
(ITS#3721) back-ldap/back-meta err=4 with saslauthd openldap 2.2.26



Full_Name: Andrew Reilly
Version: 2.2.26
OS: RH Linux ES 3.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (209.167.159.20)


When I point saslauthd directly at an openldap directory, whether it is a master
or a slave, it works, but if I point it at a back-ldap instance the result is an
err=4.  Now, from my reading, err=4 occurs when a search exceeds the configured
number of returns, but the search being performed by saslauthd only returns one
entry.  If I perform the exact same search via ldapsearch against the ldap-back
instance it works.  I have tested against 2.2.23 and 2.2.26.  The log files
listed below are from @(#) $OpenLDAP: slapd 2.2.26 (May  6 2005 11:18:53) $

A saslauthd query:

May 12 11:36:11 lnx-build slapd[19281]: conn=0 fd=10 ACCEPT from
IP=192.75.93.53:42290 (IP=192.75.93.41:389) 
May 12 11:36:11 lnx-build slapd[19281]: connection_get(10) 
May 12 11:36:11 lnx-build slapd[19281]: conn=0 op=0 BIND dn="" method=128 
May 12 11:36:11 lnx-build slapd[19281]: send_ldap_result: err=0 matched=""
text="" 
May 12 11:36:11 lnx-build slapd[19281]: conn=0 op=0 RESULT tag=97 err=0 text= 
May 12 11:36:11 lnx-build slapd[19281]: connection_get(10) 
May 12 11:36:11 lnx-build slapd[19281]: SRCH "dc=tor,dc=company,dc=com" 2 0
May 12 11:36:11 lnx-build slapd[19281]:     1 5 0 
May 12 11:36:11 lnx-build slapd[19281]:     filter: (uid=user) 
May 12 11:36:11 lnx-build slapd[19281]:     attrs:
May 12 11:36:11 lnx-build slapd[19281]:  
May 12 11:36:11 lnx-build slapd[19281]: conn=0 op=1 SRCH
base="dc=tor,dc=alias,dc=com" scope=2 deref=0 filter="(uid=user)" 
May 12 11:36:11 lnx-build slapd[19281]: query template of incoming query =
(uid=) 
May 12 11:36:11 lnx-build slapd[19281]: QUERY NOT ANSWERABLE 
May 12 11:36:11 lnx-build slapd[19281]: QUERY NOT CACHEABLE 
May 12 11:36:11 lnx-build slapd[19281]: [rw] searchBase:
"dc=tor,dc=company,dc=com" -> "dc=tor,dc=company,dc=com" 
May 12 11:36:11 lnx-build slapd[19281]: [rw] searchResult:
"uid=user,ou=People,dc=tor,dc=company,dc=com" ->
"uid=user,ou=People,dc=tor,dc=company,dc=com" 
May 12 11:36:11 lnx-build slapd[19281]: [rw] searchAttrDN: "active" -> "active"

May 12 11:36:11 lnx-build slapd[19281]: [rw] searchAttrDN:
"0000000000000000000000000000000000000000000000000000000000000000" ->
"0000000000000000000000000000000000000000000000000000000000000000" 
May 12 11:36:11 lnx-build slapd[19281]: [rw] searchAttrDN:
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ->
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 
May 12 11:36:11 lnx-build slapd[19281]: send_ldap_result: err=4 matched=""
text="" 
May 12 11:36:11 lnx-build slapd[19281]: conn=0 op=1 SEARCH RESULT tag=101 err=4
nentries=1 text= 

A command line query of the same parameters:

May 12 11:42:54 lnx-build slapd[19281]: conn=1 fd=12 ACCEPT from
IP=192.75.20.195:51578 (IP=192.75.93.41:389) 
May 12 11:42:54 lnx-build slapd[19281]: connection_get(12) 
May 12 11:42:54 lnx-build slapd[19281]: conn=1 op=0 BIND dn="" method=128 
May 12 11:42:54 lnx-build slapd[19281]: send_ldap_result: err=0 matched=""
text="" 
May 12 11:42:54 lnx-build slapd[19281]: conn=1 op=0 RESULT tag=97 err=0 text= 
May 12 11:42:54 lnx-build slapd[19281]: connection_get(12) 
May 12 11:42:54 lnx-build slapd[19281]: SRCH "dc=tor,dc=company,dc=com" 2 0
May 12 11:42:54 lnx-build slapd[19281]:     0 0 0 
May 12 11:42:54 lnx-build slapd[19281]:     filter: (uid=areilly) 
May 12 11:42:54 lnx-build slapd[19281]:     attrs:
May 12 11:42:54 lnx-build slapd[19281]:  
May 12 11:42:54 lnx-build slapd[19281]: conn=1 op=1 SRCH
base="dc=tor,dc=company,dc=com" scope=2 deref=0 filter="(uid=user)" 
May 12 11:42:54 lnx-build slapd[19281]: query template of incoming query =
(uid=) 
May 12 11:42:54 lnx-build slapd[19281]: QUERY NOT ANSWERABLE 
May 12 11:42:54 lnx-build slapd[19281]: QUERY NOT CACHEABLE 
May 12 11:42:54 lnx-build slapd[19281]: [rw] searchBase:
"dc=tor,dc=company,dc=com" -> "dc=tor,dc=company,dc=com" 
May 12 11:42:54 lnx-build slapd[19281]: [rw] searchResult:
"uid=user,ou=People,dc=tor,dc=company,dc=com" ->
"uid=user,ou=People,dc=tor,dc=company,dc=com" 
May 12 11:42:54 lnx-build slapd[19281]: [rw] searchAttrDN: "active" -> "active"

May 12 11:42:54 lnx-build slapd[19281]: [rw] searchAttrDN:
"0000000000000000000000000000000000000000000000000000000000000000" ->
"0000000000000000000000000000000000000000000000000000000000000000" 
May 12 11:42:54 lnx-build slapd[19281]: [rw] searchAttrDN:
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ->
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" 
May 12 11:42:54 lnx-build slapd[19281]: send_ldap_result: err=0 matched=""
text="" 
May 12 11:42:54 lnx-build slapd[19281]: conn=1 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text= 
May 12 11:42:54 lnx-build slapd[19281]: connection_get(12) 
May 12 11:42:54 lnx-build slapd[19281]: conn=1 op=2 UNBIND 
May 12 11:42:54 lnx-build slapd[19281]: conn=1 fd=12 closed 

ldapsearch command and results:

ldapsearch -x -h "lnx-build.tor.company.com" -b "dc=tor,dc=company,dc=com"
uid=user
# extended LDIF
#
# LDAPv3
# base <dc=tor,dc=company,dc=com> with scope sub
# filter: uid=user
# requesting: ALL
#

# user, People, tor.company.com
dn: uid=user,ou=People,dc=tor,dc=company,dc=com

saslauthd logs in debug mode (excuse the time differences, the servers are not
synced):

May 12 11:51:07 lnx-dev saslauthd: saslauthd[27437] :rel_accept_lock : released
accept lock
May 12 11:51:07 lnx-dev saslauthd: saslauthd[27439] :get_accept_lock : acquired
accept lock
May 12 11:51:07 lnx-dev saslauthd[27437]: ldap_search_st() failed: Size limit
exceeded
May 12 11:51:07 lnx-dev saslauthd[27437]: do_auth         : auth failure:
[user=user] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
May 12 11:51:07 lnx-dev saslauthd: saslauthd[27437] :do_auth         : auth
failure: [user=user] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
May 12 11:51:07 lnx-dev saslauthd: saslauthd[27437] :do_request      : response:
NO

saslauthd.conf:

ldap_servers: ldap://lnx-build.tor.company.com/
ldap_search_base: dc=tor,dc=company,dc=com
ldap_auth_method: bind
ldap_filter: uid=%U
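
Added example, not part of the original report or of OpenLDAP: a Python sketch that pairs each slapd search debug block with its SEARCH RESULT line so the saslauthd query and the ldapsearch query can be compared side by side. It assumes the three bare integers logged after each SRCH debug line are the client's size limit, time limit and attrsOnly flag; the sample log is constructed from the lines above, unwrapped and trimmed.

```python
import re

# Constructed sample: lines taken from the report above, unwrapped and trimmed.
SAMPLE_LOG = """\
May 12 11:36:11 lnx-build slapd[19281]: SRCH "dc=tor,dc=company,dc=com" 2 0
May 12 11:36:11 lnx-build slapd[19281]:     1 5 0
May 12 11:36:11 lnx-build slapd[19281]: conn=0 op=1 SRCH base="dc=tor,dc=alias,dc=com" scope=2 deref=0 filter="(uid=user)"
May 12 11:36:11 lnx-build slapd[19281]: conn=0 op=1 SEARCH RESULT tag=101 err=4 nentries=1 text=
May 12 11:42:54 lnx-build slapd[19281]: SRCH "dc=tor,dc=company,dc=com" 2 0
May 12 11:42:54 lnx-build slapd[19281]:     0 0 0
May 12 11:42:54 lnx-build slapd[19281]: conn=1 op=1 SRCH base="dc=tor,dc=company,dc=com" scope=2 deref=0 filter="(uid=user)"
May 12 11:42:54 lnx-build slapd[19281]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# Assumption: the bare triple is "sizelimit timelimit attrsonly" (0 = no client limit).
LIMITS = re.compile(r"slapd\[\d+\]:\s+(\d+) (\d+) (\d+)\s*$")
SRCH = re.compile(r"conn=(\d+) op=(\d+) SRCH base=")
RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")

def correlate_searches(log_text):
    """Return one record per search: client limits, result code, entry count."""
    pending, limits, findings = None, {}, []
    for line in log_text.splitlines():
        if m := LIMITS.search(line):
            # The debug triple carries no conn id; hold it for the next SRCH line.
            pending = tuple(int(x) for x in m.groups())
        elif m := SRCH.search(line):
            limits[(int(m[1]), int(m[2]))] = pending
            pending = None
        elif m := RESULT.search(line):
            key = (int(m[1]), int(m[2]))
            size, tlimit, _ = limits.pop(key, None) or (None, None, None)
            err, n = int(m[3]), int(m[4])
            findings.append({
                "conn": key[0], "op": key[1],
                "sizelimit": size, "timelimit": tlimit,
                "err": err, "nentries": n,
                # err=4 although the entries returned did not exceed the client's limit
                "suspect": err == 4 and size not in (None, 0) and n <= size,
            })
    return findings

if __name__ == "__main__":
    for rec in correlate_searches(SAMPLE_LOG):
        print(rec)
```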