
Re: Error 18: Solaris 10 Native LDAP-Client



While searching the web further, I found this nice overview of how to
debug a Solaris 10 Native LDAP client or, more generally,
what is necessary to know if you want to work with the Solaris native LDAP client.

http://wiki.genunix.org/wiki/index.php/Native_LDAP_Product_Support_Document#What_are_the_requirements_for_Directory_server_to_support_Solaris_Native_LDAP_clients.3F
I am a little bit concerned about the VLV support of OpenLDAP; I don't
know how to disable this feature without compiling my own packages and
disabling it via configure.


This discussion is about disabling VLV to be able to work with the
Solaris native LDAP client and AD:
http://old.nabble.com/Solaris-native-ldap-client-to-Windows-Active-Directory:-Netgroups-don't-work-because-of-control-critical-statement-tt23075436.html#a23075436

Can somebody confirm that problem with VLVs and the Solaris native LDAP client?

Thanks and bye.


On Thu, Oct 28, 2010 at 15:12, Benjamin Griese <der.darude@gmail.com> wrote:
> Correction:
> -w <passwd> or -w - instead of -W
>
> On Thu, Oct 28, 2010 at 15:02, Benjamin Griese <der.darude@gmail.com> wrote:
>> Hello Günther,
>>
>> sorry for my late reply; I hate Sun Cluster panics after patching
>> those beasts. :(
>>
>> Here is the content of solaris_profile:
>>
>> dn: cn=solaris_profile,ou=profile,dc=example,dc=de
>> objectClass: DUAConfigProfile
>> objectClass: top
>> cn: solaris_profile
>> authenticationMethod: simple
>> bindTimeLimit: 10
>> credentialLevel: proxy
>> defaultSearchBase: dc=example,dc=de
>> defaultSearchScope: sub
>> defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured
>> to mirrormode)
>> followReferrals: FALSE
>> profileTTL: 3600
>> searchTimeLimit: 30
>> serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub
>> serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub
>> serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub
>>
>>
>> Regarding the sorting, I found this in man ldapsearch:
>>
>> "-F sep
>>
>>         Use sep as the field separator between  attribute  names
>>         and  values.  If  this option has been specified, the -L
>>         option is ignored.
>>
>>
>> -S [-]attribute
>>
>>         Specify an attribute for sorting the entries returned by
>>         the  search.  The  sort  criteria is alphabetical on the
>>         attribute's value or reverse alphabetical with the  form
>>         -attribute.  You  can give multiple -S options to refine
>>         the sorting, For example:
>>
>>         -S sn -S givenname
>>
>>         By default, the entries  are  not  sorted.  Use  the  -x
>>         option to perform server-side sorting."
>>
>> If I use -x for server side sorting, I get the complete list of
>> uid-Objects, but not sorted in any obvious way:
>> # ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D
>> cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>>
>> ldapsearch: started Thu Oct 28 12:16:49 2010
>> ldap_init( exampleldap01, 389 )
>> filter pattern: (uid=*)
>> returning: ALL
>> filter is: (uid=*)
>> version: 1
>>
>> If I use this string, I get the complete list of uid objects sorted by uidNumber:
>> # ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D
>> cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>>
>> ldapsearch: started Thu Oct 28 12:37:11 2010
>> ldap_init( exampleldap01, 389 )
>> filter pattern: (uid=*)
>> returning: ALL
>> filter is: (uid=*)
>> version: 1
>>
>> If I try to search with -x and -S uidnumber I get the same message
>> that appears in the OpenLDAP logfile:
>> # ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01
>> -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>>
>> ldapsearch: started Thu Oct 28 12:25:50 2010
>> ldap_init( exampleldap01, 389 )
>> filter pattern: (uid=*)
>> returning: ALL
>> filter is: (uid=*)
>> ldap_search: Inappropriate matching
>> ldap_search: additional info: serverSort control: No ordering rule
>> ldap_parse_sort_control: Requested LDAP control not found
>>
>> Finally I still have no clue how to prevent the client from doing
>> these kinds of searches.
>> And I couldn't find any templates regarding the ldapclient on my test machine.
>>
>> Any other clues or ideas?
>>
>> Bye, Benjamin.
>>
>> On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter <dieter@dkluenter.de> wrote:
>>> Benjamin Griese <der.darude@gmail.com> writes:
>>>
>>>> Hey thanks for quick reply,
>>>>
>>>> I put the config of the ldapclient on the ML some days ago,
>>>> but I can't figure out how I may have set such a rule on client side.
>>>> Probably it is something hardcoded.
>>>>
>>>> ldapclient config:
>>>> NS_LDAP_FILE_VERSION= 2.0
>>>> NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
>>>> NS_LDAP_BINDPASSWD= secret
>>>> NS_LDAP_SERVERS= ldap01
>>>> NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
>>>> NS_LDAP_AUTH= simple
>>>> NS_LDAP_SEARCH_REF= FALSE
>>>> NS_LDAP_SEARCH_SCOPE= sub
>>>> NS_LDAP_SEARCH_TIME= 30
>>>> NS_LDAP_CACHETTL= 60
>>>> NS_LDAP_PROFILE= solaris_profile
>>>> NS_LDAP_CREDENTIAL_LEVEL= proxy
>>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
>>>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
>>>> NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub
>>>>
>>>> That's all I set up; it's like the defaultest of the defaultest, I guess :)
>>>>
>>>> And thanks for describing EQUALITY.
>>>
>>> I must admit I am not that familiar with the old Netscape tools, but the
>>> OpenLDAP log is quite clear: there is a request for a Server Side
>>> Sorting extended operation, which in fact is quite unusual. You really
>>> should check the Solaris 10 setup for appropriate templates, i.e. what is
>>> the content of solaris_profile? By the way, AFAIR the flag for sss is
>>> -F, so you may check any templates; Redhat provides these in
>>> /usr/share/dirsrv, Solaris might be different.
>>>
>>> -Dieter
>>>
>>> --
>>> Dieter Klünter | Systems Consulting
>>> sip: 7770535@sipgate.de
>>> http://www.dpunkt.de/buecher/2104.html
>>> GPG Key ID:8EF7B6C6
>>>
>>
>>
>>



-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
be is to do -- Sartre | Do be do be do -- Sinatra
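The `ldapsearch -x -S uidNumber` attempt quoted above attaches the Server Side Sort request control of RFC 2891 to the search, and the server answers with a SortResult response control whose value 18 (inappropriateMatching) is what the client prints as "Inappropriate matching". As an added example that is not code from this thread or from OpenLDAP, the Python below builds that request control by hand, including the optional orderingRule field with which RFC 2891 lets a client name an ordering rule itself (integerOrderingMatch, 2.5.13.15, for an INTEGER attribute such as uidNumber), and decodes a constructed SortResult value; no directory server is contacted.

```python
# Added example, not code from the thread: RFC 2891 Server Side Sort controls, hand-built.
# Standard library only; SAMPLE_SORT_RESULT below is constructed, not captured from a server.
SSS_REQUEST_OID = "1.2.840.113556.1.4.473"   # sort request control
SSS_RESPONSE_OID = "1.2.840.113556.1.4.474"  # sort result response control
INTEGER_ORDERING_MATCH = "2.5.13.15"         # X.520 integerOrderingMatch, usable as orderingRule
SORT_RESULT_NAMES = {0: "success", 16: "noSuchAttribute", 18: "inappropriateMatching", 80: "other"}
SAMPLE_SORT_RESULT = b"\x30\x0e\x0a\x01\x12\x80\x09uidNumber"  # constructed: code 18 on uidNumber
def _tlv(tag, content):
    """BER tag-length-value with a definite length (short form below 128 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def _read_tlv(buf, pos):  # inverse of _tlv: returns (tag, content, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                              # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def sort_key_list(keys):
    """SortKeyList ::= SEQUENCE OF SEQUENCE {attr, [0] orderingRule OPTIONAL, [1] reverseOrder}."""
    out = b""
    for attr, rule, reverse in keys:                           # keys: (name, rule OID or None, bool)
        item = _tlv(0x04, attr.encode("ascii"))                # AttributeDescription
        if rule:
            item += _tlv(0x80, rule.encode("ascii"))           # client supplies the ordering rule
        if reverse:
            item += _tlv(0x81, b"\xff")                        # BOOLEAN TRUE, like -S -attribute
        out += _tlv(0x30, item)
    return _tlv(0x30, out)

def ldap_control(oid, critical, value):
    """Control ::= SEQUENCE {controlType, criticality DEFAULT FALSE, controlValue OPTIONAL}."""
    body = _tlv(0x04, oid.encode("ascii"))
    if critical:                                               # FALSE is omitted (BER DEFAULT)
        body += _tlv(0x01, b"\xff")
    if value is not None:
        body += _tlv(0x04, value)
    return _tlv(0x30, body)

def parse_sort_result(value):
    """SortResult ::= SEQUENCE {sortResult ENUMERATED, [0] attributeType OPTIONAL}."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30 or seq[:1] != b"\x0a":
        raise ValueError("not a SortResult control value")
    _, code, pos = _read_tlv(seq, 0)
    attr = _read_tlv(seq, pos)[1].decode("ascii") if pos < len(seq) and seq[pos] == 0x80 else None
    return SORT_RESULT_NAMES.get(int.from_bytes(code, "big", signed=True), "unknown"), attr
```

Sending the control non-critical (criticality omitted) is what lets a server that cannot honour the sort still return the entries, which is the difference between the plain and the sorted searches in the quoted transcript.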