[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Rich Megginson rmeggins at redhat.com
Wed Jul 15 17:02:37 UTC 2009


Giovanni Mancuso wrote:
> Hi,
>
> I am trying to configure 2 Directory Servers with a db link.
>
> I have a first DS that points to a second DS that has its DB in the filesystem.
>
> I create a proxy user in second DS:
>
> # tproxy, config
> dn: uid=tproxy,cn=config
> uid: tproxy
> givenName: test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: proxy
> cn: test proxy
> userPassword:: *********************************************
>
> and I create in the first DS the "Database link" that uses this user to 
> bind in the second DS.
>
> In the second DS I add the following aci:
What entry did you add this aci to?
>
> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 
> 3.0;acl "AciChepermettetutto";allow (all)(userdn = 
> "ldap:///uid=tproxy,cn=config");)
You should not need this aci.
>
> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 
> 3.0;acl "proxy acl";allow (proxy)(userdn = 
> "ldap:///uid=tproxy,cn=config");)
This is the correct aci
>
> But if I try to execute the ldapsearch in the first directory server I get 
> the following error:
Proxy does not currently work with Directory Manager.  Directory Manager 
is considered a "local" user to each directory server.  Try a different 
user.
>
> ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w 
> ********* -b "dc=example,dc=com" "(objectclass=*)"
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 53 Server is unwilling to perform
> text: Proxy dn should not be rootdn
>
> # numResponses: 1
>
> If I enable verbose logging in my error log I have:
>
> [15/Jul/2009:18:44:47 +0200] - activity on 65r
> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() 
> conn=0xb1557d68, handle=3
> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() 
> returning NO VALUE      
> [15/Jul/2009:18:44:47 +0200] - read activity on 
> 65                                           
> [15/Jul/2009:18:44:47 +0200] - 
> add_pb                                                        
> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() 
> conn=0xb1557c08, handle=3
> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() 
> returning NO VALUE      
> [15/Jul/2009:18:44:47 +0200] - 
> get_pb                                                        
> [15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 
> 2                                     
> [15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 
> conns                          
> [15/Jul/2009:18:44:47 +0200] - 
> do_search                                                     
> [15/Jul/2009:18:44:47 +0200] - => 
> get_filter_internal                                        
> [15/Jul/2009:18:44:47 +0200] - 
> PRESENT                                                       
> [15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 
> 0                                      
> [15/Jul/2009:18:44:47 +0200] get_filter - before optimize: 
> (objectClass=*)                   
> [15/Jul/2009:18:44:47 +0200] get_filter -  after optimize: 
> (objectClass=*)                   
> [15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 
> deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" 
> attrs=ALL
> [15/Jul/2009:18:44:47 +0200] - => 
> get_ldapmessage_controls                                                                                         
>
> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 
> 2.16.840.1.113730.3.4.2)                                                      
>
> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 
> 1.3.6.1.4.1.42.2.27.8.5.1)
> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
> 2.16.840.1.113730.3.4.3)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
> 2.16.840.1.113730.3.4.20)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
> 2.16.840.1.113730.3.4.14)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
> 1.3.6.1.4.1.42.2.27.9.5.2)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
> [15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() 
> conn=0xb1557cb8, handle=2
> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() 
> returning NO VALUE
> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() 
> conn=0xb1557cb8, handle=1
> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() 
> returning NO VALUE
> [15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, 
> timelimit=3600
> [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 
> type 403
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
> 2.16.840.1.113730.3.4.12)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
> [15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should 
> not be rootdn
> [15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
> [15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
> [15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
> [15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() 
> conn=0xb1557d68, handle=3
> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() 
> returning NO VALUE
> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() 
> conn=0xb1557cb8, handle=3
> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() 
> returning NO VALUE
> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() 
> conn=0xb1557c08, handle=3
> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() 
> returning NO VALUE
> [15/Jul/2009:18:44:49 +0200] - listener got signaled
> [15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 
> (scheduled for 1247676293)
> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>
> The problem seems to be the "ACL preoperation" plugin. Indeed, if I disable 
> this plugin, it WORKS.
> But I cannot disable this plugin.
>
> Any ideas to solve the problem??
>
> Thanks and sorry in advance for my bad English
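The rejection in the quoted error log follows a fixed sequence: the ACL preoperation plugin finds control 2.16.840.1.113730.3.4.12 on the request and then sends result 53. The script below is an added example, not part of the original thread or of the 389 Directory Server code, that picks that sequence out of a verbose error log; the function names are hypothetical and the sample records are copied from the log quoted above.

```python
import re

# OID the quoted log shows the ACL plugin finding before it rejects the search
# (the Netscape-style proxied-authorization request control).
PROXY_AUTH_OID = "2.16.840.1.113730.3.4.12"
STAMP = re.compile(r"^\[([^\]]+)\]\s+(.*)$")

# Sample input: records copied from the quoted log, still '>'-quoted and mail-wrapped.
SAMPLE = """\
> [15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
> [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1
> type 403
> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
> 2.16.840.1.113730.3.4.12)
> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
> [15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should
> not be rootdn
> [15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
"""

def unwrap(text):
    """Drop '>' quoting and rejoin records that were wrapped onto a second line."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if line and (STAMP.match(line) or not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def rejected_proxy_ops(text):
    """Report each result 53 sent after the proxied-auth control was found."""
    findings, state, asked = [], {}, None
    for stamp, msg in (STAMP.match(r).groups() for r in unwrap(text) if STAMP.match(r)):
        if m := re.search(r"mapping tree selected backend : (\S+)", msg):
            state, asked = {"backend": m.group(1)}, None
        elif m := re.search(r"Calling plugin '([^']+)'", msg):
            state["plugin"] = m.group(1)
        elif m := re.search(r"=> slapi_control_present \(looking for ([\d.]+)\)", msg):
            asked = m.group(1)
        elif "<= slapi_control_present 1 (FOUND)" in msg:
            state["proxied"] = state.get("proxied") or asked == PROXY_AUTH_OID
        elif (m := re.search(r"=> send_ldap_result (\d+)::(.*)", msg)) and state.get("proxied"):
            if m.group(1) == "53":
                findings.append({"time": stamp, "backend": state.get("backend"),
                                 "plugin": state.get("plugin"), "text": m.group(2)})
    return findings
```

Calling `rejected_proxy_ops()` on a full error log returns one entry per rejected proxied operation, with the backend and the plugin that was running when the result was sent.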
