Michal Rejda wrote:
> Michal Rejda wrote:
>
>>> Michal Rejda wrote:
>>>
>>>
>>>>> -----Original Message-----
>>>>> From: fedora-directory-users-bounces(a)redhat.com [mailto:fedora-
>>>>> directory-users-bounces(a)redhat.com] On Behalf Of Rich Megginson
>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>> To: General discussion list for the Fedora Directory server
>>>>>
> project.
>
>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>
>>>>> Michal Rejda wrote:
>>>>>
>>>>>
>>>>>
>>>>>> I tried to use
http://tinyurl.com/culeft. But the database link
>>>>>>
>>>>>>
>>>>>>
>>>>> doesn't work. I setup the database link to the Active Directory
>>>>>
> (and
>
>>>>> OpenLDAP). When I looked into Wireshark log, FDS send search
>>>>>
> request
>
>>>>> with controls:
>>>>>
>>>>>
>>>>>
>>>>>> 2.16.840.1.113730.3.4.2
>>>>>> 2.16.840.1.113730.3.4.12
>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>
>>>>>> I tried to remove this two controls from Database Link Settings
>>>>>>
> (in
>
>>>>>>
>>>>> administration console) but it didn't help. The server
didn't
>>>>>
> return
>
>>>>> the message above, but the administrative console show error
>>>>>
> dialog.
>
>>>>> What error?
>>>>>
>>>>>
>>>>>
>>>> I tried it again and the error message is exactly:
>>>>
>>>> Error fading object 'dn: dc=example, dc=com'.
>>>> The error send by the server was:
>>>> ".
>>>>
>>>> In the Whireshark log was still the search request witch control:
>>>> 2.16.840.1.113730.3.4.2
>>>>
>>>> Why is this control needed by the server when I removed it from
>>>>
>>>>
>>> Database link settings?
>>>
>>> I'm not sure - maybe the console is not working correctly. Try this:
>>> 1) Shutdown the server
>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>> 3) edit dse.ldif - look for the entry
>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>> 4) edit the nsTransmittedControls attribute - remove
>>> 2.16.840.1.113730.3.4.2
>>> 5) save and restart the server
>>>
>>>
>> I looked into dse.ldif for a nsTransmittedControls attribute. There
>>
> is only the 1.3.6.1.4.1.1466.29539.12. , not the problematic
> 2.16.840.1.113730.3.4.2.
>
>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>
> If it is, I don't see it. There is no mention of managedsa or
> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only
> place it is mentioned is in the default list of nsTransmittedControls
> in
> the template-dse.ldif used during new instance creation.
>
>> Why is this so necessary?
>>
>>
> It's not necessary, and I'm not sure where it is coming from. Once
> place
> might be an internal operation, but I'm not sure what internal
> operation
> would be doing this. You might also try to remove
> nsActiveChainingComponents and nsPossibleChainingComponents to see if
> one of those components is doing an internal operation with managedsait
> set.
>
I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't
help.
Then I'm not sure where it's coming from. I suppose you could enable
tracing in the directory server and see if there is anything interesting
in the error log - see
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>>>> Michal Rejda wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I’m trying to setup proxy on FDS to another LDAP server
>>>>>>>>
> (OpenLDAP
>
>>>>>>>> and Active Directory). I tried two ways, but none of
these
>>>>>>>>
> works:
>
>>>>>>>> 1) New database link to LDAP server.
>>>>>>>>
>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null.
manageDSAit
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> control
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> value not found
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> You might have to tweak the controls used by chaining - see
>>>>>>>
http://tinyurl.com/culeft
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> 2) Create multiple-master replication and setup other
server as
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> consumer.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> - But this show error: 255 Replication error acquiring
replica:
>>>>>>>> unknown error.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Replication will only work to a SunDS, not to any other
vendor.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> My question is: Is there way how to setup proxy to
access
>>>>>>>>
> another
>
>>>>>>>>
>>>>>>>>
>>>>>>> LDAP
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> server from Fedora DS? I know that is possible to use AD
sync,
>>>>>>>>
>>>>>>>>
>>> but
>>>
>>>
>>>>> I
>>>>>
>>>>>
>>>>>
>>>>>>>> cannot install anything on the AD server. The second
reason why
>>>>>>>>
> I
>
>>>>>>>>
>>>>>>>>
>>>>>>> need
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> to setup proxy is to use data stored in LDAP server
(OpenLDAP,
>>>>>>>> Open Direcoty Server and Active Directory) in one place.
I need
>>>>>>>>
>>>>>>>>
>>> to
>>>
>>>
>>>>> update
>>>>>
>>>>>
>>>>>
>>>>>>>> them too. It is not necessary to synchronize passwords.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> See also
>>>>>>>
>>>>>>>
>
http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>
>>>>>>>
>>>>>>>
>>>>>>>> Thank you for reply.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Michal
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users