Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

Fri, 06 Mar 2015 09:29:49 -0800 

On 03/06/2015 09:39 AM, Herwono W Wijaya wrote:

vCenter SSO works well with Univention LDAP.



Then set up a wireshark session to capture traffic between vCenter SSO 
and Univention LDAP, then do the same with vCenter SSO and IPA. Then we 
can compare the TCP traffic dumps.





Here I want to make sure if FreeIPA can work with vCenter SSO, because 
I read it on this page: 
http://www.freeipa.org/page/HowTo/vsphere5_integration


And thanks for the help and answer any questions from me.
Have a nice day.

On 3/6/15 11:23 PM, Rich Megginson wrote:

On 03/06/2015 09:13 AM, Gianluca Cecchi wrote:

On Fri, Mar 6, 2015 at 4:40 PM, Rich Megginson <rmegg...@redhat.com 
<mailto:rmegg...@redhat.com>> wrote:





    [06/Mar/2015:21:51:15 +0700] conn=30 op=1 RESULT err=0 tag=101
    nentries=2 etime=0 notes=P
    [06/Mar/2015:21:51:15 +0700] conn=30 op=2 UNBIND
    [06/Mar/2015:21:51:15 +0700] conn=30 op=2 fd=99 closed - U1

    vCenter SSO error:
    Error: Idm client exception: Control not found


    There's no error log debug level which will give us all of the
    controls received by the server or all of the controls sent back
    by the server.  The TRACE level will give us some information.




Could it be that the "Control not found" somehow related with "page 
results control" as described in

https://bugzilla.redhat.com/show_bug.cgi?id=558099


Could be.



Is the "notes=P" in ipa logs a setting managed by the server or by 
the type of the query done by the client?



Yes.  It means the client is requesting a Simple Paged Search by 
using that control.



In my past IPA 3.3.3 logs I didn't find it at the end of the log 
line with nentries...



It has everything to do with the client.  The server has supported 
Simple Paged Search for a long time.  Perhaps some newer version of 
the client is requesting paged results?




Just an attempt...




One more thing - does vCenter work with another LDAP server, like 
openldap or active directory?  If so, try capturing a wireshark trace 
of a successful search operation, then capture a wireshark trace of a 
session using ipa, and we can compare them to see which controls the 
working server is sending back that ipa is not.





--
Regards,
Herwono W Wijaya

https://linuxcoding.org | *VMware vExpert 2014, 2015 
<https://communities.vmware.com/vexpert.jspa?src=vmw_so_vex_hwija_769&username=herwonowr>* 




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




























					Reply via email to