On 2 Sep 2013, at 04:15 PM, Howard Chu <[email protected]> wrote:

> [email protected] wrote:
>> Full_Name: Matt Hamilton
>> Version: 2.4.36
>> OS: Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (213.133.64.253)
>>
>>
>> I am using the meta backend to query multiple LDAP (AD) backends. This is to
>> consolidate several directories in different departments into one. We attempt
>> both simple binds with username/password and also anon binds to look up user
>> information.
>
> That doesn't make much sense, since AD disallows anonymous Binds.

Sorry, I wasn't clear. I mean we do both anon and simple binds to OpenLDAP. Hence why the config has credentials in it to use against the backends if not supplied by the client.

>> At the moment, trying to do an authenticated simple bind to slapd caused an
>> Operational Error to be propagated to the client regardless of the setting of
>> 'onerr'. Even when a result is successfully found. This is due to one server
>> in the backend succeeding and the other returning an operational error due to
>> an invalid bind (as would be expected as the credentials supplied from the
>> client will only work with one of the backends).
>>
>> Looking at servers/slapd/back-meta/search.c at around line 1903 it appears
>> that the code is not checking for 'Operational Error' as a specific case above
>> and so uses the default case (line 1665). Hence sres is set to 'Operational
>> Error' too at line 1934.
>
> back-meta/search.c has nothing to do with Binds. Not sure what you're trying
> to demonstrate there.

I'm not talking about binds there. I'm talking about errors being propagated.

-Matt

>>
>> The server should be changing this to LDAP_SUCCESS somewhere in that logic
>> unless META_BACK_ONERR_REPORT.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
