[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4027) Requesting critical manageDSAit control with back-meta results in err=32

To: openldap-its@OpenLDAP.org
Subject: (ITS#4027) Requesting critical manageDSAit control with back-meta results in err=32
From: pfnguyen@hanhuy.com
Date: Tue, 13 Sep 2005 20:30:16 GMT

Full_Name: Perry Nguyen
Version: 2.3.7
OS: Linux FC3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.245.252.239)


NB: I personally don't care about the manageDSAit control, but it seems JNDI
requests this control by default, and it causes our code that uses JNDI to
fail.

I have no idea what the backend server would be.  My guess would be some version
of IBM/Tivoli Directory Server.

Relevant configuration that demonstrates this problem:

### Proxy bluepages so we can use its authentication
### Glue US and CSDL and our local accounts together
database        meta
nretries        forever
readonly        on
suffix          "ou=tsso,ou=ecmbi,o=ibm"
uri             "ldap://bluepages.ibm.com/c=us,ou=tsso,ou=ecmbi,o=ibm";
suffixmassage   "c=us,ou=tsso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"
#uri             "ldap:///ou=tsso,ou=ecmbi,o=ibm";
#suffixmassage   "ou=tsso,ou=ecmbi,o=ibm" "ou=Build Accounts,ou=ecmbi,o=ibm"

database        meta
readonly        on
nretries        forever
suffix          "ou=sso,ou=ecmbi,o=ibm"
uri             "ldaps://bluepages.ibm.com/c=us,ou=sso,ou=ecmbi,o=ibm"
suffixmassage   "c=us,ou=sso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"
uri             "ldaps://bluepages.ibm.com/c=cn,ou=sso,ou=ecmbi,o=ibm"
suffixmassage   "c=cn,ou=sso,ou=ecmbi,o=ibm" "c=cn,ou=bluepages,o=ibm.com"
uri             "ldap:///ou=sso,ou=ecmbi,o=ibm";
suffixmassage   "ou=sso,ou=ecmbi,o=ibm" "ou=SSO Stub,ou=ecmbi,o=ibm"

#uri             "ldap:///ou=sso,ou=ecmbi,o=ibm";
#suffixmassage   "ou=sso,ou=ecmbi,o=ibm" "ou=Build Accounts,ou=ecmbi,o=ibm"
subordinate

###
### Proof that the back-meta in question works (without the "frills")
###
[pfnguyen@wassup ~]$ ldapsearch -x -b ou=tsso,ou=ecmbi,o=ibm -H ldap:///
uid=828197897 1.1
# extended LDIF
#
# LDAPv3
# base <ou=tsso,ou=ecmbi,o=ibm> with scope sub
# filter: uid=828197897
# requesting: 1.1
#

# 828197897, us, tsso, ecmbi, ibm
dn: uid=828197897,c=us,ou=tsso,ou=ecmbi,o=ibm

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

###
### This is where the failure occurs, no such object requesting critical
manageDSAit
###
[pfnguyen@wassup ~]$ ldapsearch -x -MM -b ou=tsso,ou=ecmbi,o=ibm -H ldap:///
uid=828197897 1.1
# extended LDIF
#
# LDAPv3
# base <ou=tsso,ou=ecmbi,o=ibm> with scope sub
# filter: uid=828197897
# requesting: 1.1
# with manageDSAit critical control
#

# search result
search: 2
result: 32 No such object
matchedDN: ou=ecmbi,o=ibm

# numResponses: 1

###
### Even a non-critical request fails
###
[pfnguyen@wassup ~]$ ldapsearch -x -M -b ou=tsso,ou=ecmbi,o=ibm -H ldap:///
uid=828197897 1.1
# extended LDIF
#
# LDAPv3
# base <ou=tsso,ou=ecmbi,o=ibm> with scope sub
# filter: uid=828197897
# requesting: 1.1
# with manageDSAit control
#

# search result
search: 2
result: 32 No such object
matchedDN: ou=ecmbi,o=ibm


###
### This shows that the backend works fine with manageDSAit
###
[pfnguyen@wassup ~]$ ldapsearch -x -MM -b ou=bluepages,o=ibm.com -H
ldap://bluepages.ibm.com/ uid=828197897 1.1
# extended LDIF
#
# LDAPv3
# base <ou=bluepages,o=ibm.com> with scope sub
# filter: uid=828197897
# requesting: 1.1
# with manageDSAit critical control
#

# 828197897, us, bluepages, ibm.com
dn: uid=828197897,c=us,ou=bluepages,o=ibm.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

###
### This shows that the backend to back-meta works fine without manageDSAit
###
[pfnguyen@wassup ~]$ ldapsearch -x -b ou=bluepages,o=ibm.com -H
ldap://bluepages.ibm.com/ uid=828197897 1.1
# extended LDIF
#
# LDAPv3
# base <ou=bluepages,o=ibm.com> with scope sub
# filter: uid=828197897
# requesting: 1.1
#

# 828197897, us, bluepages, ibm.com
dn: uid=828197897,c=us,ou=bluepages,o=ibm.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

###
### This instance demonstrates that it works fine with the subordinate
back-meta
###
[pfnguyen@wassup ~]$ ldapsearch -x -MM -H ldap:/// uid=828197897 1.1
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=828197897
# requesting: 1.1
# with manageDSAit critical control
#

# 828197897, us, sso, ecmbi, ibm
dn: uid=828197897,c=us,ou=sso,ou=ecmbi,o=ibm

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Prev by Date: Re: getent group with ldap backend crashes
Next by Date: Re: (ITS#4006) 2.3.7 cannot build without-threads
Index(es):
- Chronological
- Thread