
Re: (ITS#6711) Problems with ppolicy_forward_updates and starttls with certificate-based auth



Kartik Subbarao wrote:
> I'd like to add one clarification to this message. I named the attached
> test script that illustrates the two RESULT messages problem
> test099-ppolicy-update, per Howard's previous advice not to duplicate
> existing names. But I just realized that this script relies on the same
> data files that I previously submitted (slapd-ppolicy.conf,
> ppolicy.ldif) so when running this script please ensure that those files
> are in place.

Right, no problem. I've run your updated script against HEAD and see no 
errors, nor is there a duplicate result sent for the Bind operation.

There's a config error because back-ldap in HEAD now always requires the 
binddn to be set in the idassert-bind directive. I have a feeling that this 
new requirement is bogus, and I just patched your script to set binddn="" to 
get around it for the moment.

> Thanks,
>
> 	-Kartik
>
> On 02/02/2011 11:50 AM, Kartik Subbarao wrote:
>>>> Another problem is that bind operations to the consumer server start to
>>>> return two result messages -- one with the error code of the chained
>>>> operation, and one with the error code of the bind operation.
>>
>> I'm continuing to see this problem, even after I fix the acl-bind and
>> the 'manage' ACL configuration. See the attached for an updated test
>> script that illustrates the problem -- I've added a bind with an
>> incorrect password which should return 49, but instead is returning 0 to
>> the client.
>>
>> The last line of output from the test script is:
>>
>> ldap bind operation returned 0, expected 49
>>
>> For the relevant operation in slapd.2.log, I see the following:
>>
>> conn=1003 op=0 RESULT tag=103 err=0 text=
>> [...]
>> conn=1003 op=0 RESULT tag=97 err=49 text=
>>
>> slapd is returning two RESULT messages for the BIND operation. Error 0
>> seems to be from the successful chained modification of the
>> pwdFailureTime attribute, and Error 49 seems to be for the incorrect
>> password.
>>
>> -Kartik
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
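As an added example (not part of this thread and not OpenLDAP's own test script), a small Python checker that scans slapd stats-log lines in the format quoted above and flags any (conn, op) pair that received more than one RESULT, decoding the tag numbers to LDAP operation names so a chained modify's result leaking into a bind stands out; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# LDAP protocol-op tags as slapd logs them in "RESULT tag=NN" (BER APPLICATION
# tags: bindResponse=1 -> 0x61=97, modifyResponse=7 -> 0x67=103, and so on).
RESULT_TAGS = {97: "bindResponse", 101: "searchResDone", 103: "modifyResponse",
               105: "addResponse", 107: "delResponse", 109: "modDNResponse",
               111: "compareResponse", 120: "extendedResp"}

RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")


def find_duplicate_results(log_lines):
    """Return {(conn, op): [(tag, err), ...]} for operations that got more than
    one RESULT line, in logged order. A bind that first reports the chained
    modify's err=0 and only then its own err=49 shows up as [(103, 0), (97, 49)]."""
    results = defaultdict(list)
    for line in log_lines:
        m = RESULT_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            results[key].append((int(m["tag"]), int(m["err"])))
    return {key: vals for key, vals in results.items() if len(vals) > 1}


def describe(dups):
    """Render findings as one readable line per affected operation."""
    out = []
    for (conn, op), vals in sorted(dups.items()):
        ops = ", ".join(f"{RESULT_TAGS.get(t, 'tag ' + str(t))} err={e}" for t, e in vals)
        out.append(f"conn={conn} op={op}: {len(vals)} RESULT messages ({ops})")
    return out


# Constructed sample in slapd's stats-log format, modelled on the excerpt above.
SAMPLE_LOG = """\
conn=1003 op=0 BIND dn="uid=test,dc=example,dc=com" method=128
conn=1003 op=0 RESULT tag=103 err=0 text=
conn=1003 op=0 RESULT tag=97 err=49 text=
conn=1004 op=0 BIND dn="uid=other,dc=example,dc=com" method=128
conn=1004 op=0 RESULT tag=97 err=0 text=
""".splitlines()

if __name__ == "__main__":
    for finding in describe(find_duplicate_results(SAMPLE_LOG)):
        print(finding)
```

Running it against a real slapd.2.log from the test (loglevel stats) reports the same conn/op pair the thread discusses; an empty report means every operation got exactly one RESULT.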