Re: (ITS#5513) back-ldap+ppolicy bind assertion failure
mbackes@symas.com wrote:
> A basic back-ldap configuration with the password policy overlay stacked on top
> results in an assertfail for the second bind. e.g. given a working (possibly
> empty db) on ldap://localhost:1389/...
>
> include ...../core.schema
> include ...../ppolicy.schema
>
> modulepath .....
> moduleload back_ldap.la
> moduleload ppolicy.la
>
> database ldap
> suffix ""
> uri ldap://localhost:1389/
>
> After performing a successful remote bind, the next bind attempt halts the
> back-ldap directory with:
>
> slapd: bind.c:905: ldap_back_getconn: Assertion `( li->li_idassert.si_flags &
> (0x02U) )' failed.
>
> where 0x02U here is LDAP_BACK_AUTH_OVERRIDE.
>
> This happens under both OpenLDAP 2.3 and 2.4.

I've been able to reproduce the issue, and I think it's solved
(back-ldap/search.c 1.235 -> 1.236); however I'm afraid I didn't
understand all the details of your configuration, so I might have tested
something different.

The bug was in ldap_back_entry_get() setting up a connection based on
the o_tag field, which is that of the current operation (a bind, in your
case). I fixed it by always re-setting the tag to LDAP_REQ_SEARCH,
under the assumption that ldap_back_entry_get() doesn't need to know
what operation required the entry to be looked up.

Please test and report; in case of further issues, I might need the full
slapd.conf of the proxy (unless the above is all, of course...)

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------