory) in one place. I need to update
>>>>>>>>>>>>>>> them too. It is not necessary to synchronize passwords.
>>>>>>>>>>>>>> See also
>>>>>>>>>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>>>>>>>>>>>> Thank you for reply.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Michal
>>>>>>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
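A check for the three settings the thread ends up changing (the two transmitted controls, nsProxiedAuthorization and nsslapd-lastmod), as an added example that is not code from the thread or the 389/Fedora DS project; the dse.ldif sample is constructed, and placing nsProxiedAuthorization on the database link entry is an assumption.

```python
# Added example (not the thread's or the 389/Fedora DS project's code): audit dse.ldif for chaining settings AD rejects.
MANAGEDSAIT = "2.16.840.1.113730.3.4.2"   # manageDSAit: AD answered "Unavailable Critical Extension"
PROXYAUTH = "2.16.840.1.113730.3.4.12"    # proxied authorization: sent while nsProxiedAuthorization is on
CHAIN_CFG = "cn=config,cn=chaining database,cn=plugins,cn=config"
OFF = ("0", "off")                        # the thread says 0; 389 DS also writes off

def parse_ldif(text):
    """Minimal LDIF reader -> {normalised dn: {lowercase attr: [values]}}; unfolds wrapped values."""
    entries, cur, last = {}, None, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            last[-1] += line[1:]              # LDIF continuation of the previous value
        elif not line.strip():
            cur = last = None                 # blank line ends the entry
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            attr, val = attr.strip().lower(), val.strip()
            if attr == "dn":
                cur, last = entries.setdefault(val.replace(", ", ",").lower(), {}), None
            elif cur is not None:
                last = cur.setdefault(attr, [])
                last.append(val)
    return entries

def audit(entries):
    """Return (attribute, value) pairs that would make AD reject chained operations."""
    findings = [("nsTransmittedControls", o) for o in entries.get(CHAIN_CFG, {}).get("nstransmittedcontrols", [])
                if o in (MANAGEDSAIT, PROXYAUTH)]
    for dn, attrs in entries.items():         # database link entries: assumed location of nsProxiedAuthorization
        if dn.endswith(",cn=chaining database,cn=plugins,cn=config") and dn != CHAIN_CFG:
            findings += [("nsProxiedAuthorization", v) for v in attrs.get("nsproxiedauthorization", [])
                         if v.lower() not in OFF]
    findings += [("nsslapd-lastmod", v) for v in entries.get("cn=config", {}).get("nsslapd-lastmod", [])
                 if v.lower() not in OFF]     # on: FDS adds modifiersname/modifytimestamp, which AD refuses
    return findings

# Constructed sample dse.ldif fragment with every setting left at a value AD rejects.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12

dn: cn=adlink,cn=chaining database,cn=plugins,cn=config
nsProxiedAuthorization: on
"""
```

With proxied authorization switched off, every chained operation reaches AD under the database link's own bind identity rather than the connecting user's, so the link's bind account needs only the rights the AD view requires and access control for that view has to be enforced on the FDS side.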