Re: (ITS#7678) Operational Error propagated from back-meta



On 2 Sep 2013, at 04:15 PM, Howard Chu <hyc@symas.com> wrote:

> matth@netsight.co.uk wrote:
>> Full_Name: Matt Hamilton
>> Version: 2.4.36
>> OS: Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (213.133.64.253)
>> 
>> 
>> I am using the meta backend to query multiple LDAP (AD) backends. This is to
>> consolidate several directories in different departments into one. We attempt
>> both simple binds with username/password and also anon binds to look up user
>> information.
> 
> That doesn't make much sense, since AD disallows anonymous Binds.

Sorry, I wasn't clear. I mean we do both anon and simple binds to OpenLDAP. Hence why the config has credentials in it to use against the backends if not supplied by the client. 

>> At the moment, trying to do an authenticated simple bind to slapd caused an
>> Operational Error to be propagated to the client regardless of the setting of
>> 'onerr'. Even when a result is successfully found. This is due to one server in
>> the backend succeeding and the other returning an operational error due to an
>> invalid bind (as would be expected as the credentials supplied from the client
>> will only work with one of the backends).
>> 
>> Looking at servers/slapd/back-meta/search.c at around line 1903 it appears that
>> the code is not checking for 'Operational Error' as a specific case above and so
>> uses the default case (line 1665). Hence sres is set to 'Operational Error' too
>> at line 1934.
> 
> back-meta/search.c has nothing to do with Binds. Not sure what you're trying to demonstrate there.

I'm not talking about binds there. I'm talking about errors being propagated. 

-Matt


>> 
>> The server should be changing this to LDAP_SUCCESS somewhere in that logic
>> unless META_BACK_ONERR_REPORT.
> 
> -- 
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/