[Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

Rich Megginson rmeggins at redhat.com
Fri Mar 6 16:10:09 UTC 2015


On 03/06/2015 09:01 AM, Herwono W Wijaya wrote:
> this result from
> #strings /usr/lib/openldap/slapd | grep "1.3.6.1.4"

Sorry, I should have been much more explicit about what you need to do:

1) Are you a VMware customer with a paid support contract?  If so, then
contact VMware support - ask them which LDAP controls vCenter knows
about and which ones it can expect in an LDAP response.

2) Look for LDAP Control OIDs in the _vCenter_ code, not the openldap
code.  I can't help you here - I don't have vCenter, and I have no idea
what the code/binary layout looks like on disk.  For example, here is a
list of well-known LDAP Control OIDs:
https://www.ldap.com/ldap-oid-reference - scroll down to OIDs for Controls

>
> On 3/6/15 10:40 PM, Rich Megginson wrote:
>> On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:
>>> FreeIPA logs:
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND 
>>> dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128 
>>> version=3
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 
>>> nentries=0 etime=0 
>>> dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH 
>>> base="cn=users,cn=compat,dc=server,dc=local" scope=2 
>>> filter="(objectClass=inetOrgPerson)" attrs="uid description 
>>> givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 
>>> nentries=2 etime=0 notes=P
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
>>> [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
>>>
>>> vCenter SSO error:
>>> Error: Idm client exception: Control not found
>>
>> There's no error log debug level which will give us all of the 
>> controls received by the server or all of the controls sent back by 
>> the server.  The TRACE level will give us some information.
>>
>> But the problem appears to be that vCenter is expecting some
>> control.  There is no way we can tell what control that might be by
>> analyzing the LDAP protocol, even with Wireshark.  If the vCenter
>> documentation does not suffice, and VMware support is not
>> forthcoming, then we might be able to reverse engineer the code.  For
>> example, search the code if it is scripts, or use something like the
>> "strings" command on binaries, to look for well-known OID prefixes.
>>
>> For example, from dirsrv:
>> # strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep "1.3.6.1.4"
>> 1.3.6.1.4.1.1466.115.121.1.34
>> 1.3.6.1.4.1.1466.115.121.1.12
>> 1.3.6.1.4.1.1466.115.121.1.15
>> 1.3.6.1.4.1.42.2.27.8.5.1
>> 1.3.6.1.4.1.42.2.27.9.5.2
>> ...
>>
>> If we can narrow down the list of possible control OIDs that vCenter 
>> knows about, we can perhaps figure out if 389 supports them.
>>
>>>
>>> On 3/6/15 8:45 PM, Herwono W Wijaya wrote:
>>>> sorry my mistake, okay I'll check slapd log files and try to figure 
>>>> out what happened
>>>>
>>>> On 3/6/15 8:43 PM, Martin Kosek wrote:
>>>>> This is the directory on FreeIPA server that the vCenter is
>>>>> authenticating users against.
>>>>>
>>>>> On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:
>>>>>> there is no directory "/var/log/dirsrv/" in 5.5u2b version
>>>>>>
>>>>>> On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
>>>>>>> On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek <mkosek at redhat.com
>>>>>>> <mailto:mkosek at redhat.com>> wrote:
>>>>>>>
>>>>>>>     Ah, I am not sure what control they mean.
>>>>>>>
>>>>>>>     But in general, it is always interesting to check the LDAP
>>>>>>>     access logs to see the last failed request and then try the
>>>>>>>     same search with ldapsearch and fix things.
>>>>>>>
>>>>>>>     Martin
>>>>>>>
>>>>>>>
>>>>>>> see my previous e-mail:
>>>>>>>
>>>>>>> /var/log/dirsrv/slapd-REALM-NAME/
>>>>>>>
>>>>>>> contains log and you will see which kind of queries vSphere is 
>>>>>>> doing.
>>>>>>>
>>>>>>> Gianluca
>>>>>>
>>>>>> -- 
>>>>>> Regards, Herwono W Wijaya https://linuxcoding.org | *VMware 
>>>>>> vExpert 2014, 2015
>>>>>> <https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>* 
>>>>>>
> -- 
> Regards,
> Herwono W Wijaya
> https://linuxcoding.org | *VMware vExpert 2014, 2015 
> <https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>* 
>
>
>
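
The `strings | grep "1.3.6.1.4"` idea from the message above, as an added example that is not code from this thread, from 389-ds/FreeIPA or from VMware: it pulls every dotted-numeric string out of a binary image, not just one arc, and runs the hits through a lookup table so that control OIDs can be told apart from the attribute-syntax and matching-rule OIDs that a raw `strings` run mixes in (the .1466.115.121.1.* hits in Rich's output are syntaxes, not controls). The tables are a subset of the ldap.com OID reference and the cited RFCs; the byte blob is constructed to stand in for a real binary.

```python
"""Find dotted OID strings in a binary image and sort out which are LDAP
controls.  Added example for this thread, not code from 389-ds, FreeIPA or
VMware.  The lookup tables are a subset of the well-known OIDs listed at
https://www.ldap.com/ldap-oid-reference and in the RFCs named below.
"""
import re
from collections import defaultdict

# Request/response control OIDs a client such as vCenter might expect.
KNOWN_CONTROLS = {
    "1.2.840.113556.1.4.319": "Simple Paged Results (RFC 2696)",
    "1.2.840.113556.1.4.473": "Server-Side Sort request (RFC 2891)",
    "1.2.840.113556.1.4.474": "Server-Side Sort response (RFC 2891)",
    "1.2.840.113556.1.4.417": "Show Deleted Objects (Active Directory)",
    "1.2.840.113556.1.4.805": "Tree Delete (Active Directory)",
    "1.3.6.1.1.12": "Assertion (RFC 4528)",
    "1.3.6.1.1.13.1": "Pre-Read (RFC 4527)",
    "1.3.6.1.1.13.2": "Post-Read (RFC 4527)",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy (draft-behera-ldap-password-policy)",
    "1.3.6.1.4.1.42.2.27.9.5.2": "Get Effective Rights request",
    "1.3.6.1.4.1.4203.1.10.1": "Subentries (RFC 3672)",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "2.16.840.1.113730.3.4.3": "Persistent Search",
    "2.16.840.1.113730.3.4.4": "Password Expired",
    "2.16.840.1.113730.3.4.5": "Password Expiring",
    "2.16.840.1.113730.3.4.9": "Virtual List View request",
    "2.16.840.1.113730.3.4.10": "Virtual List View response",
    "2.16.840.1.113730.3.4.16": "Authorization Identity request (RFC 3829)",
    "2.16.840.1.113730.3.4.15": "Authorization Identity response (RFC 3829)",
    "2.16.840.1.113730.3.4.18": "Proxied Authorization v2 (RFC 4370)",
}

# Extended operations are OIDs too, but travel in an ExtendedRequest,
# not in the controls field, so a hit here does not explain a control error.
KNOWN_EXTENDED_OPS = {
    "1.3.6.1.4.1.1466.20037": "StartTLS (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify (RFC 3062)",
    "1.3.6.1.4.1.4203.1.11.3": "Who Am I? (RFC 4532)",
}

# Arcs that hold schema element OIDs; hits here are never controls.
SCHEMA_PREFIXES = [
    ("1.3.6.1.4.1.1466.115.121.1.", "attribute syntax (RFC 4517)"),
    ("2.5.4.", "attribute type (RFC 4519)"),
    ("2.5.6.", "object class (RFC 4519)"),
    ("2.5.13.", "matching rule (RFC 4517)"),
]

# At least four arcs, and not a slice of a longer dotted run.
OID_RE = re.compile(rb"(?<![\d.])\d+(?:\.\d+){3,}(?![\d.])")


def extract_oids(blob):
    """Return the distinct dotted-numeric strings found anywhere in blob."""
    return sorted({m.group().decode("ascii") for m in OID_RE.finditer(blob)})


def classify(oid):
    """Map one OID to (category, description)."""
    if oid in KNOWN_CONTROLS:
        return "control", KNOWN_CONTROLS[oid]
    if oid in KNOWN_EXTENDED_OPS:
        return "extended-op", KNOWN_EXTENDED_OPS[oid]
    for prefix, label in SCHEMA_PREFIXES:
        if oid.startswith(prefix):
            return "schema", label
    return "unknown", ""  # version strings, IP addresses, private arcs


def scan(blob):
    """Group every OID-looking string in blob by category."""
    report = defaultdict(list)
    for oid in extract_oids(blob):
        kind, label = classify(oid)
        report[kind].append((oid, label))
    return dict(report)


# Constructed stand-in for a binary: an ELF-like header, the strings Rich's
# `strings | grep` run showed, two more control OIDs, and a version string
# and an IP address that also look like dotted numbers.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"1.3.6.1.4.1.1466.115.121.1.34\x00"
    + b"1.3.6.1.4.1.1466.115.121.1.12\x00"
    + b"1.3.6.1.4.1.42.2.27.8.5.1\x00"
    + b"1.3.6.1.4.1.42.2.27.9.5.2\x00"
    + b"\x90\x90\xcc" + b"1.2.840.113556.1.4.319\x00"
    + b"2.16.840.1.113730.3.4.18\x00"
    + b"version 4.1.3\x00"
    + b"10.0.0.1\x00"
    + b"\xff" * 8
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_BINARY).items():
        print(kind)
        for oid, label in hits:
            print(f"  {oid:32} {label}")
```

Run it against a real file with `scan(open(path, "rb").read())`. A hit only proves the OID text is present in the binary, not that the client sends or expects that control on the wire, and a control OID can be assembled at runtime from pieces, so an absent string proves nothing either; the list narrows the search, which is all the message above asks for.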

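The access-log procedure from the quoted part of the thread (find the last failed request in /var/log/dirsrv/slapd-REALM-NAME/access and replay it with ldapsearch), as an added Python example that is not code from the thread, from FreeIPA or from 389-ds. It pairs every request line with its RESULT line by (conn, op), flags operations with a non-zero err or a notes= annotation, and builds the ldapsearch command line that repeats a search with the same base, scope, filter and attribute list. The first connection in the sample log re-joins the lines posted above; the second connection, the service account DN and the ldap:// URI are constructed.

```python
"""Pair every operation in a 389-ds (FreeIPA) access log with its RESULT,
flag the ones that failed or carry notes, and emit the ldapsearch command
that replays a search.  Added example for this thread, not FreeIPA or
389-ds code.  conn=30 below re-joins the log lines posted in the thread;
conn=31, the service account DN and the ldap:// URI are constructed.
"""
import re
import shlex

HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
KEYVAL = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SCOPE_NAMES = {"0": "base", "1": "one", "2": "sub"}
# notes= letters on a RESULT line, as 389-ds defines them.
NOTES = {"U": "unindexed search", "P": "simple paged results control used"}


def parse_line(line):
    """Split one access-log line into timestamp, conn, op, verb and fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if " closed" in rest:          # "fd=99 closed - U1" has no verb of its own
        verb, tail = "CLOSED", rest
    else:
        verb, _, tail = rest.partition(" ")
    fields = {k: (v[1:-1] if v.startswith('"') else v)
              for k, v in KEYVAL.findall(tail)}
    return {"ts": m.group("ts"), "conn": int(m.group("conn")),
            "op": None if m.group("op") is None else int(m.group("op")),
            "verb": verb, "fields": fields}


def pair_operations(lines):
    """One record per (conn, op): the request event plus err/nentries/notes."""
    ops = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] is None:
            continue
        rec = ops.setdefault((ev["conn"], ev["op"]),
                             {"conn": ev["conn"], "op": ev["op"], "request": None,
                              "err": None, "nentries": 0, "notes": []})
        if ev["verb"] == "RESULT":
            rec["err"] = int(ev["fields"].get("err", "-1"))
            rec["nentries"] = int(ev["fields"].get("nentries", "0"))
            rec["notes"] = [NOTES.get(c, "note " + c)
                            for c in ev["fields"].get("notes", "").split(",") if c]
        elif ev["verb"] != "CLOSED":
            rec["request"] = ev
    return list(ops.values())


def failed_or_noted(records):
    """Operations worth a closer look: non-zero err, or any notes= annotation."""
    return [r for r in records if r["err"] not in (None, 0) or r["notes"]]


def bind_dn_for_conn(records, conn):
    """DN the client bound as on this connection (None for anonymous)."""
    for r in records:
        req = r["request"]
        if r["conn"] == conn and req and req["verb"] == "BIND":
            return req["fields"].get("dn") or None
    return None


def ldapsearch_for(record, uri="ldap://ipa.example.test", binddn=None):
    """Command line replaying a SRCH record's base, scope, filter and attrs."""
    req = record["request"]
    if req is None or req["verb"] != "SRCH":
        raise ValueError("record is not a search operation")
    f = req["fields"]
    cmd = ["ldapsearch", "-x", "-H", uri]
    if binddn:
        cmd += ["-D", binddn, "-W"]
    cmd += ["-b", f["base"], "-s", SCOPE_NAMES.get(f.get("scope", "2"), "sub"),
            f["filter"]]
    cmd += f.get("attrs", "").split()
    return shlex.join(cmd)


# Constructed sample log.  conn=30: the thread's lines, re-joined.
# conn=31: a one-level search under a base that does not exist (err=32).
SAMPLE_LOG = """\
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128 version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH base="cn=users,cn=compat,dc=server,dc=local" scope=2 filter="(objectClass=inetOrgPerson)" attrs="uid description givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
[06/Mar/2015:21:52:40 +0700] conn=31 op=0 BIND dn="uid=svc-vcenter,cn=users,cn=accounts,dc=server,dc=local" method=128 version=3
[06/Mar/2015:21:52:40 +0700] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[06/Mar/2015:21:52:40 +0700] conn=31 op=1 SRCH base="cn=groups,cn=compat,dc=server,dc=local" scope=1 filter="(cn=vsphere-admins)" attrs="cn memberUid"
[06/Mar/2015:21:52:40 +0700] conn=31 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[06/Mar/2015:21:52:40 +0700] conn=31 op=2 UNBIND
"""

if __name__ == "__main__":
    records = pair_operations(SAMPLE_LOG.splitlines())
    for r in failed_or_noted(records):
        print(f"conn={r['conn']} op={r['op']} err={r['err']} notes={r['notes']}")
        if r["request"] and r["request"]["verb"] == "SRCH":
            print("  replay:", ldapsearch_for(r, binddn=bind_dn_for_conn(records, r["conn"])))
```

Two caveats when using the replay. The generated command repeats base, scope, filter and attributes only; the access log does not record which request controls the client attached, so a plain ldapsearch can succeed where the client's request did not. The one control the log does hint at is paged results: notes=P on the thread's SRCH line means the server saw the simple paged results control on that search, and OpenLDAP's ldapsearch can add it with `-E pr=<size>/noprompt` if you want the replay to be closer to what the client sent. Also, the BIND dn on conn=30 is under cn=compat while the RESULT reports the entry under cn=accounts, which is the compat tree mapping the bind to the real user entry; replay with the DN the client used, not the one the server reported.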
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150306/1d3feea8/attachment.htm>