[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4309) back-meta bind ok on target instead bad credential

On Fri, 2006-01-06 at 11:12 +0000, germanlinx@yahoo.fr wrote:
> In back-meta backend , when I try a bind on target with a dn of target , meta
> answers ok with any password (false or good) even the target tells 'invalid
> credential'

There might be issues, but the rationale behind the naive "distributed"
bind that back-meta implements is that when there's more than one target
that could contain the bindDN, they are all tried and as soon as one
succeeds the bind is considered successful, under the assumption that in
any case, in a well-designed distributed environment, the bindDN will
only be present in one target.  So it is reasonable, in those cases,
that some of the targets return invalidCredentials, as this is the
expected response when the bindDN does not exist.  Of course, it is not
correct to return success if none of the targets reported success.  Is
this the case you're suggesting?

> I add this patch on bind.c of this backend :
> 246,247c246,247
> <       /* if ( rc != LDAP_SUCCESS ) { */
> <          if ( rs->sr_err != LDAP_SUCCESS ) {   /* modif du 01-12-2005 */
> ---
> >       if ( rc != LDAP_SUCCESS ) {
> >
> in order to correct the behavior 

This patch is unusable; please generate one with "diff -u <old> <new>".


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it