[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
Roberto Polli
rpolli at babel.it
Wed Jul 29 16:04:27 UTC 2009
On Wednesday 29 July 2009 16:11:02 Roberto Polli wrote:
> now I'm tcpdumping, but really strange
tcpdump says the requests made by the local to the remote are almost identical
both contains the user proxied (uid=admin)
both contains the controls (proxy and loop detection)
2.16.840.1.113730.3.4.12
1.3.6.1.4.1.1466.29539.12
packages are:
fedora-ds-1.1.2-1.fc6
fedora-ds-base-1.1.3-2.fc6
Peace,
R.
>
> old details down.
> Peace,
> R.
>
> > Roberto Polli wrote:
> > > On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:> >>> case1)
> > >
> > >>>>> * I bind with uid=admin to the local DS tree to modify the
> > >>>>> "givenName" of a user on the remote server
> > >>>>> * the modify is successful, as the uid=admin is proxied and the
> > >>>>> "uid=admin" is replicated on the remote server
> > >>>>>
> > >>>>> case2)
> > >>>>> * same as case1 but I try to modify "userPassword"
> > >>>>> * the modify fails as the remote server won't evaluate aci on
> > >>>>> "uid=admin" but on "dn:proxyuser"
> > >>
> > >> So the user uid=admin - is that the Directory Manager (rootdn)?
> > >
> > > no
> > >
> > >> is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
> > >
> > > yes, and it can modify users' attribute, but password
> > >
> > >> Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the
> > >> local and remote servers?
> > >
> > > yes
> > >
> > >
> > > it seems that when I try to modify userPassword, the reference to
> > > uid=admin is not forwarded and only the proxyuser rights are used..
> >
> > I suppose you could turn on ACL summary logging to see what's going on.
> > http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >
> > > Peace,
> > > R.
--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
"Il seguente messaggio contiene informazioni riservate. Qualora questo
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene
notizia a mezzo e-mail. Vi sollecitiamo altresì a distruggere il messaggio
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto
della legge in materia di protezione dei dati personali."
More information about the 389-users
mailing list