Jeff Bate

Reading Universal Password on Filtered Replica


I've been trying to set up a filtered replica for our FreeRadius server
to use. I've got a full replica of the root partition which includes
the Security container. I have a filtered replica of my users container
which includes User and ndsLoginProperties with all attributes for both
in the filter. I have checked the box in the filter to allow local
login. I have also checked the box to tell LDAP to provide results from
the local filtered replica. This all works great for normal searches
and binds and I have verified with ndstrace that these requests are
being serviced locally on the box.

The problem comes when I try to read the Universal Password on an object
in the filtered replica. This is done by way of a call to
nmasldap_get_password() which is the same function FreeRadius uses to
get the password. Ndstrace shows this:

15263488 LDAP: [2015/11/17 14:11:56.164] INFO: DoExtended: Extension
Request OID: 2.16.840.1.113719.1.39.42.100.13 (NMAS Get Password
Request)
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Begin->
DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Starting to walk from
initial connection
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Resolving
\TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 AREQ: [2015/11/17 14:11:56.170] DEBUG: Calling DSARead conn:0
for client .server.utility.tree.TREE.
15263488 AREQ: [2015/11/17 14:11:56.170] DEBUG: DSARead failed, no such
attribute (-603).
15263488 AREQ: [2015/11/17 14:11:56.170] DEBUG: Calling DSAResolveName
conn:52 for client .admin.tree.TREE.
15263488 RSLV: [2015/11/17 14:11:56.170] INFO: Resolving
\TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Responding with
referrals.
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Starting to process 4
received addresses:
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: ->
tcp:xxx.xxx.xx7.154:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: ->
tcp:xxx.xxx.xx7.156:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: ->
tcp:xxx.xxx.xx7.153:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: ->
tcp:xxx.xxx.xx7.155:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: (1)Trying to connect.
tries = 1
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: TryConnection returning
-779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End--->
DCResolveWithConstraint err = -779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Connect to
tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Begin->
DCResolveWithConstraint context = 397f0004
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Begin using RN cache
\CN=admin\O=tree\TREE\
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End using RN cache tag
1, succeeded
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Starting to walk from
initial connection
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Resolving v3,
\CN=admin\O=tree\TREE\
15263488 AREQ: [2015/11/17 14:11:56.180] DEBUG: Calling DSAResolveName
conn:4 for client .[Public].
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Resolving
\CN=admin\O=tree\TREE\, flags 00014004.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Respond with local entry
succeeded.
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: ------> tag = 6
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: ------> id = 00008066
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End--->
DCResolveWithConstraint err = 0
15263488 AREQ: [2015/11/17 14:11:56.180] DEBUG: Calling
DSAReadObjectInfo conn:4 for client .[Public].
15263488 AREQ: [2015/11/17 14:11:56.181] DEBUG: Calling DSARead conn:4
for client .[Public].
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Connect to
tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Connect to
tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Connect to
tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Begin->
DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Begin using RN cache
\TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: End using RN cache tag
6, succeeded
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Starting to walk from
initial connection
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Resolving
\TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 AREQ: [2015/11/17 14:11:56.181] DEBUG: Calling DSAResolveName
conn:356 for client .admin.tree.TREE.
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Resolving
\TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Responding with
referrals.
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Starting to process 4
received addresses:
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: ->
tcp:xxx.xxx.xx7.153:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: ->
tcp:xxx.xxx.xx7.156:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: ->
tcp:xxx.xxx.xx7.155:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: ->
tcp:xxx.xxx.xx7.154:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: (1)Trying to connect.
tries = 1
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Connect to
tcp:xxx.xxx.xx7.153:524 succeeded (NOT local server)
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Resolving
\TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: ------> tag = 6
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: ------> id = 000213A6
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: End--->
DCResolveWithConstraint err = 0
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: Connect to
tcp:xxx.xxx.xx7.153:524 succeeded (NOT local server)
15263488 RSLV: [2015/11/17 14:11:56.186] DEBUG: Begin->
DCResolveWithConstraint context = 397f000d
15263488 RSLV: [2015/11/17 14:11:56.186] DEBUG: Starting to walk from
initial connection
15263488 RSLV: [2015/11/17 14:11:56.186] DEBUG: Resolving v2, non-text
15263488 RSLV: [2015/11/17 14:11:56.187] DEBUG: ------> tag = 6
15263488 RSLV: [2015/11/17 14:11:56.187] DEBUG: ------> id = 0000806D
15263488 RSLV: [2015/11/17 14:11:56.187] DEBUG: End--->
DCResolveWithConstraint err = 0
15263488 AREQ: [2015/11/17 14:11:56.261] DEBUG: Calling DS Ping conn:356
for client .admin.tree.TREE.
15263488 NMAS: [2015/11/17 14:11:56.295] INFO: NMAS Audit with Audit PA
not installed
15263488 NMAS: [2015/11/17 14:11:56.295] INFO: NMAS Audit with XDAS not
installed
15263488 LDAP: [2015/11/17 14:11:56.295] INFO: Sending operation result
0:"":"" to connection 0xfde9f880

I have verified that with a normal R/W replica of the users container,
everything stays local. Interestingly, it appears that the name
resolutions with flags 00004044 are the ones that go off server. Any
ideas how I can make this NMAS call stay local to the server?

Thanks,

Jeff


--
jeffbate
------------------------------------------------------------------------
jeffbate's Profile: https://forums.netiq.com/member.php?userid=1572
View this thread: https://forums.netiq.com/showthread.php?t=54696
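The observation in the post that only the resolutions with flags 00004044 leave the server is the kind of thing worth pulling out of an ndstrace capture mechanically rather than by eye. The script below is an added example, not code from the post or from NetIQ: it walks the RSLV lines, pairs each "Begin-> DCResolveWithConstraint" with its "End--->", records the DN and flags being resolved, whether the server answered with a local entry or with referrals, and which connections ended up on a "NOT local server". The sample trace is constructed from the excerpt above (unwrapped onto single lines, hosts masked as in the post); the function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: ndstrace lines modelled on the excerpt in the post,
# unwrapped onto single lines. Host addresses are masked as they are in the post.
SAMPLE_TRACE = r"""
15263488 LDAP: [2015/11/17 14:11:56.164] INFO: DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13 (NMAS Get Password Request)
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Begin-> DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 RSLV: [2015/11/17 14:11:56.170] INFO: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Responding with referrals.
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: TryConnection returning -779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End---> DCResolveWithConstraint err = -779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Begin-> DCResolveWithConstraint context = 397f0004
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Resolving \CN=admin\O=tree\TREE\, flags 00014004.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Respond with local entry succeeded.
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End---> DCResolveWithConstraint err = 0
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Begin-> DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Responding with referrals.
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Connect to tcp:xxx.xxx.xx7.153:524 succeeded (NOT local server)
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: End---> DCResolveWithConstraint err = 0
15263488 LDAP: [2015/11/17 14:11:56.295] INFO: Sending operation result 0:"":"" to connection 0xfde9f880
"""

BEGIN_RE = re.compile(r"Begin-> DCResolveWithConstraint context = ([0-9a-fA-F]+)")
END_RE = re.compile(r"End---> DCResolveWithConstraint err = (-?\d+)")
RESOLVE_RE = re.compile(r"INFO: Resolving (\S+), flags ([0-9A-Fa-f]{8})\.")
REFERRAL_RE = re.compile(r"Responding with referrals\.")
LOCAL_ENTRY_RE = re.compile(r"Respond with local entry succeeded\.")
CONNECT_RE = re.compile(r"Connect to (tcp:\S+) succeeded \((NOT local|local) server\)")


@dataclass
class Resolution:
    """One DCResolveWithConstraint context, from Begin-> to End--->."""
    context: str
    dn: str = ""
    flags: str = ""
    referral: bool = False          # server answered with referrals
    local_entry: bool = False       # server answered from its own replica
    remote_hosts: List[str] = field(default_factory=list)  # "NOT local server" connections
    err: Optional[int] = None


def parse_trace(text: str) -> List[Resolution]:
    """Walk ndstrace output and return one Resolution per Begin/End pair."""
    events: List[Resolution] = []
    current: Optional[Resolution] = None
    for line in text.splitlines():
        m = BEGIN_RE.search(line)
        if m:
            current = Resolution(context=m.group(1))
            continue
        if current is None:
            continue  # LDAP/NMAS/AREQ lines outside a resolve context are not tracked here
        m = RESOLVE_RE.search(line)
        if m and not current.dn:
            current.dn, current.flags = m.group(1), m.group(2)
            continue
        if REFERRAL_RE.search(line):
            current.referral = True
            continue
        if LOCAL_ENTRY_RE.search(line):
            current.local_entry = True
            continue
        m = CONNECT_RE.search(line)
        if m:
            if m.group(2) == "NOT local":
                current.remote_hosts.append(m.group(1))
            continue
        m = END_RE.search(line)
        if m:
            current.err = int(m.group(1))
            events.append(current)
            current = None
    return events


def off_server(events: List[Resolution]) -> List[Resolution]:
    """Resolutions that were referred and actually connected to another server."""
    return [e for e in events if e.remote_hosts]


def summarize_by_flags(events: List[Resolution]) -> dict:
    """Count local versus referred resolutions per flags value, so an odd flags value stands out."""
    counts = defaultdict(lambda: {"local": 0, "referral": 0})
    for e in events:
        counts[e.flags]["referral" if e.referral else "local"] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for e in off_server(evs):
        print(f"{e.dn} (flags {e.flags}) went to {', '.join(e.remote_hosts)}")
    print(summarize_by_flags(evs))
```

Run against a real capture (ndstrace with the RSLV and LDAP flags enabled, saved to a file), the per-flags summary shows at a glance whether a given resolution flag is ever satisfied locally; the wrapped lines in a mailed trace have to be re-joined first, since the regexes expect each message on one line.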


Re: Reading Universal Password on Filtered Replica


To me it seems as if you are missing some kind of attribute: " DSARead
failed, no such attribute (-603)."
I wonder what attribute and what class it belongs to.
Have you checked all LDAP Trace boxes except Packet dump?


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159


Re: Reading Universal Password on Filtered Replica

On 11/18/2015 04:44 AM, joakim ganse wrote:
>
> To me it seems as you are missing some kind of attribute: " DSARead
> failed, no such attribute (-603)."


I'd pay close attention to nspmPassword, nspmPasswordKey,
nspmDistributionPassword, nspmPreviousDistributionPassword, and other
things like that, assuming they are options to be selected.

> I wonder what attribute and what class it belongs to.
> Have you checked all LDAP Trace boxes except Packet dump?


There is no value in excluding certain options; 'Packet Dump' as an option
on the trace/screen options window has not done anything additional for
years, so just select all checkboxes as it's easier to remember all rather
than all minus one arbitrarily-named checkbox.

--
Good luck.


Re: Reading Universal Password on Filtered Replica

> There is no value in excluding certain options; 'Packet Dump' as an option
> on the trace/screen options window has not done anything additional for
> years, so just select all checkboxes as it's easier to remember all rather
> than all minus one arbitrarily-named checkbox.



When was the last time it ACTUALLY did a packet dump in LDAP trace? Not
since the early NetWare days, I think.

This is a bitmask field anyway, so probably easier to leave it there
than to remove it from the UI.

Jeff Bate

Re: Reading Universal Password on Filtered Replica


Yes, all LDAP trace options are turned on. I had looked into that
-603 as well. It happens at the same place when I did the same
request against a normal R/W replica. Here's the ABUF for the -603:

3972040448 AREQ: [2015/11/17 14:11:56.9] DEBUG: Calling DSARead conn:0
for client .server.utility.tree.TREE.
3972040448 ABUF: [2015/11/17 14:11:56.10] DEBUG: Request - (78)
0000 02 00 00 00 88 00 00 00 FF FF FF FF 66 80 00 00 ............f...
0010 01 00 00 00 00 00 00 00 02 00 00 00 22 00 00 00 ............"...
0020 6D 00 61 00 73 00 76 00 44 00 65 00 66 00 61 00 m.a.s.v.D.e.f.a.
0030 75 00 6C 00 74 00 52 00 61 00 6E 00 67 00 65 00 u.l.t.R.a.n.g.e.
0040 00 00 00 00 28 00 00 00 6D 00 61 00 73 00 76 00 ....(...m.a.s.v.
0050 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 7A 00 A.u.t.h.o.r.i.z.
0060 65 00 64 00 52 00 61 00 6E 00 67 00 65 00 00 00 e.d.R.a.n.g.e...
0070 00 00 00 00 00 00 00 00 ........

3972040448 ABUF: [2015/11/17 14:11:56.10] DEBUG: Reply - (0)
3972040448 AREQ: [2015/11/17 14:11:56.10] DEBUG: DSARead failed, no such
attribute (-603).


I already tried adding all the masv* attributes to the filter. Didn't
make any difference. Any other ideas?

Thanks,

Jeff


--
jeffbate
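The ABUF dump in the post is readable in the right-hand column, but a longer request buffer is easier to check with a decoder. The script below is an added example, not code from the post or from NetIQ. It rebuilds the raw bytes from the offset/hex/ASCII lines (verifying that the offsets are contiguous, so a mis-read line is caught), then recovers the attribute names in two ways: a heuristic scan for UTF-16LE text, and a structured read of the count/length layout that is visible in this particular dump. That layout (a u32 count, then per entry a u32 byte length, the UTF-16LE text with its terminator, and padding to a 4-byte boundary) is an inference from this one buffer, not a documented format; the function names are my own, and the sample input is the dump from the post.

```python
import re

# The ABUF dump from the post, embedded as sample input. The two trace header
# lines are included to show that the parser skips them.
SAMPLE_ABUF = """\
3972040448 ABUF: [2015/11/17 14:11:56.10] DEBUG: Request - (78)
0000 02 00 00 00 88 00 00 00 FF FF FF FF 66 80 00 00 ............f...
0010 01 00 00 00 00 00 00 00 02 00 00 00 22 00 00 00 ............"...
0020 6D 00 61 00 73 00 76 00 44 00 65 00 66 00 61 00 m.a.s.v.D.e.f.a.
0030 75 00 6C 00 74 00 52 00 61 00 6E 00 67 00 65 00 u.l.t.R.a.n.g.e.
0040 00 00 00 00 28 00 00 00 6D 00 61 00 73 00 76 00 ....(...m.a.s.v.
0050 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 7A 00 A.u.t.h.o.r.i.z.
0060 65 00 64 00 52 00 61 00 6E 00 67 00 65 00 00 00 e.d.R.a.n.g.e...
0070 00 00 00 00 00 00 00 00 ........
3972040448 ABUF: [2015/11/17 14:11:56.10] DEBUG: Reply - (0)
"""

HEX_OFFSET = re.compile(r"[0-9A-Fa-f]{4}")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from an ABUF dump laid out as '<offset> <up to 16 byte pairs> <ascii>'."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not HEX_OFFSET.fullmatch(tokens[0]):
            continue  # trace header lines such as "Request - (78)"
        if int(tokens[0], 16) != len(out):
            # Offsets must be contiguous; an over- or under-read line shows up here.
            raise ValueError(f"offset {tokens[0]} does not follow {len(out):04X}")
        for tok in tokens[1:17]:
            if not HEX_BYTE.fullmatch(tok):
                break  # first non-hex token is the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def utf16le_strings(data: bytes, min_chars: int = 4) -> list:
    """Heuristic scan: runs of printable ASCII stored as UTF-16LE pairs (char, 0x00) at even offsets."""
    found, i = [], 0
    while i + 1 < len(data):
        j, chars = i, []
        while j + 1 < len(data) and 0x20 <= data[j] < 0x7F and data[j + 1] == 0:
            chars.append(chr(data[j]))
            j += 2
        if len(chars) >= min_chars:
            found.append("".join(chars))
            i = j
        else:
            i += 2
    return found


def parse_counted_strings(data: bytes, offset: int) -> list:
    """Structured read of the layout seen in this dump (an inference, not a documented format):
    u32 count, then per entry a u32 byte length and that many bytes of UTF-16LE text
    (terminator included), each entry padded to a 4-byte boundary."""
    count = int.from_bytes(data[offset:offset + 4], "little")
    pos = offset + 4
    names = []
    for _ in range(count):
        size = int.from_bytes(data[pos:pos + 4], "little")
        pos += 4
        names.append(data[pos:pos + size].decode("utf-16-le").rstrip("\x00"))
        pos += size
        pos = (pos + 3) & ~3  # align to the next 4-byte boundary
    return names


if __name__ == "__main__":
    raw = hexdump_to_bytes(SAMPLE_ABUF)
    # The "(78)" in the header appears to be the byte count in hex: 0x78 == 120 bytes.
    print(len(raw), "bytes")
    print("scan     :", utf16le_strings(raw))
    print("structured:", parse_counted_strings(raw, 0x18))
```

Both readers return the same two names, masvDefaultRange and masvAuthorizedRange, which are the attributes the failing DSARead asked for; the heuristic scan is the safer tool on a buffer whose layout you have not confirmed, and the structured reader is only as good as the layout assumption.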


Re: Reading Universal Password on Filtered Replica


Nope, sorry.

If it was me I would open a Service Request to get it figured out.

Cheers


--
joakim_ganse
