[Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO
Rich Megginson
rmeggins at redhat.com
Fri Mar 6 16:10:09 UTC 2015
On 03/06/2015 09:01 AM, Herwono W Wijaya wrote:
> this result from
> #strings /usr/lib/openldap/slapd | grep "1.3.6.1.4"
Sorry, I should have been much more explicit about what you need to do:
1) Are you a VMWare customer with a paid support contract? If so, then
contact VMWare support - ask them which LDAP controls vCenter knows
about and which ones it can expect in an LDAP response.
2) Look for LDAP Control OIDs in the _vCenter_ code, not the openldap
code. I can't help you here - I don't have vCenter, and I have no idea
what the code/binary layout looks like on disk. For example, here is a
list of well known LDAP Control OIDs:
https://www.ldap.com/ldap-oid-reference - scroll down to OIDs for Controls
>
> On 3/6/15 10:40 PM, Rich Megginson wrote:
>> On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:
>>> FreeIPA logs:
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND
>>> dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128
>>> version=3
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0
>>> dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH
>>> base="cn=users,cn=compat,dc=server,dc=local" scope=2
>>> filter="(objectClass=inetOrgPerson)" attrs="uid description
>>> givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101
>>> nentries=2 etime=0 notes=P
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>>
>>> vCenter SSO error:
>>> Error: Idm client exception: Control not found
>>
>> There's no error log debug level which will give us all of the
>> controls received by the server or all of the controls sent back by
>> the server. The TRACE level will give us some information.
>>
>> But the problem appears to be that vCenter is expecting some
>> control. There is no way we can tell what control that might be by
>> analyzing the LDAP protocol, even with wireshark. If the vCenter
>> documentation does not suffice, and VMWare support is not
>> forthcoming, then we might be able to reverse engineer the code. For
>> example, search the code, if scripts, or use something like the
>> "strings" command on binaries, to look for well known OID prefixes.
>>
>> For example, from dirsrv:
>> # strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep "1.3.6.1.4"
>> 1.3.6.1.4.1.1466.115.121.1.34
>> 1.3.6.1.4.1.1466.115.121.1.12
>> 1.3.6.1.4.1.1466.115.121.1.15
>> 1.3.6.1.4.1.42.2.27.8.5.1
>> 1.3.6.1.4.1.42.2.27.9.5.2
>> ...
>>
>> If we can narrow down the list of possible control OIDs that vCenter
>> knows about, we can perhaps figure out if 389 supports them.
>>
>>>
>>> On 3/6/15 8:45 PM, Herwono W Wijaya wrote:
>>>> sorry my mistake, okay I'll check slapd log files and try to figure
>>>> out what happened
>>>>
>>>> On 3/6/15 8:43 PM, Martin Kosek wrote:
>>>>> This is the directory on FreeIPA server that the vCenter is
>>>>> authenticating users against.
>>>>>
>>>>> On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:
>>>>>> there is no directory "/var/log/dirsrv/" in 5.5u2b version
>>>>>>
>>>>>> On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
>>>>>>> On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>>>>
>>>>>>> Ah, I am not sure what control they mean.
>>>>>>>
>>>>>>> But in general, it is always interesting to check the LDAP access
>>>>>>> logs to see the last failed request and then try the same search
>>>>>>> with ldapsearch and fix things.
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>>
>>>>>>> see my previous e-mail:
>>>>>>>
>>>>>>> /var/log/dirsrv/slapd-REALM-NAME/
>>>>>>>
>>>>>>> contains log and you will see which kind of queries vSphere is
>>>>>>> doing.
>>>>>>>
>>>>>>> Gianluca
>>>>>>
>>>>>> --
>>>>>> Regards, Herwono W Wijaya https://linuxcoding.org | *VMware
>>>>>> vExpert 2014, 2015
>>>>>> <https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>*
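Rich's suggestion above (run `strings` over the client binary, keep the OID-looking hits, and check them against the well-known LDAP control OIDs) and the 389 DS access log excerpt earlier in the thread, worked through as an added Python example. This is not code from the thread, FreeIPA, 389 DS or VMware. `SAMPLE_BINARY` is a constructed byte blob standing in for a vCenter binary (the OID `1.3.6.1.4.1.99999.1.1` in it is made up), `SAMPLE_ACCESS_LOG` is the log posted in the thread with its wrapped lines re-joined, and the OID table is limited to entries whose RFC or vendor reference is named beside them.

```python
"""Hunt for LDAP control OIDs in a client binary and in the 389 DS access log.
Added example for this thread, not code from FreeIPA, 389 DS or VMware.
SAMPLE_BINARY is a constructed stand-in; SAMPLE_ACCESS_LOG is the log from the thread."""
import re
from typing import Dict, List

# Well-known LDAP control OIDs (RFC / vendor reference beside each entry).
KNOWN_CONTROLS: Dict[str, str] = {
    "1.2.840.113556.1.4.319": "Simple Paged Results (RFC 2696)",
    "1.2.840.113556.1.4.473": "Server-Side Sort request (RFC 2891)",
    "1.2.840.113556.1.4.474": "Server-Side Sort response (RFC 2891)",
    "1.3.6.1.1.12": "Assertion (RFC 4528)",
    "1.3.6.1.1.13.1": "Pre-Read (RFC 4527)",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy (draft-behera-ldap-password-policy)",
    "1.3.6.1.4.1.42.2.27.9.5.2": "Get Effective Rights (Sun/389 DS)",
    "1.3.6.1.4.1.4203.1.9.1.1": "Content Sync request (RFC 4533)",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "2.16.840.1.113730.3.4.9": "Virtual List View request",
    "2.16.840.1.113730.3.4.18": "Proxied Authorization v2 (RFC 4370)",
}
# Not controls, but they share the "1.3.6.1.4" prefix and land in the same grep.
KNOWN_EXTOPS: Dict[str, str] = {
    "1.3.6.1.4.1.1466.20037": "StartTLS extended op (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify extended op (RFC 3062)",
}
SYNTAX_PREFIX = "1.3.6.1.4.1.1466.115.121.1."  # attribute syntaxes (RFC 4517)

# An OID's first arc is 0, 1 or 2; demanding four arcs keeps "5.5.0.2"-style
# version strings out of the result.
OID_RE = re.compile(rb"(?<![0-9.])[0-2](?:\.[0-9]+){3,}(?![0-9.])")


def extract_oids(blob: bytes) -> List[str]:
    """Distinct OID-looking strings in a binary, in order of first appearance."""
    found: List[str] = []
    for m in OID_RE.finditer(blob):
        oid = m.group(0).decode("ascii")
        if oid not in found:
            found.append(oid)
    return found


def classify(oid: str) -> str:
    """Label an OID: known control, known extended op, attribute syntax, or unknown."""
    if oid in KNOWN_CONTROLS:
        return "control: " + KNOWN_CONTROLS[oid]
    if oid in KNOWN_EXTOPS:
        return "extop: " + KNOWN_EXTOPS[oid]
    if oid.startswith(SYNTAX_PREFIX):
        return "attribute syntax (not a control)"
    return "unknown"


def controls_in_binary(blob: bytes) -> Dict[str, str]:
    """Known control OIDs in the blob: the shortlist to compare with the server's
    supportedControl values in its root DSE."""
    return {o: KNOWN_CONTROLS[o] for o in extract_oids(blob) if o in KNOWN_CONTROLS}


# 389 DS puts "notes=P" on the RESULT line of a search that carried the
# paged-results control; U and A are the unindexed / all-IDs markers.
NOTES = {"P": "paged results control (1.2.840.113556.1.4.319)",
         "U": "unindexed search", "A": "all-IDs threshold exceeded"}
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) "
                       r"tag=(?P<tag>\d+) nentries=(?P<n>\d+)(?:.*? notes=(?P<notes>[A-Z,]+))?")


def result_notes(access_log: str) -> List[dict]:
    """One record per RESULT line: conn/op, error, entry count and expanded notes."""
    out = []
    for line in access_log.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        codes = m.group("notes").split(",") if m.group("notes") else []
        out.append({"conn": int(m.group("conn")), "op": int(m.group("op")),
                    "err": int(m.group("err")), "nentries": int(m.group("n")),
                    "notes": [NOTES.get(c, "unknown note " + c) for c in codes]})
    return out


# Constructed stand-in for a client binary: ELF-ish header, a version string,
# two controls, one syntax OID and one made-up OID that is not in the table.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00vCenter build 5.5.0.2\x00"
                 b"1.2.840.113556.1.4.319\x001.3.6.1.4.1.1466.115.121.1.15\x00"
                 b"2.16.840.1.113730.3.4.2\x001.3.6.1.4.1.99999.1.1\x00")

# The access log excerpt from the thread, wrapped lines re-joined.
SAMPLE_ACCESS_LOG = """\
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base="cn=users,cn=compat,dc=server,dc=local" scope=2 filter="(objectClass=inetOrgPerson)" attrs="uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
"""

if __name__ == "__main__":
    for oid in extract_oids(SAMPLE_BINARY):
        print(f"{oid:32} {classify(oid)}")
    for rec in result_notes(SAMPLE_ACCESS_LOG):
        print(rec)
```

Against a real binary, read the file in binary mode and pass its bytes to `controls_in_binary`; the syntax OIDs that dominate the thread's `grep "1.3.6.1.4"` output are labelled rather than listed as candidates. The resulting shortlist is what to compare with the server side: `ldapsearch -x -H ldap://<ipa-server> -b "" -s base supportedControl` returns the control OIDs the 389 DS instance advertises in its root DSE. On the thread's own log, `result_notes` reports the search RESULT line (op=1) as carrying `notes=P`, which 389 DS uses for a search that arrived with the Simple Paged Results control.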