Re: (ITS#5513) back-ldap+ppolicy bind assertion failure

[ando@sys-net.it]

mbackes@symas.com wrote:

> A basic back-ldap configuration with the password policy overlay stacked on top
> results in an assertfail for the second bind.  e.g.  given a working (possibly
> empty db) on ldap://localhost:1389/...
> 
> include ...../core.schema
> include ...../ppolicy.schema
> 
> modulepath .....
> moduleload back_ldap.la
> moduleload ppolicy.la
> 
> database ldap
> suffix ""
> uri ldap://localhost:1389/
> 
> After performing a successful remote bind, the next bind attempt halts the
> back-ldap directory with:
> 
> slapd: bind.c:905: ldap_back_getconn: Assertion `( li->li_idassert.si_flags &
> (0x02U) )' failed.
> 
> where 0x02U here is LDAP_BACK_AUTH_OVERRIDE.
> 
> This happens under both OpenLDAP 2.3 and 2.4.

I've been able to reproduce the issue, and I think it's solved 
(back-ldap/search.c 1.235 -> 1.236); however I'm afraid I didn't 
understand all the details of your configuration, so I might have tested 
something different.

The bug was in ldap_back_entry_get() setting up a connection based on 
the o_tag field, which is that of the current operation (a bind, in your 
case).  I fixed it by always re-setting the tag to LDAP_REQ_SEARCH, 
under the assumption that ldap_back_entry_get() doesn't need to know 
what operation required the entry to be looked up.

Please test and report; in case of further issues, I might need the full 
slapd.conf of the proxy (unless the above is all, of course...)

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------