[Freeipa-users] FreeIPA and vSphere

Serhii Honchar heralt at gmail.com
Wed Dec 14 16:34:35 UTC 2016 

Alexander,
as per RFC2696 in such case:
---

If the server does not support this control, the server
   MUST return an error of unsupportedCriticalExtension if the client
   requested it as critical,

---
So  in case slapi-nis plugin doesn't support "paged results control", it is
quite incorrect to absolutely ignore control regardless of their
"criticality". To comply with RFC2696 slapi-nis plugin shall reply
with "unsupportedCriticalExtension"
error in such cases. Am i right?


ср, 14 груд. 2016 о 18:24 Alexander Bokovoy <abokovoy at redhat.com> пише:

> On ke, 14 joulu 2016, Serhii Honchar wrote:
> >Hello,
> >
> >trying to get vSphere authenticate users using FreeIPA.
> >I've made scheme changes as recommended in howto
> >http://www.freeipa.org/page/HowTo/vsphere5_integration.
> >But then faced following issue:
> >Vsphere using "pagedResultsControl" and sets it's criticality to "True" on
> >all it's requests to LDAP server:
> >---
> >Lightweight Directory Access Protocol
> >    LDAPMessage searchRequest(2) "cn=users,cn=compat,dc=XXX,dc=XXX"
> >wholeSubtree
> >        messageID: 2
> >        protocolOp: searchRequest (3)
> >        [Response In: 17]
> > *       controls: 1 item *
> >*            Control *
> >*                controlType: 1.2.840.113556.1.4.319
> (pagedResultsControl) *
> >*                criticality: True *
> >*                SearchControlValue *
> >*                    size: 100 *
> >*                    cookie: <MISSING> *
> >---
> >
> >When requesting from "cn=accounts" subtree things go ok, and reply also
> >contain "pagedResultsControl" block:
> >---
> >Lightweight Directory Access Protocol
> >    LDAPMessage searchResDone(2) success [1 result]
> >        messageID: 2
> >        protocolOp: searchResDone (5)
> >            searchResDone
> >                resultCode: success (0)
> >                matchedDN:
> >                errorMessage:
> >        [Response To: 15]
> >        [Time: 0.065699000 seconds]
> >  *      controls: 1 item*
> >*            Control*
> >*                controlType: 1.2.840.113556.1.4.319
> (pagedResultsControl)*
> >*                SearchControlValue*
> >*                    size: 0*
> >*                    cookie: <MISSING>*
> >---
> >and vSphere accepts the results of such queries without any problem,
> except
> >the fact that there are no some required attributes in objects in this
> >subtree.
> >
> >But on same requests to "cn=compat" subtree (where all required attributes
> >added) something goest wrong, and replies doesn't contain
> >"pagedResultsControl" block (the result set itself is identical, absence
> of
> >controls block is only difference) :
> That's correct because slapi-nis plugin does not support paged results
> control for the virtual subtree.
>
> --
> / Alexander Bokovoy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161214/1ca97647/attachment.htm>

More information about the Freeipa-users mailing list