Hi,

According to my experience with AD this is very hard to diagnose. AD uses "unwilling to perform" as a generic error for almost anything. Sometimes there is an AD-specific error code in the error message and that is really worth checking out. Really. Try that. But apart from this there is no way to diagnose that properly. There seems to be no reasonable logging facility on the AD server side. I've been looking for this for years and I have found nothing so far (Microsoft support is not able to help much, I've tried many times). The documentation is not very clear.

The best method so far that I have found is to find a tool that can already use this control. Then use a packet sniffer and compare the data from the tool that works with the data produced by your code. I mean real byte-by-byte comparison. The differences will usually point you to the things that are wrong.

--
Radovan Semancik
Software Architect
evolveum.com



On 09/08/2017 04:11 PM, CRAIG BENNER wrote:
Thanks Shawn, I was going to ask that.  But I got wireshark working.  Below is the packet I'm assuming we want to see.  In concept it looks correct, but I'm not sure what the controlValue is supposed to be on the wire.

Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst: PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45, Ack: 46, Len: 229
Lightweight Directory Access Protocol
     LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local"
         messageID: 7
         protocolOp: modifyRequest (6)
             modifyRequest
                 object: cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local
                 modification: 1 item
         [Response In: 10]
         controls: 1 item
             Control
                 controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs, USA.113556.1.4.2239)
                 criticality: True
                 controlValue: 3003020101

Thanks.
Craig Benner

----- Original Message -----
From: "Shawn McKinney" <smckin...@apache.org>
To: "api" <api@directory.apache.org>
Sent: Friday, September 8, 2017 9:58:56 AM
Subject: Re: Ldap API Custom Controls

On Sep 7, 2017, at 8:41 PM, CRAIG BENNER <craig.ben...@psu.edu> wrote:

It will take some changes to get a wireshark capture, since passwords can only be managed over a secure connection.  Hopefully tomorrow I can get you the wireshark capture.
Wonder if it would be easier to just enable the API logger containing the BER 
request/response traces?  That’s typically how I debug.  Saves the trouble of 
setting up wireshark.

     <category name="org.apache.directory.api" class="org.apache.log4j.Logger" additivity="false">
         <priority value="DEBUG" class="org.apache.log4j.Level"/>
         <appender-ref ref="file"/>
     </category>


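To make the byte-by-byte comparison Radovan recommends concrete, and to answer what the controlValue in Craig's capture is on the wire, here is a small added example (not code from the thread's participants or from the Apache Directory API project). The only value taken from the thread is the captured controlValue 3003020101; decoded as BER it is a SEQUENCE of length 3 holding one INTEGER of length 1 with value 1. The thread does not name the control; MS-ADTS lists OID 1.2.840.113556.1.4.2239 as LDAP_SERVER_POLICY_HINTS_OID with a value of SEQUENCE { INTEGER flags }, which matches that shape. The encoder, decoder and comparison helper below are assumptions of this example, written so a value produced by your own code can be diffed against a reference capture and the first mismatching offset reported.

```python
"""Minimal BER/DER helpers for checking an LDAP control value byte-by-byte.

Added example for this thread, not code from the original posts or from the
Apache Directory API project. The control value below is the one quoted from
the Wireshark capture in the thread; everything else here is constructed.
"""
from __future__ import annotations

# From the capture in the thread: controlType 1.2.840.113556.1.4.2239,
# controlValue 3003020101 (hex exactly as Wireshark prints it).
CAPTURED_CONTROL_VALUE_HEX = "3003020101"


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER (tag 0x02) with a minimal body.

    A leading 0x00 is added when the top bit would otherwise be set, so that
    the value stays positive under two's-complement interpretation.
    """
    if value < 0:
        raise ValueError("only non-negative flag values are needed here")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elements: bytes) -> bytes:
    """Wrap already-encoded elements in a SEQUENCE (tag 0x30)."""
    body = b"".join(elements)
    return b"\x30" + der_length(len(body)) + body


def encode_flags_control_value(flags: int) -> bytes:
    """Encode SEQUENCE { INTEGER flags }, the shape seen in the capture."""
    return der_sequence(der_integer(flags))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one tag-length-value triple; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("unexpected end of data at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated long-form length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("length %d exceeds data at offset %d" % (length, pos))
    return tag, value, pos + length


def decode_flags_control_value(data: bytes) -> int:
    """Decode SEQUENCE { INTEGER } and return the integer, rejecting junk."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (0x30), got 0x%02x" % tag)
    if end != len(data):
        raise ValueError("trailing bytes after the SEQUENCE")
    tag, value, end = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER (0x02), got 0x%02x" % tag)
    if end != len(body):
        raise ValueError("unexpected extra element inside the SEQUENCE")
    return int.from_bytes(value, "big", signed=True)


def first_difference(expected: bytes, actual: bytes) -> int | None:
    """Byte-by-byte comparison: offset of the first mismatch, None if equal."""
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            return i
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return None


if __name__ == "__main__":
    captured = bytes.fromhex(CAPTURED_CONTROL_VALUE_HEX)
    print("captured value decodes to flags =", decode_flags_control_value(captured))
    ours = encode_flags_control_value(1)
    print("our encoding:", ours.hex(), "first difference:", first_difference(captured, ours))
    # A typical mistake: sending the bare INTEGER without the SEQUENCE wrapper.
    bare = der_integer(1)
    print("bare INTEGER:", bare.hex(), "first difference:", first_difference(captured, bare))
```

Paste the hex that Wireshark (or the API's BER trace logger) shows for the working tool into CAPTURED_CONTROL_VALUE_HEX and the hex from your own client into the comparison; an offset of 0 with a 0x02 first byte is the "forgot the SEQUENCE" case, while a later offset usually means the integer body or its length is off.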