On Wed, 14 Dec 2016, Serhii Honchar wrote:
Hello,

trying to get vSphere to authenticate users using FreeIPA.
I've made scheme changes as recommended in the howto
http://www.freeipa.org/page/HowTo/vsphere5_integration.
But then I faced the following issue:
vSphere is using "pagedResultsControl" and sets its criticality to "True" on
all its requests to the LDAP server:
---
Lightweight Directory Access Protocol
   LDAPMessage searchRequest(2) "cn=users,cn=compat,dc=XXX,dc=XXX" wholeSubtree
       messageID: 2
       protocolOp: searchRequest (3)
       [Response In: 17]
*       controls: 1 item *
*            Control *
*                controlType: 1.2.840.113556.1.4.319 (pagedResultsControl) *
*                criticality: True *
*                SearchControlValue *
*                    size: 100 *
*                    cookie: <MISSING> *
---

When requesting from the "cn=accounts" subtree things go ok, and the reply also
contains a "pagedResultsControl" block:
---
Lightweight Directory Access Protocol
   LDAPMessage searchResDone(2) success [1 result]
       messageID: 2
       protocolOp: searchResDone (5)
           searchResDone
               resultCode: success (0)
               matchedDN:
               errorMessage:
       [Response To: 15]
       [Time: 0.065699000 seconds]
 *      controls: 1 item*
*            Control*
*                controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)*
*                SearchControlValue*
*                    size: 0*
*                    cookie: <MISSING>*
---
and vSphere accepts the results of such queries without any problem, except
for the fact that some required attributes are missing from objects in this
subtree.

But on the same requests to the "cn=compat" subtree (where all required
attributes are added) something goes wrong, and the replies don't contain a
"pagedResultsControl" block (the result set itself is identical, the absence
of the controls block is the only difference):

That's correct because the slapi-nis plugin does not support the paged results
control for the virtual subtree.

--
/ Alexander Bokovoy
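
The following is an added example, not part of the original messages or of FreeIPA or slapi-nis code. It encodes and decodes the paged results control value seen in the captures (RFC 2696) and classifies a searchResDone by whether the control came back; the function names are hypothetical and the byte strings are constructed from the size and cookie values shown above.

```python
# Added example: BER codec for the RFC 2696 paged results control value.
# Function names are hypothetical; byte strings are constructed from the
# size/cookie values shown in the captures above.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:                      # short-form length
        length = bytes([n])
    else:                             # long-form length
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def encode_paged_value(size, cookie=b""):
    """SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    # One spare leading bit keeps the INTEGER non-negative.
    int_body = size.to_bytes(size.bit_length() // 8 + 1, "big")
    return _tlv(0x30, _tlv(0x02, int_body) + _tlv(0x04, cookie))

def _read_tlv(buf, pos, want_tag):
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("missing or unexpected BER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return buf[pos:pos + length], pos + length

def decode_paged_value(raw):
    seq, _ = _read_tlv(raw, 0, 0x30)
    size_raw, pos = _read_tlv(seq, 0, 0x02)
    cookie, _ = _read_tlv(seq, pos, 0x04)
    return int.from_bytes(size_raw, "big", signed=True), cookie

def paging_state(response_controls):
    """response_controls: list of (oid, value) taken from a searchResDone."""
    for oid, value in response_controls:
        if oid == PAGED_RESULTS_OID:
            _size, cookie = decode_paged_value(value)
            # RFC 2696: an empty cookie means the result set is complete.
            return "more-pages" if cookie else "last-page"
    return "control-absent"           # server did not answer the control

if __name__ == "__main__":
    print(encode_paged_value(100).hex())                  # request value
    print(paging_state([(PAGED_RESULTS_OID, encode_paged_value(0))]))
    print(paging_state([]))                               # cn=compat case
```

The "control-absent" result corresponds to the cn=compat replies described in the question, where the entries are returned but no pagedResultsControl accompanies them.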
