[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Rich Megginson rmeggins at redhat.com
Wed Jul 29 16:09:17 UTC 2009 

Roberto Polli wrote:
> On Wednesday 29 July 2009 16:11:02 Roberto Polli wrote:
>   
>> now I'm tcpdumping, but really strange
>>     
> tcpdump says the requests made by the local to the remote are almost identical 
>
> both contains the user proxied (uid=admin)
> both contains the controls (proxy and loop detection)
> 2.16.840.1.113730.3.4.12
> 1.3.6.1.4.1.1466.29539.12 
>
> packages are:
> fedora-ds-1.1.2-1.fc6
> fedora-ds-base-1.1.3-2.fc6
>   

Does this give any useful information?  
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Database_Links.html#Creating_and_Maintaining_Database_Links-Database_Links_and_Access_Control_Evaluation
>
> Peace, 
> R.
>
>   
>> old details down.
>> Peace,
>> R.
>>
>>     
>>> Roberto Polli wrote:
>>>       
>>>> On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:> >>> case1)
>>>>
>>>>         
>>>>>>>> * I bind with uid=admin to the local DS tree to modify the
>>>>>>>> "givenName" of a user on the remote server
>>>>>>>> * the modify is successful, as the uid=admin is proxied and the
>>>>>>>> "uid=admin" is replicated on the remote server
>>>>>>>>
>>>>>>>> case2)
>>>>>>>> * same as case1 but I try to modify "userPassword"
>>>>>>>> * the modify fails as the remote server won't evaluate aci on
>>>>>>>> "uid=admin" but on "dn:proxyuser"
>>>>>>>>                 
>>>>> So the user uid=admin - is that the Directory Manager (rootdn)?
>>>>>           
>>>> no
>>>>
>>>>         
>>>>> is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
>>>>>           
>>>> yes, and it can modify users' attribute, but password
>>>>
>>>>         
>>>>> Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the
>>>>> local and remote servers?
>>>>>           
>>>> yes
>>>>
>>>>
>>>> it seems that when I try to modify userPassword, the reference to
>>>> uid=admin is not forwarded and only the proxyuser rights are used..
>>>>         
>>> I suppose you could turn on ACL summary logging to see what's going on.
>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>
>>>       
>>>> Peace,
>>>> R.
>>>>         
>
>   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20090729/7b6a203f/attachment.bin>

More information about the 389-users mailing list