directory-api mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Radovan Semancik <radovan.seman...@evolveum.com>
Subject Re: Ldap API Custom Controls
Date Mon, 11 Sep 2017 08:58:52 GMT
Hi,

According to my experience with AD this is very hard to diagnose. AD is 
using "unwilling to perform" as a generic error for almost anything. 
Sometimes there is a AD-specific error code in the error message and 
that is really worth checking out. Really. Try that. But apart from this 
there is no way how to diagnose that properly. There seems to be no 
reasonable logging facility on the AD server side. I'm looking for this 
for years and I have found nothing so far (Microsoft support is not able 
help much, I've tried many times). The documentation is not very clear.

The best method so far that I have found is to find a tool that can 
already use this control. Then use packet sniffer and compare the data 
from the tool that works with the data produced by your code. I mean 
real byte-by-byte comparison. The differences will usually point you to 
the things that are wrong.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 09/08/2017 04:11 PM, CRAIG BENNER wrote:
> Thanks Shawn, I was going to ask that.  But I got wireshark working.  Below is the packet
I'm assuming we want to see.  In concept it looks correct, but i'm not sure what the controlValue
is suppose to be on the wire.
>
> Frame 9: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0
> Ethernet II, Src: PcsCompu_f5:e8:94 (08:00:27:f5:e8:94), Dst: PcsCompu_4b:a3:17 (08:00:27:4b:a3:17)
> Internet Protocol Version 4, Src: 192.168.33.10, Dst: 192.168.33.11
>
> Transmission Control Protocol, Src Port: 44766, Dst Port: 389, Seq: 45, Ack: 46, Len:
229
> Lightweight Directory Access Protocol
>      LDAPMessage modifyRequest(7) "cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local"
>          messageID: 7
>          protocolOp: modifyRequest (6)
>              modifyRequest
>                  object: cn=model_ouadmin,ou=PSU-OU-Admin-Accounts,ou=PSU-AD-OU-Administration,ou=PSU-AD-Administration,dc=develop,dc=local
>                  modification: 1 item
>          [Response In: 10]
>          controls: 1 item
>              Control
>                  controlType: 1.2.840.113556.1.4.2239 (ISO assigned OIDs, USA.113556.1.4.2239)
>                  criticality: True
>                  controlValue: 3003020101
>
> Thanks.
> Craig Benner
>
> ----- Original Message -----
> From: "Shawn McKinney" <smckinney@apache.org>
> To: "api" <api@directory.apache.org>
> Sent: Friday, September 8, 2017 9:58:56 AM
> Subject: Re: Ldap API Custom Controls
>
>> On Sep 7, 2017, at 8:41 PM, CRAIG BENNER <craig.benner@psu.edu> wrote:
>>
>> It will take some changes to get a wireshark capture, since Password's can only be
managed over a secure connection.  Hopefully tomorrow I can get you the wireshark capture
> Wonder if it would be easier to just enable the API logger containing the BER request/response
traces?  That’s typically how I debug.  Saves the trouble of setting up wireshark.
>
>      <category name="org.apache.directory.api" class="org.apache.log4j.Logger" additivity="false">
>          <priority value="DEBUG" class="org.apache.log4j.Level"/>
>          <appender-ref ref="file"/>
>      </category>



Mime
View raw message