[Fedora-directory-users] LDAP proxy

Michal Rejda mrejda at kerio.com
Fri Apr 17 10:13:05 UTC 2009 

> Michal Rejda wrote:
> >> Michal Rejda wrote:
> >>
> >>>> -----Original Message-----
> >>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-
> >>>> directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> >>>> Sent: Tuesday, April 14, 2009 4:25 PM
> >>>> To: General discussion list for the Fedora Directory server
> project.
> >>>> Subject: Re: [Fedora-directory-users] LDAP proxy
> >>>>
> >>>> Michal Rejda wrote:
> >>>>
> >>>>
> >>>>> I tried to use http://tinyurl.com/culeft. But the database link
> >>>>>
> >>>>>
> >>>> doesn't work. I setup the database link to the Active Directory
> (and
> >>>> OpenLDAP). When I looked into Wireshark log, FDS send search
> request
> >>>> with controls:
> >>>>
> >>>>
> >>>>> 	2.16.840.1.113730.3.4.2
> >>>>> 	2.16.840.1.113730.3.4.12
> >>>>> And the AD server responded: Unavailable Critical Extension.
> >>>>>
> >>>>> I tried to remove this two controls from Database Link Settings
> (in
> >>>>>
> >>>>>
> >>>> administration console) but it didn't help. The server didn't
> return
> >>>> the message above, but the administrative console show error
> dialog.
> >>>>
> >>>> What error?
> >>>>
> >>>>
> >>> I tried it again and the error message is exactly:
> >>>
> >>> Error fading object 'dn: dc=example, dc=com'.
> >>> The error send by the server was:
> >>> ".
> >>>
> >>> In the Whireshark log was still the search request witch control:
> >>> 	2.16.840.1.113730.3.4.2
> >>>
> >>> Why is this control needed by the server when I removed it from
> >>>
> >> Database link settings?
> >>
> >> I'm not sure - maybe the console is not working correctly. Try this:
> >> 1) Shutdown the server
> >> 2) cd /etc/dirsrv/slapd-yourinstance
> >> 3) edit dse.ldif - look for the entry
> >> dn: cn=config,cn=chaining database,cn=plugins,cn=config
> >> 4) edit the nsTransmittedControls attribute - remove
> >> 2.16.840.1.113730.3.4.2
> >> 5) save and restart the server
> >>
> >
> > I looked into dse.ldif for a nsTransmittedControls attribute. There
> is only the 1.3.6.1.4.1.1466.29539.12. , not the problematic
> 2.16.840.1.113730.3.4.2.
> > Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
> If it is, I don't see it. There is no mention of managedsa or
> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only
> place it is mentioned is in the default list of nsTransmittedControls
> in
> the template-dse.ldif used during new instance creation.
> > Why is this so necessary?
> >
> It's not necessary, and I'm not sure where it is coming from. Once
> place
> might be an internal operation, but I'm not sure what internal
> operation
> would be doing this. You might also try to remove
> nsActiveChainingComponents and nsPossibleChainingComponents to see if
> one of those components is doing an internal operation with managedsait
> set.

I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't  help.

> >
> >>>>>> Michal Rejda wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> Hi all,
> >>>>>>>
> >>>>>>> I’m trying to setup proxy on FDS to another LDAP server
> (OpenLDAP
> >>>>>>> and Active Directory). I tried two ways, but none of these
> works:
> >>>>>>>
> >>>>>>> 1) New database link to LDAP server.
> >>>>>>>
> >>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> control
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> value not found
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> You might have to tweak the controls used by chaining - see
> >>>>>> http://tinyurl.com/culeft
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> 2) Create multiple-master replication and setup other server as
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> consumer.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> - But this show error: 255 Replication error acquiring replica:
> >>>>>>> unknown error.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> Replication will only work to a SunDS, not to any other vendor.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> My question is: Is there way how to setup proxy to access
> another
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> LDAP
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> server from Fedora DS? I know that is possible to use AD sync,
> >>>>>>>
> >> but
> >>
> >>>> I
> >>>>
> >>>>
> >>>>>>> cannot install anything on the AD server. The second reason why
> I
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> need
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> to setup proxy is to use data stored in LDAP server (OpenLDAP,
> >>>>>>> Open Direcoty Server and Active Directory) in one place. I need
> >>>>>>>
> >> to
> >>
> >>>> update
> >>>>
> >>>>
> >>>>>>> them too. It is not necessary to synchronize passwords.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> See also
> >>>>>>
> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> Thank you for reply.
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>> Michal
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >
> >
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>

More information about the 389-users mailing list