https://bugs.openldap.org/show_bug.cgi?id=10383

          Issue ID: 10383
           Summary: slapd-meta ignores olcDbIDAssertBind if olcDbURI
                    defined after it
           Product: OpenLDAP
           Version: 2.6.9
          Hardware: x86_64
                OS: Linux
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Hi,

We are using slapd-meta to connect an OpenLDAP server to another external LDAP
server and it works well on first configuration.

However, if we want to update any info, e.g. the external LDAP URI, we must
replace the olcDbURI attribute. This means that the ordering of the attributes
changes and this attribute is now defined after olcDbIDAssertBind.

Didn't think this would be important, but after this change the "meta"
connection stops working and upon enabling debugging I can see that the
external LDAP server is responding with:

"ldap_bind: Inappropriate authentication (48)
        additional info: Anonymous Simple Bind Disabled"

This seems to imply that the olcDbIDAssertBind attribute is being ignored,
likely due to being defined before olcDbURI (my assumption).

Is this intended? If so, what can we do to mitigate this problem? 
Do we need to perform a replace on all attributes of the object to ensure
correct ordering, or is there any way to perform an in-place attribute
modification without making it shift its position in the object?

Example:

First configuration (OK):

# {0}uri, {2}meta, config
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
--> olcDbURI: ldap://REDACTED/ou=users,REDACTED  
olcDbIDAssertBind: bindmethod=simple starttls=yes tls_reqcert=demand
binddn="REDACTED" credentials="REDACTED"
olcDbRewrite: {0}suffixmassage REDACTED REDACTED
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 100000
olcDbCancel: abandon

After URI update (NOK):

# {0}uri, {2}meta, config
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbIDAssertBind: bindmethod=simple starttls=yes tls_reqcert=demand
binddn="REDACTED" credentials="REDACTED"
olcDbRewrite: {0}suffixmassage REDACTED REDACTED
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 100000
olcDbCancel: abandon
--> olcDbURI: ldap://REDACTED/ou=users,REDACTED  

The olcDbURI attribute is shifted to the bottom after a modify operation, and
seems to cause these issues.

Best Regards,
David
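
A check for the attribute ordering described in this report, added here as an example and not code from the reporter or the OpenLDAP project: it reads cn=config LDIF (for example saved slapcat or ldapsearch output) and lists the meta targets where olcDbIDAssertBind appears before olcDbURI. The sample entries, host names and the function names parse_entries and misordered_targets are constructed for illustration; whether this ordering is the actual cause remains the reporter's assumption.

```python
# Constructed sample (not from the report): one target in each ordering.
SAMPLE_LDIF = """\
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: ldap://ldap.example.test/ou=users,dc=example,dc=test
olcDbIDAssertBind: bindmethod=simple starttls=yes tls_reqcert=demand
  binddn="cn=proxy,dc=example,dc=test" credentials="PLACEHOLDER"

dn: olcMetaSub={1}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {1}uri
olcDbIDAssertBind: bindmethod=simple starttls=yes tls_reqcert=demand
  binddn="cn=proxy,dc=example,dc=test" credentials="PLACEHOLDER"
olcDbCancel: abandon
olcDbURI: ldap://ldap.example.test/ou=users,dc=example,dc=test
"""

def parse_entries(ldif):
    """Return entries as ordered lists of (lowercased attr, value) pairs."""
    entries, current = [], []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and current:    # LDIF folded continuation line
            attr, value = current[-1]
            current[-1] = (attr, value + raw[1:])
        elif not raw.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = []
        elif not raw.startswith("#"):          # skip comment lines
            attr, _, value = raw.partition(":")
            current.append((attr.strip().lower(), value.lstrip(": ")))
    if current:
        entries.append(current)
    return entries

def misordered_targets(ldif):
    """DNs of entries where olcDbIDAssertBind precedes olcDbURI."""
    flagged = []
    for entry in parse_entries(ldif):
        names = [attr for attr, _ in entry]
        if ("olcdbidassertbind" in names and "olcdburi" in names
                and names.index("olcdbidassertbind") < names.index("olcdburi")):
            flagged.append(dict(entry)["dn"])
    return flagged

if __name__ == "__main__":
    for dn in misordered_targets(SAMPLE_LDIF):
        print("olcDbIDAssertBind defined before olcDbURI:", dn)
```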
