[Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

Rich Megginson rmeggins at redhat.com
Fri Mar 6 15:40:25 UTC 2015


On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:
> FreeIPA logs:
> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND 
> dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128 version=3
> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 
> nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH 
> base="cn=users,cn=compat,dc=server,dc=local" scope=2 
> filter="(objectClass=inetOrgPerson)" attrs="uid description givenName 
> sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 
> nentries=2 etime=0 notes=P
> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>
> vCenter SSO error:
> Error: Idm client exception: Control not found

There's no error log debug level which will give us all of the controls 
received by the server or all of the controls sent back by the server.  
The TRACE level will give us some information.

But the problem appears to be that vCenter is expecting some control.  
There is no way we can tell what control that might be by analyzing the 
LDAP protocol, even with wireshark.  If the vCenter documentation does 
not suffice, and VMWare support is not forthcoming, then we might be 
able to reverse engineer the code. For example, search the code, if 
scripts, or use something like the "strings" command on binaries, to 
look for well known OID prefixes.

For example, from dirsrv:
# strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep "1.3.6.1.4"
1.3.6.1.4.1.1466.115.121.1.34
1.3.6.1.4.1.1466.115.121.1.12
1.3.6.1.4.1.1466.115.121.1.15
1.3.6.1.4.1.42.2.27.8.5.1
1.3.6.1.4.1.42.2.27.9.5.2
...

If we can narrow down the list of possible control OIDs that vCenter 
knows about, we can perhaps figure out if 389 supports them.

>
> On 3/6/15 8:45 PM, Herwono W Wijaya wrote:
>> sorry my mistake, okay I'll check slapd log files and try to figure 
>> out what happened
>>
>> On 3/6/15 8:43 PM, Martin Kosek wrote:
>>> This is the directory on FreeIPA server that the vCenter is 
>>> authenticating users against.
>>>
>>> On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:
>>>> there is no directory "/var/log/dirsrv/" in 5.5u2b version
>>>>
>>>> On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
>>>>> On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek <mkosek at redhat.com
>>>>> <mailto:mkosek at redhat.com>> wrote:
>>>>>
>>>>>     Ah, I am not sure what control do they mean.
>>>>>
>>>>>     But in general, when, it is always interesting to check the 
>>>>> LDAP access
>>>>>     logs to see the last failed request and then try the same 
>>>>> search with
>>>>>     ldapsearch and fix things.
>>>>>
>>>>>     Martin
>>>>>
>>>>>
>>>>> see my previous e-mail:
>>>>>
>>>>> /var/log/dirsrv/slapd-REALM-NAME/
>>>>>
>>>>> contains log and you will see which kind of queries vSphere is doing.
>>>>>
>>>>> Gianluca
>>>>
>>>> -- 
>>>> Regards, Herwono W Wijaya https://linuxcoding.org | *VMware vExpert 
>>>> 2014, 2015
>>>> <https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>* 
>>>>
>>>>
>>>
>>
>
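As an added example (not part of Rich's reply or anything posted in this thread), the OID-narrowing step described above can be scripted: pull OID-looking strings out of a client binary the way `strings | grep` does, drop the ones that are LDAP attribute-syntax OIDs rather than controls, and compare what is left against the supportedControl values the directory server publishes in its root DSE. The binary blob and the root DSE LDIF below are constructed sample inputs; the value 1.3.6.1.4.1.99999.1.1 is a placeholder standing in for whatever unadvertised control a client might reference, not a real control.

```python
"""Find control OIDs a client binary references that the server does not
advertise.  Added example; all inputs are constructed, nothing here is
read from a real vCenter or 389 DS installation."""
import re

# OIDs always start with arc 0, 1 or 2 and have several dotted arcs; this
# keeps version strings such as "5.5.0.2" out of the candidate list.
OID_RE = re.compile(rb"\b[0-2](?:\.\d+){2,}\b")

# RFC 4517 attribute syntax OIDs live under this prefix (several of them
# show up in the libslapd.so strings output quoted in the thread); they
# are not controls and are filtered out of the comparison.
SYNTAX_PREFIX = "1.3.6.1.4.1.1466.115.121.1."

# Labels for a few well-known controls, only to make the report readable.
KNOWN_CONTROLS = {
    "1.2.840.113556.1.4.319": "Simple Paged Results (RFC 2696)",
    "1.2.840.113556.1.4.473": "Server Side Sort (RFC 2891)",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy control",
    "2.16.840.1.113730.3.4.9": "Virtual List View request",
}

# Constructed stand-in for a client library: a fake ELF header, a version
# string, two real control OIDs, one syntax OID and a placeholder OID.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"idm-client\x00version 5.5.0.2\x00"
    + b"1.2.840.113556.1.4.319\x00"          # paged results
    + b"1.2.840.113556.1.4.473\x00"          # server-side sort
    + b"1.3.6.1.4.1.1466.115.121.1.15\x00"   # Directory String syntax
    + b"1.3.6.1.4.1.99999.1.1\x00"           # placeholder, not a real control
    + b"\xff\xfe\x00"
)

# Constructed root DSE excerpt in the shape ldapsearch prints it.
SAMPLE_ROOT_DSE = """dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 2.16.840.1.113730.3.4.9
"""


def extract_oids(blob: bytes) -> list:
    """Unique OID-looking strings in the raw bytes, in the order found."""
    found = []
    for match in OID_RE.finditer(blob):
        oid = match.group(0).decode("ascii")
        if oid not in found:
            found.append(oid)
    return found


def candidate_controls(blob: bytes) -> list:
    """Extracted OIDs with attribute-syntax OIDs removed."""
    return [o for o in extract_oids(blob) if not o.startswith(SYNTAX_PREFIX)]


def parse_supported_controls(ldif: str) -> set:
    """supportedControl values from root DSE LDIF text."""
    return {
        line.split(":", 1)[1].strip()
        for line in ldif.splitlines()
        if line.startswith("supportedControl:")
    }


def missing_controls(blob: bytes, root_dse_ldif: str) -> list:
    """Candidate control OIDs the server does not advertise."""
    supported = parse_supported_controls(root_dse_ldif)
    return [o for o in candidate_controls(blob) if o not in supported]


def describe(oid: str) -> str:
    return KNOWN_CONTROLS.get(oid, "unknown / not a well-known control")


if __name__ == "__main__":
    print("control OIDs referenced by client:")
    for oid in candidate_controls(SAMPLE_BINARY):
        print(f"  {oid}  {describe(oid)}")
    print("not advertised by server:")
    for oid in missing_controls(SAMPLE_BINARY, SAMPLE_ROOT_DSE):
        print(f"  {oid}  {describe(oid)}")
```

Against a real deployment the blob would be the bytes of the client library and the LDIF the output of `ldapsearch -x -H ldap://ipa.example.test -s base -b '' supportedControl` (hostname is a placeholder). Anything left in the "not advertised" list is a candidate for the control the client is complaining about; version strings and other dotted numbers can still slip past the regex, so the list is a starting point for checking, not a verdict.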
