Full_Name: Neil Garratt
Version: 2.4.14
OS: Centos 5.2
URL:
Submission from: (NULL) (196.35.158.180)

I'm testing OpenLDAP 2.4.14 on Centos 5.2, used as a reverse proxy to AD. When slapd is run with debugging disabled (or set to 0), search requests throw the following error:

    DSID-0C090627: In order to perform this operation a successful bind must be completed on the connection.

When run with any other debug value, it returns the results correctly. In both cases, the logs show a successful bind with the acl-bind user, the search finds the correct result, and acl's show access granted to read. The only difference is what is returned.

If I hammer the requests through, I do occasionally get the correct answer when using -d 0, and I also occasionally get the error with -d 1.

http://www.nu.co.za/slapd/slapd.conf
http://www.nu.co.za/slapd/d0-ldapsearch.txt
http://www.nu.co.za/slapd/d0-slapdlog.txt
http://www.nu.co.za/slapd/d1-ldapsearch.txt
http://www.nu.co.za/slapd/d1-slapdlog.txt

The d0 files are from slapd started with -d 0 (failing)
The d1 files are from slapd started with -d 1 (working)
ngarratt@gmail.com wrote:
> I'm testing OpenLDAP 2.4.14 on Centos 5.2, used as a reverse proxy to AD. When
> slapd is run with debugging disabled (or set to 0), search requests throw the
> following error:
>
> DSID-0C090627: In order to perform this operation a successful bind must be
> completed on the connection.
>
> When run with any other debug value, it returns the results correctly. In both
> cases, the logs show a successful bind with the acl-bind user, the search finds
> the correct result, and acl's show access granted to read. The only difference
> is what is returned.
>
> If I hammer the requests through, I do occasionally get the correct answer when
> using -d 0, and I also occasionally get the error with -d 1.
>
> http://www.nu.co.za/slapd/slapd.conf
> http://www.nu.co.za/slapd/d0-ldapsearch.txt
> http://www.nu.co.za/slapd/d0-slapdlog.txt
> http://www.nu.co.za/slapd/d1-ldapsearch.txt
> http://www.nu.co.za/slapd/d1-slapdlog.txt
>
> The d0 files are from slapd started with -d 0 (failing)
> The d1 files are from slapd started with -d 1 (working)

The problem seems to be not so repeatable. First of all, the right response is the error, since it fails while chasing referrals, and you didn't instruct it to chase referrals with authentication. Moreover, I've set up a system that mimics your setup, and the host containing the referred object is always returning the error, but the proxy is presenting it only occasionally. So the proxy's behavior looks erratic, and this is a bug, but your configuration looks broken.

I'll look at the bug; in the meanwhile, you may want to fix your configuration by adding

    chase-referrals no

    overlay chain
    chain-uri <the referred URI with no DN>
    chain-idassert-bind <info to allow proxyauthz of users>
    # ...

See slapo-chain for details. Another option is to use

    chase-referrals no
    rebind-as-user yes

but I suspect it's broken and, in any case, it does not allow you to control what hosts are actually given the user's credentials, or to proxyauthz as.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
changed notes
> I'll look at the bug; in the meanwhile, you may want to fix your
> configuration by adding
>
>     chase-referrals no
>
>     overlay chain
>     chain-uri <the referred URI with no DN>
>     chain-idassert-bind <info to allow proxyauthz of users>
>     # ...
>
> See slapo-chain for details. Another option is to use
>
>     chase-referrals no
>     rebind-as-user yes
>

Thanks Pierangelo

The fact that it worked under debug mode was throwing me off. Referrals have been fixed and it's working as expected now.

Neil
erratic behavior chasing referrals; libldap?
moved from Incoming to Software Bugs
suspending, need valid configs and more detailed information about underlying issue.
likely also already fixed in 2.5