I've been trying to set up a filtered replica for our FreeRadius server
to use. I've got a full replica of the root partition which includes
the Security container. I have a filtered replica of my users container
which includes User and ndsLoginProperties with all attributes for both
in the filter. I have checked the box in the filter to allow local
login. I have also checked the box to tell LDAP to provide results from
the local filtered replica. This all works great for normal searches
and binds and I have verified with ndstrace that these requests are
being serviced locally on the box.

The problem comes when I try to read the Universal Password on an object
in the filtered replica. This is done by way of a call to
nmasldap_get_password() which is the same function FreeRadius uses to
get the password. Ndstrace shows this:

15263488 LDAP: [2015/11/17 14:11:56.164] INFO: DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13 (NMAS Get Password Request)
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Begin-> DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Starting to walk from initial connection
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 AREQ: [2015/11/17 14:11:56.170] DEBUG: Calling DSARead conn:0 for client .server.utility.tree.TREE.
15263488 AREQ: [2015/11/17 14:11:56.170] DEBUG: DSARead failed, no such attribute (-603).
15263488 AREQ: [2015/11/17 14:11:56.170] DEBUG: Calling DSAResolveName conn:52 for client .admin.tree.TREE.
15263488 RSLV: [2015/11/17 14:11:56.170] INFO: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Responding with referrals.
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Starting to process 4 received addresses:
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: -> tcp:xxx.xxx.xx7.154:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: -> tcp:xxx.xxx.xx7.156:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: -> tcp:xxx.xxx.xx7.153:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: -> tcp:xxx.xxx.xx7.155:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: (1)Trying to connect. tries = 1
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: TryConnection returning -779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End---> DCResolveWithConstraint err = -779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Connect to tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Begin-> DCResolveWithConstraint context = 397f0004
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Begin using RN cache \CN=admin\O=tree\TREE\
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End using RN cache tag 1, succeeded
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Starting to walk from initial connection
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Resolving v3, \CN=admin\O=tree\TREE\
15263488 AREQ: [2015/11/17 14:11:56.180] DEBUG: Calling DSAResolveName conn:4 for client .[Public].
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Resolving \CN=admin\O=tree\TREE\, flags 00014004.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Respond with local entry succeeded.
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: ------> tag = 6
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: ------> id = 00008066
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End---> DCResolveWithConstraint err = 0
15263488 AREQ: [2015/11/17 14:11:56.180] DEBUG: Calling DSAReadObjectInfo conn:4 for client .[Public].
15263488 AREQ: [2015/11/17 14:11:56.181] DEBUG: Calling DSARead conn:4 for client .[Public].
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Connect to tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Connect to tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Connect to tcp:xxx.xxx.xx8.156:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Begin-> DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Begin using RN cache \TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: End using RN cache tag 6, succeeded
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Starting to walk from initial connection
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 AREQ: [2015/11/17 14:11:56.181] DEBUG: Calling DSAResolveName conn:356 for client .admin.tree.TREE.
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Responding with referrals.
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Starting to process 4 received addresses:
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: -> tcp:xxx.xxx.xx7.153:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: -> tcp:xxx.xxx.xx7.156:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: -> tcp:xxx.xxx.xx7.155:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] INFO: -> tcp:xxx.xxx.xx7.154:524 600
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: (1)Trying to connect. tries = 1
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Connect to tcp:xxx.xxx.xx7.153:524 succeeded (NOT local server)
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: ------> tag = 6
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: ------> id = 000213A6
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: End---> DCResolveWithConstraint err = 0
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: Connect to tcp:xxx.xxx.xx7.153:524 succeeded (NOT local server)
15263488 RSLV: [2015/11/17 14:11:56.186] DEBUG: Begin-> DCResolveWithConstraint context = 397f000d
15263488 RSLV: [2015/11/17 14:11:56.186] DEBUG: Starting to walk from initial connection
15263488 RSLV: [2015/11/17 14:11:56.186] DEBUG: Resolving v2, non-text
15263488 RSLV: [2015/11/17 14:11:56.187] DEBUG: ------> tag = 6
15263488 RSLV: [2015/11/17 14:11:56.187] DEBUG: ------> id = 0000806D
15263488 RSLV: [2015/11/17 14:11:56.187] DEBUG: End---> DCResolveWithConstraint err = 0
15263488 AREQ: [2015/11/17 14:11:56.261] DEBUG: Calling DS Ping conn:356 for client .admin.tree.TREE.
15263488 NMAS: [2015/11/17 14:11:56.295] INFO: NMAS Audit with Audit PA not installed
15263488 NMAS: [2015/11/17 14:11:56.295] INFO: NMAS Audit with XDAS not installed
15263488 LDAP: [2015/11/17 14:11:56.295] INFO: Sending operation result 0:"":"" to connection 0xfde9f880

I have verified that with a normal R/W replica of the users container,
everything stays local. Interestingly, it appears that the name
resolutions with flags 00004044 are the ones that go off server. Any
ideas how I can make this NMAS call stay local to the server?

Thanks,

Jeff


--
jeffbate
------------------------------------------------------------------------
jeffbate's Profile: https://forums.netiq.com/member.php?userid=1572
View this thread: https://forums.netiq.com/showthread.php?t=54696
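Added example (not code from the post above, nor from NetIQ or FreeRadius): a small ndstrace post-processor that does mechanically what the poster did by eye, grouping the RSLV lines into DCResolveWithConstraint blocks and flagging which ones were answered by referral or by a connection marked "NOT local server", together with the resolve flags and the LDAP extended operation in flight. The sample trace is constructed from the excerpt in the post, with RFC 5737 placeholder addresses in place of the redacted ones; the record layout and regexes are assumptions based on that excerpt, not a documented ndstrace grammar.

```python
"""Classify each DCResolveWithConstraint block in an ndstrace capture as
served locally or sent off-server. Added example; not code from the post
above or from NetIQ/eDirectory itself."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample modelled on the trace in the post. Addresses are
# RFC 5737 placeholders; each ndstrace record is a single line.
SAMPLE_TRACE = r"""
15263488 LDAP: [2015/11/17 14:11:56.164] INFO: DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13 (NMAS Get Password Request)
15263488 RSLV: [2015/11/17 14:11:56.170] DEBUG: Begin-> DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.170] INFO: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Responding with referrals.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: -> tcp:192.0.2.154:524 600
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: TryConnection returning -779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End---> DCResolveWithConstraint err = -779
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Connect to tcp:192.0.2.56:524 succeeded (local server)
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: Begin-> DCResolveWithConstraint context = 397f0004
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Resolving \CN=admin\O=tree\TREE\, flags 00014004.
15263488 RSLV: [2015/11/17 14:11:56.180] INFO: Respond with local entry succeeded.
15263488 RSLV: [2015/11/17 14:11:56.180] DEBUG: End---> DCResolveWithConstraint err = 0
15263488 RSLV: [2015/11/17 14:11:56.181] DEBUG: Begin-> DCResolveWithConstraint context = 397f0016
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Resolving \TREE\O=tree\OU=people\OU=users\CN=dilbert, flags 00004044.
15263488 RSLV: [2015/11/17 14:11:56.181] INFO: Responding with referrals.
15263488 RSLV: [2015/11/17 14:11:56.182] DEBUG: Connect to tcp:192.0.2.153:524 succeeded (NOT local server)
15263488 RSLV: [2015/11/17 14:11:56.183] DEBUG: End---> DCResolveWithConstraint err = 0
"""

# Patterns are assumptions derived from the excerpt, not an official format.
OP_RE = re.compile(r"DoExtended: Extension Request OID: ([\d.]+) \((.+?)\)")
BEGIN_RE = re.compile(r"Begin-> DCResolveWithConstraint context = ([0-9a-fA-F]+)")
END_RE = re.compile(r"End---> DCResolveWithConstraint err = (-?\d+)")
RESOLVE_RE = re.compile(r"INFO: Resolving (.+?), flags ([0-9A-Fa-f]+)\.")
REFERRAL_RE = re.compile(r"Responding with referrals")
LOCAL_RE = re.compile(r"Respond with local entry succeeded")
CONNECT_RE = re.compile(r"Connect to (tcp:\S+) succeeded \((NOT local server|local server)\)")


@dataclass
class Resolve:
    context: str
    operation: Optional[str]              # LDAP extended op in flight, if any
    dn: Optional[str] = None
    flags: Optional[str] = None
    referred: bool = False                # "Responding with referrals"
    local_entry: bool = False             # "Respond with local entry succeeded"
    remote_servers: List[str] = field(default_factory=list)
    err: Optional[int] = None

    @property
    def stayed_local(self) -> bool:
        return self.local_entry and not self.referred and not self.remote_servers


def parse_resolves(trace: str) -> List[Resolve]:
    """Walk the trace and build one Resolve per Begin->/End---> block."""
    resolves: List[Resolve] = []
    current: Optional[Resolve] = None
    operation: Optional[str] = None
    for line in trace.splitlines():
        m = OP_RE.search(line)
        if m:
            operation = m.group(2)        # label following blocks with this op
            continue
        m = BEGIN_RE.search(line)
        if m:
            current = Resolve(context=m.group(1), operation=operation)
            resolves.append(current)
            continue
        if current is None:
            continue                      # connects between blocks are not attributed
        m = RESOLVE_RE.search(line)
        if m:
            current.dn, current.flags = m.group(1), m.group(2).upper()
            continue
        if REFERRAL_RE.search(line):
            current.referred = True
            continue
        if LOCAL_RE.search(line):
            current.local_entry = True
            continue
        m = CONNECT_RE.search(line)
        if m and m.group(2) == "NOT local server":
            current.remote_servers.append(m.group(1))
            continue
        m = END_RE.search(line)
        if m:
            current.err = int(m.group(1))
            current = None
    return resolves


def flags_that_leave_server(trace: str) -> Set[str]:
    """Resolve flag words seen on blocks that were not answered locally."""
    return {r.flags for r in parse_resolves(trace) if r.flags and not r.stayed_local}


def report(trace: str) -> str:
    lines = []
    for r in parse_resolves(trace):
        if r.stayed_local:
            where = "local"
        else:
            where = "OFF-SERVER via " + (", ".join(r.remote_servers) or "referral (no connection)")
        lines.append(f"ctx {r.context} [{r.operation or '-'}] {r.dn} flags={r.flags} err={r.err}: {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Run it against a real `ndstrace` capture (with the LDAP, RSLV and AREQ tags enabled) by replacing SAMPLE_TRACE with the file contents; on the sample it reports the two 00004044 resolves of CN=dilbert as off-server and the 00014004 resolve of CN=admin as local, which is the pattern the post describes.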