[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Rich Megginson rmeggins at redhat.com
Wed Jul 15 22:50:01 UTC 2009


Giovanni Mancuso wrote:
> Rich Megginson wrote:
>> Giovanni Mancuso wrote:
>>> Hi,
>>>
>>> I am trying to configure 2 Directory Servers with a db link.
>>>
>>> I have a first DS that points to a second DS that has the DB in the filesystem.
>>>
>>> I create a proxy user in the second DS:
>>>
>>> # tproxy, config
>>> dn: uid=tproxy,cn=config
>>> uid: tproxy
>>> givenName: test
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetorgperson
>>> sn: proxy
>>> cn: test proxy
>>> userPassword:: *********************************************
>>>
>>> and I create in the first DS the "Database link" that uses this user to 
>>> bind to the second DS.
>>>
>>> In the second DS I add the following aci:
>> What entry did you add this aci to?
> I add the aci to the root suffix (dc=example,dc=com)
Ok
>>>
>>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 
>>> 3.0;acl "AciChepermettetutto";allow (all)(userdn = 
>>> "ldap:///uid=tproxy,cn=config");)
>> you should not need this aci
> Ok, I delete this aci.
>>
>>>
>>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 
>>> 3.0;acl "proxy acl";allow (proxy)(userdn = 
>>> "ldap:///uid=tproxy,cn=config");)
>> This is the correct aci
>>>
>>> But if I try to execute the ldapsearch in the first directory server I 
>>> have the following error:
>> proxy does not currently work with directory manager.  Directory 
>> manager is considered a "local" user to each directory server.  Try a 
>> different user.
> Now, I create a new user in the first DS:
By first DS do you mean the DS with the "real" database or the DS with 
the database link?  We also refer to the DS with the "real" database as 
the "remote" DS and the DS with the database link as the "local" DS.
>
> dn: uid=ttestuser,cn=config
> uid: testuser
> givenName: test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: user
> cn: test user
> userPassword: *********
>
> And if I try to run ldapsearch with this user, it works:
>
> ldapsearch -LLL -s base -h localhost -x -p 20389 -D 
> "uid=ttestuser,cn=config" -w ********* -b "dc=example,dc=com" 
> "(objectclass=*)"
> dn: dc=example,dc=com
> dc: example
> objectClass: top
> objectClass: domain
>
> The problem now is if I try to execute an add in the first directory server.
>
> I create the following ldif:
>
> cat /tmp/tempuser.ldif
> dn: uid=conaltroustente,node=testgio,dc=example,dc=com
> uid: conaltroustente
> givenName: conaltroustente
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: dsdsds
> cn: pippopidddssd dsdsds
>
> And I try to run:
>
> ldapmodify -a -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w 
> *********** -f /tmp/tempuser.ldif
> adding new entry "uid=conaltroustente,node=testgio,dc=example,dc=com"
> ldap_add: Insufficient access (50)
>         additional info: Insufficient 'add' privilege to add the entry 
> 'uid=conaltroustente,node=testgio,dc=example,dc=com'.
>
> Any ideas??
Did you add an ACI to allow the uid=ttestuser,cn=config to add entries 
under node=testgio,dc=example,dc=com?
>
>>>
>>> ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w 
>>> ********* -b "dc=example,dc=com" "(objectclass=*)"
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=example,dc=com> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 53 Server is unwilling to perform
>>> text: Proxy dn should not be rootdn
>>>
>>> # numResponses: 1
>>>
>>> If I enable verbose logging in my error log I have:
>>>
>>> [15/Jul/2009:18:44:47 +0200] - activity on 65r
>>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
>>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>>> [15/Jul/2009:18:44:47 +0200] - read activity on 65
>>> [15/Jul/2009:18:44:47 +0200] - add_pb
>>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
>>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
>>> [15/Jul/2009:18:44:47 +0200] - get_pb
>>> [15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
>>> [15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
>>> [15/Jul/2009:18:44:47 +0200] - do_search
>>> [15/Jul/2009:18:44:47 +0200] - => get_filter_internal
>>> [15/Jul/2009:18:44:47 +0200] - PRESENT
>>> [15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
>>> [15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
>>> [15/Jul/2009:18:44:47 +0200] get_filter -  after optimize: (objectClass=*)
>>> [15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
>>> [15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
>>> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
>>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
>>> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 
>>> 1.3.6.1.4.1.42.2.27.8.5.1)
>>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
>>> [15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
>>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
>>> 2.16.840.1.113730.3.4.3)
>>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
>>> 2.16.840.1.113730.3.4.20)
>>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
>>> 2.16.840.1.113730.3.4.14)
>>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
>>> 1.3.6.1.4.1.42.2.27.9.5.2)
>>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
>>> [15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
>>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() 
>>> conn=0xb1557cb8, handle=2
>>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() 
>>> returning NO VALUE
>>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() 
>>> conn=0xb1557cb8, handle=1
>>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() 
>>> returning NO VALUE
>>> [15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, 
>>> timelimit=3600
>>> [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 
>>> type 403
>>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 
>>> 2.16.840.1.113730.3.4.12)
>>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
>>> [15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn 
>>> should not be rootdn
>>> [15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
>>> [15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
>>> [15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
>>> [15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
>>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() 
>>> conn=0xb1557d68, handle=3
>>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() 
>>> returning NO VALUE
>>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() 
>>> conn=0xb1557cb8, handle=3
>>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() 
>>> returning NO VALUE
>>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() 
>>> conn=0xb1557c08, handle=3
>>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() 
>>> returning NO VALUE
>>> [15/Jul/2009:18:44:49 +0200] - listener got signaled
>>> [15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 
>>> (scheduled for 1247676293)
>>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
>>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
>>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
>>>
>>> The problem seems to be the "ACL preoperation" plugin. Indeed, if I disable 
>>> this plugin, it WORKS.
>>> But i cannot disable this plugin.
>>>
>>> Any ideas to solve the problem??
>>>
>>> Thanks and sorry in advance for my bad English
>>> //
>>>
>>> ------------------------------------------------------------------------ 
>>>
>>>
>>> -- 
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>   

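The ACI set-up this thread converges on, written out as an added LDIF example that is not from any of the posts: on the remote DS (the one holding the real database) the proxy user gets only the proxy right over the suffix, and the proxied identity that the chaining DS forwards (uid=ttestuser,cn=config) gets an explicit add right under node=testgio. The ACI names, the host/port placeholders and the choice to put the add ACI on the suffix with a narrower target are my assumptions.

```ldif
# Constructed example. Apply on the REMOTE DS (the one with the real
# database), e.g.:
#   ldapmodify -x -h <remote-host> -p <remote-port> -D "cn=Directory Manager" -W -f aci.ldif
#
# 1) Proxy right only: lets the database link's bind user act on behalf
#    of the client DN it forwards via the proxied authorization control.
#    No (all) grant is needed for the proxy user itself.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0; acl "proxy acl"; allow (proxy) (userdn = "ldap:///uid=tproxy,cn=config");)
-
# 2) The proxied client DN still needs its own rights on the remote DS;
#    grant only add, and only under the subtree the chained add targets.
add: aci
aci: (targetattr = "*") (target = "ldap:///node=testgio,dc=example,dc=com") (version 3.0; acl "chained add under testgio"; allow (add) (userdn = "ldap:///uid=ttestuser,cn=config");)
```

The client bound to the chaining DS must be a regular user, not cn=Directory Manager: the remote DS rejects a proxied rootdn with result 53 "Proxy dn should not be rootdn", as the error log above shows.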