Hi,
According to my experience with AD this is very hard to diagnose. AD is
using "unwilling to perform" as a generic error for almost anything.
Sometimes there is an AD-specific error code in the error message and
that is really worth checking out. Really. Try that. But apart from this
there is no way to diagnose that properly. There seems to be no
reasonable logging facility on the AD server side. I've been looking for this
for years and I have found nothing so far (Microsoft support is not able
to help much, I've tried many times). The documentation is not very clear.
The best method so far that I have found is to find a tool that can
already use this control. Then use a packet sniffer and compare the data
from the tool that works with the data produced by your code. I mean
real byte-by-byte comparison. The differences will usually point you to
the things that are wrong.
--
Radovan Semancik
Software Architect
evolveum.com
On 09/08/2017 04:11 PM, CRAIG BENNER wrote:
Thanks Shawn, I was going to ask that. But I got wireshark working. Below is
the packet I'm assuming we want to see. In concept it looks correct, but I'm
not sure what the controlValue is supposed to be on the wire.
Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst: PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45, Ack: 46, Len: 229
Lightweight Directory Access Protocol
    LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local"
        messageID: 7
        protocolOp: modifyRequest (6)
            modifyRequest
                object: cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local
                modification: 1 item
        [Response In: 10]
        controls: 1 item
            Control
                controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs, USA.113556.1.4.2239)
                criticality: True
                controlValue: 3003020101
Thanks.
Craig Benner
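As an added example (not code from this thread or from the Apache Directory API), the controlValue in Craig's capture decoded and rebuilt independently, so the captured bytes and the bytes your own code emits can be compared byte by byte the way Radovan suggests. It assumes the value is a BER SEQUENCE holding a single INTEGER of flags, which is what 3003020101 decodes to; the function names are hypothetical.

```python
CAPTURED_CONTROL_VALUE_HEX = "3003020101"  # controlValue from Craig's frame 9

def encode_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_integer(value: int) -> bytes:
    """BER INTEGER (tag 0x02), two's complement with a leading 0x00 when needed."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return b"\x02" + encode_length(len(body)) + body

def encode_sequence(*elements: bytes) -> bytes:
    """BER SEQUENCE (tag 0x30) wrapping already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + encode_length(len(body)) + body

def encode_policy_hints_value(flags: int) -> bytes:
    """Assumed layout SEQUENCE { flags INTEGER }; flags=1 yields 3003020101."""
    return encode_sequence(encode_integer(flags))

def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value bytes, next offset) for one BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the octet count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_policy_hints_value(raw: bytes) -> int:
    """Parse SEQUENCE { INTEGER } strictly; trailing or missing data is an error."""
    tag, body, end = decode_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("control value is not a single SEQUENCE")
    itag, ibody, iend = decode_tlv(body)
    if itag != 0x02 or iend != len(body):
        raise ValueError("SEQUENCE does not hold exactly one INTEGER")
    return int.from_bytes(ibody, "big", signed=True)

def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, None if the two are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))
```

Feed `first_difference` the bytes from the working tool's capture and the bytes your client sent; a mismatch at offset 0 usually means the SEQUENCE wrapper is missing, one further in means the flags differ.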
----- Original Message -----
From: "Shawn McKinney" <smckin...@apache.org>
To: "api" <api@directory.apache.org>
Sent: Friday, September 8, 2017 9:58:56 AM
Subject: Re: Ldap API Custom Controls
On Sep 7, 2017, at 8:41 PM, CRAIG BENNER <craig.ben...@psu.edu> wrote:
It will take some changes to get a wireshark capture, since passwords can only
be managed over a secure connection. Hopefully tomorrow I can get you the
wireshark capture.
Wonder if it would be easier to just enable the API logger containing the BER
request/response traces? That’s typically how I debug. Saves the trouble of
setting up wireshark.
<category name="org.apache.directory.api" class="org.apache.log4j.Logger" additivity="false">
    <priority value="DEBUG" class="org.apache.log4j.Level"/>
    <appender-ref ref="file"/>
</category>