On 03/06/2015 09:01 AM, Herwono W Wijaya wrote:
This is the result from:
# strings /usr/lib/openldap/slapd | grep "1.3.6.1.4"
Sorry, I should have been much more explicit about what you need to do:
1) Are you a VMWare customer with a paid support contract? If so, then
contact VMWare support - ask them which LDAP controls vCenter knows
about and which ones it can expect in an LDAP response.
2) Look for LDAP Control OIDs in the _vCenter_ code, not the openldap
code. I can't help you here - I don't have vCenter, and I have no idea
what the code/binary layout looks like on disk. For example, here is a
list of well known LDAP Control OIDs:
https://www.ldap.com/ldap-oid-reference - scroll down to OIDs for Controls
On 3/6/15 10:40 PM, Rich Megginson wrote:
On 03/06/2015 07:54 AM, Herwono W Wijaya wrote:
FreeIPA logs:
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 BIND
dn="uid=admin,cn=users,cn=compat,dc=server,dc=local" method=128
version=3
[06/Mar/2015:21:51:15 +0700] conn=30 op=0 RESULT err=0 tag=97
nentries=0 etime=0
dn="uid=admin,cn=users,cn=accounts,dc=server,dc=local"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 SRCH
base="cn=users,cn=compat,dc=server,dc=local" scope=2
filter="(objectClass=inetOrgPerson)" attrs="uid description
givenName sn mail useraccountcontrol pwdaccountlockedtime entryuuid"
[06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101
nentries=2 etime=0 notes=P
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
[06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1
vCenter SSO error:
Error: Idm client exception: Control not found
There's no error log debug level which will give us all of the
controls received by the server or all of the controls sent back by
the server. The TRACE level will give us some information.
But the problem appears to be that vCenter is expecting some
control. There is no way we can tell what control that might be by
analyzing the LDAP protocol, even with wireshark. If the vCenter
documentation does not suffice, and VMWare support is not
forthcoming, then we might be able to reverse engineer the code. For
example, search the code, if scripts, or use something like the
"strings" command on binaries, to look for well known OID prefixes.
For example, from dirsrv:
# strings /usr/lib64/lib/dirsrv/libslapd.so.0.0.0|grep "1.3.6.1.4"
1.3.6.1.4.1.1466.115.121.1.34
1.3.6.1.4.1.1466.115.121.1.12
1.3.6.1.4.1.1466.115.121.1.15
1.3.6.1.4.1.42.2.27.8.5.1
1.3.6.1.4.1.42.2.27.9.5.2
...
If we can narrow down the list of possible control OIDs that vCenter
knows about, we can perhaps figure out if 389 supports them.
On 3/6/15 8:45 PM, Herwono W Wijaya wrote:
sorry my mistake, okay I'll check slapd log files and try to figure
out what happened
On 3/6/15 8:43 PM, Martin Kosek wrote:
This is the directory on FreeIPA server that the vCenter is
authenticating users against.
On 03/06/2015 02:40 PM, Herwono W Wijaya wrote:
there is no directory "/var/log/dirsrv/" in 5.5u2b version
On 3/6/15 8:34 PM, Gianluca Cecchi wrote:
On Fri, Mar 6, 2015 at 2:12 PM, Martin Kosek <mko...@redhat.com> wrote:
Ah, I am not sure what control do they mean.
But in general, it is always interesting to check the LDAP access
logs to see the last failed request and then try the same search with
ldapsearch and fix things.
Martin
see my previous e-mail:
/var/log/dirsrv/slapd-REALM-NAME/
contains log and you will see which kind of queries vSphere is
doing.
Gianluca
--
Regards, Herwono W Wijaya https://linuxcoding.org | *VMware
vExpert 2014, 2015
<https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>*
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
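The thread's suggestion is to run `strings` over the client binary, keep the OID-looking output, and then check whether 389-ds advertises those controls. The script below is an added example that does exactly that offline; it is not code from the thread, from 389-ds, from FreeIPA or from VMware. The binary blob and the root DSE excerpt it works on are constructed for the demonstration, the host name ipa.example.test in the docstring is a placeholder, and the table of well-known control OIDs is a small subset of the ldap.com reference linked above. Syntax OIDs (the 1.3.6.1.4.1.1466.115.121.1.x values that dominate the libslapd output quoted earlier) are recognised and set aside, and version strings or IP addresses that happen to be dotted decimals are rejected by the OID arc rules.

```python
"""Hunt for LDAP control OIDs in a client binary and compare them with the
controls a 389-ds/FreeIPA server advertises in its root DSE.

Added example, not code from the thread, 389-ds or VMware. SAMPLE_BINARY
and SAMPLE_ROOT_DSE are constructed stand-ins.
"""
import re
from typing import Dict, Iterable, List, Set

# Subset of well-known control OIDs (see https://www.ldap.com/ldap-oid-reference).
KNOWN_CONTROLS: Dict[str, str] = {
    "1.2.840.113556.1.4.319": "Simple Paged Results (RFC 2696)",
    "1.2.840.113556.1.4.473": "Server Side Sort request (RFC 2891)",
    "1.2.840.113556.1.4.474": "Server Side Sort response (RFC 2891)",
    "1.2.840.113556.1.4.1413": "Permissive Modify (AD)",
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy",
    "1.3.6.1.4.1.42.2.27.9.5.2": "Get Effective Rights",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "2.16.840.1.113730.3.4.3": "Persistent Search",
    "2.16.840.1.113730.3.4.9": "Virtual List View request",
    "2.16.840.1.113730.3.4.10": "Virtual List View response",
    "2.16.840.1.113730.3.4.18": "Proxied Authorization v2 (RFC 4370)",
}
# Attribute syntaxes live under this arc; they are not controls, and they are
# most of what `strings libslapd.so | grep 1.3.6.1.4` returns.
SYNTAX_PREFIX = "1.3.6.1.4.1.1466.115.121.1."
# Dotted decimal with at least four arcs, not glued to other digits or dots.
_OID_RE = re.compile(rb"(?<![0-9.])[0-9]+(?:\.[0-9]+){3,}(?![0-9.])")


def is_plausible_oid(s: str) -> bool:
    """An OID's first arc is 0, 1 or 2; under 0 and 1 the second arc is <= 39.
    This rejects version strings and IP addresses."""
    arcs = [int(a) for a in s.split(".")]
    if arcs[0] not in (0, 1, 2):
        return False
    return not (arcs[0] < 2 and arcs[1] > 39)


def extract_oids(blob: bytes) -> Set[str]:
    """OID-shaped printable strings in a binary (what `strings | grep` gives)."""
    return {m.group(0).decode("ascii") for m in _OID_RE.finditer(blob)
            if is_plausible_oid(m.group(0).decode("ascii"))}


def classify(oid: str) -> str:
    if oid in KNOWN_CONTROLS:
        return "control: " + KNOWN_CONTROLS[oid]
    return "syntax" if oid.startswith(SYNTAX_PREFIX) else "unknown"


def parse_supported_controls(ldif: str) -> Set[str]:
    """supportedControl values from root DSE LDIF, e.g. the output of
    `ldapsearch -x -H ldap://ipa.example.test -s base -b '' supportedControl`."""
    return {line.split(":", 1)[1].strip() for line in ldif.splitlines()
            if line.startswith("supportedControl:")}


def unsupported_controls(candidates: Iterable[str], supported: Set[str]) -> List[str]:
    """Known control OIDs the client carries that the server does not advertise."""
    return sorted(o for o in candidates if o in KNOWN_CONTROLS and o not in supported)


# Constructed client binary: real OIDs mixed with a version string and an
# IP address that must NOT be reported.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"version 5.5.0.12345\x00"
    + b"1.2.840.113556.1.4.319\x00"          # paged results
    + b"1.2.840.113556.1.4.1413\x00"         # permissive modify
    + b"1.3.6.1.4.1.42.2.27.8.5.1\x00"       # password policy
    + b"1.3.6.1.4.1.1466.115.121.1.15\x00"   # Directory String syntax
    + b"2.16.840.1.113730.3.4.18\x00"        # proxied authorization v2
    + b"bind 192.168.1.10\x00"
)
# Constructed root DSE excerpt standing in for the IPA server's answer.
SAMPLE_ROOT_DSE = """dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
"""


def audit(blob: bytes, root_dse_ldif: str) -> List[str]:
    """Known controls found in the binary but missing from supportedControl."""
    return unsupported_controls(extract_oids(blob), parse_supported_controls(root_dse_ldif))


if __name__ == "__main__":
    for oid in sorted(extract_oids(SAMPLE_BINARY)):
        print(f"{oid:32} {classify(oid)}")
    print("not advertised by server:", audit(SAMPLE_BINARY, SAMPLE_ROOT_DSE))
```

Against a real target, replace SAMPLE_BINARY with the bytes of the vCenter binary or jar under inspection and SAMPLE_ROOT_DSE with the actual `ldapsearch ... -b '' supportedControl` output from the IPA server; any OID the script lists as "unknown" still needs a manual look-up, since the table only covers common controls.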