[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Giovanni Mancuso suuuper at messinalug.org
Wed Jul 15 22:36:38 UTC 2009


Rich Megginson wrote:
> Giovanni Mancuso wrote:
>> Hi,
>>
>> I am trying to configure 2 Directory Servers with a DB link.
>>
>> I have a first DS that points to a second DS that has the DB in the filesystem.
>>
>> I create a proxy user in the second DS:
>>
>> # tproxy, config
>> dn: uid=tproxy,cn=config
>> uid: tproxy
>> givenName: test
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetorgperson
>> sn: proxy
>> cn: test proxy
>> userPassword:: *********************************************
>>
>> and I create in the first DS the "Database link" that uses this user to
>> bind to the second DS.
>>
>> In the second DS I add the following aci:
> What entry did you add this aci to?
I added the aci to the root suffix (dc=example,dc=com)
>>
>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
>> 3.0;acl "AciChepermettetutto";allow (all)(userdn =
>> "ldap:///uid=tproxy,cn=config");)
> you should not need this aci
OK, I deleted this aci.
>
>>
>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
>> 3.0;acl "proxy acl";allow (proxy)(userdn =
>> "ldap:///uid=tproxy,cn=config");)
> This is the correct aci
>>
>> But if I try to execute the ldapsearch in the first directory server I
>> have the following error:
> proxy does not currently work with directory manager.  Directory
> manager is considered a "local" user to each directory server.  Try a
> different user.
Now, I created a new user in the first DS:

dn: uid=ttestuser,cn=config
uid: testuser
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: user
cn: test user
userPassword: *********

And if I try to run ldapsearch with this user it works:

ldapsearch -LLL -s base -h localhost -x -p 20389 -D
"uid=ttestuser,cn=config" -w ********* -b "dc=example,dc=com"
"(objectclass=*)"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

The problem now is if I try to execute an add in the first directory server.

I created the following ldif:

cat /tmp/tempuser.ldif
dn: uid=conaltroustente,node=testgio,dc=example,dc=com
uid: conaltroustente
givenName: conaltroustente
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: dsdsds
cn: pippopidddssd dsdsds

And I try to run:

ldapmodify -a -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w
*********** -f /tmp/tempuser.ldif
adding new entry "uid=conaltroustente,node=testgio,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry
'uid=conaltroustente,node=testgio,dc=example,dc=com'.

Any ideas??

>>
>> ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w
>> ********* -b "dc=example,dc=com" "(objectclass=*)"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=example,dc=com> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 53 Server is unwilling to perform
>> text: Proxy dn should not be rootdn
>>
>> # numResponses: 1
>>
>> If I enable verbose logging, in my error log I have:
>>
>> [15/Jul/2009:18:44:47 +0200] - activity on 65r
>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:47 +0200] - read activity on 65
>> [15/Jul/2009:18:44:47 +0200] - add_pb
>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>> [15/Jul/2009:18:44:47 +0200] - get_pb
>> [15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
>> [15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
>> [15/Jul/2009:18:44:47 +0200] - do_search
>> [15/Jul/2009:18:44:47 +0200] - => get_filter_internal
>> [15/Jul/2009:18:44:47 +0200] - PRESENT
>> [15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
>> [15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
>> [15/Jul/2009:18:44:47 +0200] get_filter -  after optimize: (objectClass=*)
>> [15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
>> [15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
>> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for
>> 1.3.6.1.4.1.42.2.27.8.5.1)
>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
>> 2.16.840.1.113730.3.4.3)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
>> 2.16.840.1.113730.3.4.20)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
>> 2.16.840.1.113730.3.4.14)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
>> 1.3.6.1.4.1.42.2.27.9.5.2)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>> [15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit()
>> conn=0xb1557cb8, handle=2
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit()
>> returning NO VALUE
>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit()
>> conn=0xb1557cb8, handle=1
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit()
>> returning NO VALUE
>> [15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000,
>> timelimit=3600
>> [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1
>> type 403
>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for
>> 2.16.840.1.113730.3.4.12)
>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
>> [15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn
>> should not be rootdn
>> [15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
>> [15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
>> [15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
>> [15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit()
>> conn=0xb1557d68, handle=3
>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit()
>> returning NO VALUE
>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit()
>> conn=0xb1557cb8, handle=3
>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit()
>> returning NO VALUE
>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit()
>> conn=0xb1557c08, handle=3
>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit()
>> returning NO VALUE
>> [15/Jul/2009:18:44:49 +0200] - listener got signaled
>> [15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293
>> (scheduled for 1247676293)
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>>
>> The problem seems to be the "ACL preoperation" plugin. Indeed if I disable
>> this plugin, it WORKS.
>> But I cannot disable this plugin.
>>
>> Any ideas to solve the problem??
>>
>> Thanks and sorry in advance for my bad English
>> //
>>
>> ------------------------------------------------------------------------
>>
>> -- 
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
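Added example, not code from the thread or from 389 DS itself: a small Python checker that parses ACI strings in the syntax shown above (target, acl name, allow/deny, rights, userdn) and reports which of them grant a given right on a given entry to a given bind DN, so you can see what the proxy user and the real user are actually allowed before retrying the chained add. It is a deliberately simplified evaluator (one target, one allow/deny clause, a userdn bind rule only; no targetfilter, groupdn, or other bind rules) and uses the two ACIs quoted in the thread as constructed input.

```python
import re
from collections import namedtuple

# Constructed input: the two ACIs quoted in the thread, as placed on the
# dc=example,dc=com entry of the second (chained-to) server.
SAMPLE_ACIS = [
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
    'acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)',
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
    'acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)',
]

# Simplified grammar: one target, one allow/deny clause, one userdn bind rule.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\).*?acl\s+"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(userdn\s*=\s*"ldap:///(?P<userdn>[^"]+)"\)')
# target: normalised DN the ACI covers (that entry and its subtree);
# rights: e.g. {"proxy"} or {"all"}; userdn: normalised bind DN or "all"/"anyone".
Aci = namedtuple("Aci", "name target allow rights userdn")

def norm_dn(dn):
    """Lower-case and strip whitespace around RDN separators for comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())

def parse_aci(text):
    m = ACI_RE.search(text)
    if m is None:
        raise ValueError("ACI outside the simplified grammar: " + text)
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    return Aci(m.group("name"), norm_dn(m.group("target")),
               m.group("perm") == "allow", rights, norm_dn(m.group("userdn")))

def grants(acis, bind_dn, right, entry_dn):
    """Names of ACIs allowing `right` on `entry_dn` to `bind_dn`.
    Any matching deny wins over allows, as in 389 DS."""
    bind_dn, entry_dn = norm_dn(bind_dn), norm_dn(entry_dn)
    allowed, denied = [], False
    for a in acis:
        in_scope = entry_dn == a.target or entry_dn.endswith("," + a.target)
        user_ok = a.userdn in ("all", "anyone") or a.userdn == bind_dn
        if not (in_scope and user_ok and (right in a.rights or "all" in a.rights)):
            continue
        if a.allow:
            allowed.append(a.name)
        else:
            denied = True
    return [] if denied else allowed

ACIS = [parse_aci(s) for s in SAMPLE_ACIS]
```

With only the "proxy acl" left in place, `grants(ACIS[1:], "uid=ttestuser,cn=config", "add", "uid=x,node=testgio,dc=example,dc=com")` returns an empty list, which is the kind of gap worth ruling out when the chained add comes back with "Insufficient 'add' privilege".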
