Alexander, as per RFC2696 in such case:
---
If the server does not support this control, the server MUST return an error of unsupportedCriticalExtension if the client requested it as critical,
---
So in case the slapi-nis plugin doesn't support "paged results control", it is quite incorrect to absolutely ignore the control regardless of its "criticality". To comply with RFC2696, the slapi-nis plugin shall reply with an "unsupportedCriticalExtension" error in such cases.
Am I right?

Wed, 14 Dec 2016 at 18:24 Alexander Bokovoy <[email protected]> wrote:

> On Wed, 14 Dec 2016, Serhii Honchar wrote:
> >Hello,
> >
> >trying to get vSphere to authenticate users using FreeIPA.
> >I've made scheme changes as recommended in the howto
> >http://www.freeipa.org/page/HowTo/vsphere5_integration.
> >But then I faced the following issue:
> >vSphere is using "pagedResultsControl" and sets its criticality to "True" on
> >all its requests to the LDAP server:
> >---
> >Lightweight Directory Access Protocol
> >  LDAPMessage searchRequest(2) "cn=users,cn=compat,dc=XXX,dc=XXX" wholeSubtree
> >    messageID: 2
> >    protocolOp: searchRequest (3)
> >    [Response In: 17]
> >    * controls: 1 item *
> >      * Control *
> >        * controlType: 1.2.840.113556.1.4.319 (pagedResultsControl) *
> >        * criticality: True *
> >        * SearchControlValue *
> >          * size: 100 *
> >          * cookie: <MISSING> *
> >---
> >
> >When requesting from the "cn=accounts" subtree things go ok, and the reply also
> >contains a "pagedResultsControl" block:
> >---
> >Lightweight Directory Access Protocol
> >  LDAPMessage searchResDone(2) success [1 result]
> >    messageID: 2
> >    protocolOp: searchResDone (5)
> >      searchResDone
> >        resultCode: success (0)
> >        matchedDN:
> >        errorMessage:
> >    [Response To: 15]
> >    [Time: 0.065699000 seconds]
> >    * controls: 1 item*
> >      * Control*
> >        * controlType: 1.2.840.113556.1.4.319 (pagedResultsControl)*
> >        * SearchControlValue*
> >          * size: 0*
> >          * cookie: <MISSING>*
> >---
> >and vSphere accepts the results of such queries without any problem, except
> >for the fact that some required attributes are missing from objects in this
> >subtree.
> >
> >But on the same requests to the "cn=compat" subtree (where all required attributes
> >are added) something goes wrong, and the replies don't contain a
> >"pagedResultsControl" block (the result set itself is identical, the absence of
> >the controls block is the only difference):
> That's correct because slapi-nis plugin does not support paged results
> control for the virtual subtree.
>
> --
> / Alexander Bokovoy
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
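The criticality rule quoted from RFC 2696 in the message above, as an added example that is not part of the original thread and is not slapi-nis code: it decodes a BER-encoded Control like the one in the capture and picks the result code a backend should return. The sample bytes are constructed and every function name is hypothetical; 12 is the resultCode that RFC 4511 names unavailableCriticalExtension.

```python
# Added example, not slapi-nis code; helper names and sample bytes are assumptions.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"
SUCCESS, UNAVAILABLE_CRITICAL_EXTENSION = 0, 12  # RFC 4511 resultCode values

def tlv(tag, value):  # short-form BER encoder, enough for the sample below
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_control(der):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue OPTIONAL }"""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = read_tlv(body, 0)
    critical, value = False, None  # an absent criticality means FALSE
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x01:    # BOOLEAN criticality
            critical = val != b"\x00"
        elif tag == 0x04:  # OCTET STRING controlValue
            value = val
    return oid.decode("ascii"), critical, value

def parse_paged_value(value):  # SEQUENCE { size INTEGER, cookie OCTET STRING }
    _, body, _ = read_tlv(value, 0)
    _, size, pos = read_tlv(body, 0)
    _, cookie, _ = read_tlv(body, pos)
    return int.from_bytes(size, "big", signed=True), cookie

def result_code(control_der, supported_oids):
    """Result code for a search request that carries this control."""
    oid, critical, _ = parse_control(control_der)
    if critical and oid not in supported_oids:
        return UNAVAILABLE_CRITICAL_EXTENSION  # refuse instead of ignoring
    return SUCCESS  # supported, or non-critical and safe to ignore

def sample_control(critical):  # constructed sample: size 100, empty cookie
    value = tlv(0x30, tlv(0x02, b"\x64") + tlv(0x04, b""))
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x04, PAGED_RESULTS_OID.encode()) + crit + tlv(0x04, value))
```

A backend that lists no supported controls maps the critical sample to 12 and the non-critical one to 0, which is the distinction the reply asks about.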
