[Freeipa-users] FreeIPA and vSphere

Serhii Honchar heralt at gmail.com
Wed Dec 14 15:59:02 UTC 2016


Hello,

trying to get vSphere to authenticate users using FreeIPA.
I've made schema changes as recommended in the howto
http://www.freeipa.org/page/HowTo/vsphere5_integration.
But then I faced the following issue:
vSphere uses "pagedResultsControl" and sets its criticality to "True" on
all its requests to the LDAP server:
---
Lightweight Directory Access Protocol
    LDAPMessage searchRequest(2) "cn=users,cn=compat,dc=XXX,dc=XXX"
wholeSubtree
        messageID: 2
        protocolOp: searchRequest (3)
        [Response In: 17]
        controls: 1 item
            Control
                controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)
                criticality: True
                SearchControlValue
                    size: 100
                    cookie: <MISSING>
---

When requesting from the "cn=accounts" subtree things go OK, and the reply also
contains a "pagedResultsControl" block:
---
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(2) success [1 result]
        messageID: 2
        protocolOp: searchResDone (5)
            searchResDone
                resultCode: success (0)
                matchedDN:
                errorMessage:
        [Response To: 15]
        [Time: 0.065699000 seconds]
        controls: 1 item
            Control
                controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)
                SearchControlValue
                    size: 0
                    cookie: <MISSING>
---
and vSphere accepts the results of such queries without any problem, except
for the fact that some required attributes are missing from the objects in this
subtree.

But on the same requests to the "cn=compat" subtree (where all required attributes
are added) something goes wrong, and the replies don't contain a
"pagedResultsControl" block (the result set itself is identical; the absence of
the controls block is the only difference):
---
Lightweight Directory Access Protocol
    LDAPMessage searchResDone(2) success [1 result]
        messageID: 2
        protocolOp: searchResDone (5)
        [Response To: 15]
        [Time: 0.001349000 seconds]
---

Thus vSphere doesn't accept the results of queries to the "cn=compat" subtree
regardless of their results.
Such behavior also seems to violate RFC 2696, which states:
---

   If the server does not support this control, the server
   MUST return an error of unsupportedCriticalExtension if the client
   requested it as critical, otherwise the server SHOULD ignore the
   control. The remainder of this section assumes the server does not
   ignore the client's pagedResultsControl.

   Each time the server returns a set of results to the client when
   processing a search request containing the pagedResultsControl, the
   server includes the pagedResultsControl control in the
   searchResultDone message.

---

Please help me to find the answers to the following questions:
1) Why do the replies to requests to the "cn=compat" subtree not contain a
controls block?
2) Is it possible to configure ns-slapd/slapi-nis to force replies to
queries to the "cn=compat" subtree either to return an unsupportedCriticalExtension
or to contain a valid control block when the request contains
controls with "criticality" set to "True"?