Hello, trying to get vSphere to authenticate users using FreeIPA. I've made the schema changes recommended in the howto http://www.freeipa.org/page/HowTo/vsphere5_integration. But then I faced the following issue: vSphere uses "pagedResultsControl" and sets its criticality to "True" on all its requests to the LDAP server:

---
Lightweight Directory Access Protocol
  LDAPMessage searchRequest(2) "cn=users,cn=compat,dc=XXX,dc=XXX" wholeSubtree
    messageID: 2
    protocolOp: searchRequest (3)
    [Response In: 17]
    controls: 1 item
      Control
        controlType: 1.2.840.113518.104.22.1689 (pagedResultsControl)
        criticality: True
        SearchControlValue
          size: 100
          cookie: <MISSING>
---

When requesting from the "cn=accounts" subtree things go OK, and the reply also contains a "pagedResultsControl" block:

---
Lightweight Directory Access Protocol
  LDAPMessage searchResDone(2) success [1 result]
    messageID: 2
    protocolOp: searchResDone (5)
      searchResDone
        resultCode: success (0)
        matchedDN:
        errorMessage:
    [Response To: 15]
    [Time: 0.065699000 seconds]
    controls: 1 item
      Control
        controlType: 1.2.840.113522.214.171.1249 (pagedResultsControl)
        SearchControlValue
          size: 0
          cookie: <MISSING>
---

and vSphere accepts the results of such queries without any problem, except for the fact that some required attributes are missing from the objects in this subtree. But on the same requests to the "cn=compat" subtree (where all the required attributes have been added) something goes wrong, and the replies don't contain a "pagedResultsControl" block (the result set itself is identical; the absence of the controls block is the only difference):

---
Lightweight Directory Access Protocol
  LDAPMessage searchResDone(2) success [1 result]
    messageID: 2
    protocolOp: searchResDone (5)
    [Response To: 15]
    [Time: 0.001349000 seconds]
---

Thus vSphere doesn't accept the results of queries to the "cn=compat" subtree regardless of their contents. Such behavior also seems to violate RFC 2696, which states:

---
If the server does not support this control, the server MUST return an error of unsupportedCriticalExtension if the client requested it as critical, otherwise the server SHOULD ignore the control. The remainder of this section assumes the server does not ignore the client's pagedResultsControl. Each time the server returns a set of results to the client when processing a search request containing the pagedResultsControl, the server includes the pagedResultsControl control in the searchResultDone message.
---

Please help me find the answers to the following questions:

1) Why don't the replies to requests for the "cn=compat" subtree contain a controls block?
2) Is it possible to configure ns-slapd/slapi-nis to force replies to queries for the "cn=compat" subtree either to return unsupportedCriticalExtension or to contain a valid control block when the request contains a control with "criticality" set to "True"?
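The following is an added example, not part of the post above and not FreeIPA or 389-ds code. It encodes the RFC 2696 pagedResultsControl (BER, using the RFC's own OID 1.2.840.113556.1.4.319 rather than the dissector strings shown in the captures) and then audits a searchResultDone the way the post reads its Wireshark output: a critical control must either be echoed back or refused with unsupportedCriticalExtension; silently dropping it is the non-compliant case seen on the cn=compat subtree. The two reply records at the bottom are constructed to mirror the captures, not real packet data.

```python
# Added example: minimal BER codec for the RFC 2696 pagedResultsControl and a
# compliance check for searchResultDone replies. Hand-rolled so it runs offline.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # pagedResultsControl OID (RFC 2696)
UNSUPPORTED_CRITICAL_EXTENSION = 12            # LDAP resultCode (RFC 4511)
SUCCESS = 0


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER; page sizes are never negative."""
    if value < 0:
        raise ValueError("page size must be non-negative")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")  # keeps sign bit clear
    return ber_tlv(0x02, body)


def encode_paged_value(size: int, cookie: bytes = b"") -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    return ber_tlv(0x30, ber_integer(size) + ber_tlv(0x04, cookie))


def encode_control(size: int, cookie: bytes = b"", critical: bool = True) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN,
    controlValue OCTET STRING } as vSphere sends it (criticality TRUE)."""
    oid = ber_tlv(0x04, PAGED_RESULTS_OID.encode("ascii"))
    crit = ber_tlv(0x01, b"\xff" if critical else b"\x00")
    return ber_tlv(0x30, oid + crit + ber_tlv(0x04, encode_paged_value(size, cookie)))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_paged_value(value: bytes):
    """Parse a pagedResultsControl value back into (size, cookie)."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def audit_search_result_done(result_code: int, controls: list, requested_critical: bool = True) -> str:
    """Classify a searchResultDone against RFC 2696 section 3.

    controls is a list of dicts with at least a "controlType" key, mirroring
    the "controls:" block of the dissected reply.
    """
    oids = {c["controlType"] for c in controls}
    if result_code == UNSUPPORTED_CRITICAL_EXTENSION:
        return "compliant: server refused the critical control"
    if PAGED_RESULTS_OID in oids:
        return "compliant: pagedResultsControl echoed in searchResultDone"
    if requested_critical:
        return "non-compliant: critical control neither honoured nor refused"
    return "compliant: non-critical control ignored"


# Constructed replies modelled on the two captures in the post (not real packets).
ACCOUNTS_REPLY = {"resultCode": SUCCESS,
                  "controls": [{"controlType": PAGED_RESULTS_OID,
                                "controlValue": encode_paged_value(0, b"")}]}
COMPAT_REPLY = {"resultCode": SUCCESS, "controls": []}   # no controls block at all


if __name__ == "__main__":
    print("request control:", encode_control(100).hex())
    for name, reply in (("cn=accounts", ACCOUNTS_REPLY), ("cn=compat", COMPAT_REPLY)):
        print(name, "->", audit_search_result_done(reply["resultCode"], reply["controls"]))
```

The audit deliberately treats "resultCode success with no echoed control" as the failure case: that is exactly what a client which marked the control critical cannot distinguish from a server that never saw the control, which is why vSphere rejects the compat replies even though the entries themselves are identical.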
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project