[email protected] wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.44
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.26)
>
>
> When slapo-pcache is set up to use the user credentials for binding, the first
> bind will succeed accordingly, but subsequent binds will fall back to
> anonymous,
> as slapd logs that the credentials are not found:
>
> 58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni
> association,ou=people,dc=example,dc=com" without creds, binding
> anonymouslyldap_sasl_bind
>
>
> This is trivial to reproduce by making a slight modification to
> test020-proxycache:
>
> index f4e5cb7..105b911 100755
> --- a/tests/scripts/test020-proxycache
> +++ b/tests/scripts/test020-proxycache
> @@ -645,6 +645,22 @@ if test $RC != 4 ; then
> test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
> exit 1
> fi
> +
> +CNT=`expr $CNT + 1`
> +FILTER="(sn=Jon)"
> +ATTRS="cn mail telephonenumber"
> +echo "Query $CNT: (Result should not be cached)"
> +echo "# Query $CNT: (Result should not be cached)" >> $SEARCHOUT
> +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \
> + -D "$USERDN" -w "$UPASSWD" "$FILTER" $ATTRS >> $SEARCHOUT 2>> $TESTOUT
> +RC=$?
> +
> +if test $RC != 0 ; then
> + echo "ldapsearch failed ($RC)!"
> + test $KILLSERVERS != no && kill -HUP $KILLPIDS
> + exit $RC
> +fi
> +
>
>
> The error test case isn't useful here, but slapd.2.log can be examined to see
> the behavior.
>
> It appears that there's a problem with this block of code in back-ldap/bind.c,
> that starts at line 2489 in RE24:
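Review bot: the added query in the test020-proxycache hunk cannot fail on the behaviour being reported: ldapsearch returns 0 whether back-ldap bound to the remote as $USERDN or fell back to an anonymous bind, so the `if test $RC != 0 ; then` check after `RC=$?` passes in both cases, and the "Result should not be cached" text is only echoed, never asserted. To make the test detect the problem, check slapd.2.log after the query for the "without creds, binding anonymously" message (or compare the search output against a known-good ldif as the other queries in this script do) and exit non-zero when it is present.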
This title is misleading. slapo-pcache doesn't forget anything. The point is that when slapo-pcache is configured to cache Binds, if a Bind is answerable from the cache then pcache answers it and the underlying backend doesn't ever see the Bind request. slapo-pcache is working as designed.

back-ldap is also working as designed, in test020. In particular, it cannot do an authenticated connection to the remote backend unless you configure proxyAuthz or rebind-as-user and neither of those are set in the test020 config. Without either of these possibilities for providing authentication/authorization, it of course must connect anonymously to the remote.

Also rebind-as-user won't work here since back-ldap only caches those credentials for the duration of one session. So, the only method that will work is to use proxyAuthz.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
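As an added illustration of the configuration the reply points to (written for this page; not taken from the ITS, from the project's test020 script, or from any OpenLDAP documentation): a back-ldap proxy fronted by slapo-pcache that caches Binds and reaches the remote through proxyAuthz, i.e. the idassert-* directives of slapd-ldap(5), so that requests the remote does see carry the user's identity instead of arriving anonymously. The hostname, DNs, credentials, database directory, pcache sizing numbers and template filters are placeholders chosen here; the remote server must separately allow the proxy account to authorize as the users it proxies (authzTo on the remote entry together with an authz-policy that permits it), otherwise the asserted identity is refused.

```conf
# Added example slapd.conf fragment (placeholder names throughout).
# Proxy database: everything under dc=example,dc=com is served from the remote.
database        ldap
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
uri             "ldap://remote.example.com:389/"

# proxyAuthz: back-ldap binds to the remote as a fixed proxy account and asserts
# the client's identity on each operation with the proxied authorization control.
# This is the method the reply says works with cached Binds, because it needs
# neither the user's credentials nor a Bind that the remote has seen.
# Continuation lines must start with whitespace.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="proxy-secret"
                mode=self
# Only identities under ou=people may be asserted through the proxy account.
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

# rebind-as-user only reuses the user's credentials for the session in which
# the Bind was performed, so it does not help once pcache answers the Bind
# locally; left disabled here for that reason.
# rebind-as-user  yes

# Proxy cache on top of the ldap database. Arguments: local cache database type,
# max cached entries, number of attribute sets, entry limit per query,
# consistency-check period in seconds (values are illustrative).
overlay         pcache
pcache          mdb 10000 1 50 100
pcacheAttrset   0 cn mail telephonenumber
# Search results matching this template are cached for 3600 seconds.
pcacheTemplate  (sn=) 0 3600
# Simple Binds whose DN matches the template are answered from the cache for
# 3600 seconds after the first successful Bind reached the remote.
pcacheBind      (uid=) 0 3600 sub ou=people,dc=example,dc=com

# Backend-specific directives for the local cache database.
directory       ./proxycache-db
index           objectClass eq
```

With this in place the first Bind from a user still travels to the remote; later Binds within the ttr are answered by pcache and the remote never sees them, exactly as the reply describes. Searches that are not cache hits go out on the proxy account's connection with the user's DN asserted, so the remote applies its ACLs as that user rather than as anonymous. The remote side needs something like `authz-policy to` and an `authzTo: dn.subtree:ou=people,dc=example,dc=com` value on cn=proxy,dc=example,dc=com; without that, the proxied authorization control is rejected and the operation fails instead of silently running anonymously.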
