[Date Prev][Date Next]
Re: (ITS#7678) Operational Error propagated from back-meta
On 2 Sep 2013, at 04:15 PM, Howard Chu <email@example.com> wrote:
> firstname.lastname@example.org wrote:
>> Full_Name: Matt Hamilton
>> Version: 2.4.36
>> OS: Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (126.96.36.199)
>> I am using the meta backend to query multiple LDAP (AD) backends. This is to
>> consolidate several directories in different departments into one. We attempt
>> both simple binds with username/password and also anon binds to look up user
> That doesn't make much sense, since AD disallows anonymous Binds.
Sorry, I wasn't clear. I mean we do both anon and simple binds to OpenLDAP. Hence why the config has credentials in it to use against the backends if not supplied by the client.
>> At the moment, trying to do an authenticated simple bind to slapd caused an
>> Operational Error to be propagated to the client regardless of the setting of
>> 'onerr'. Even when a result is successfully found. This is due to one server in
>> the backend succeeding and the other returning an operational error due to an
>> invalid bind (as would be expected as the credentials supplied from the client
>> will only work with one of the backends).
>> Looking at servers/slapd/back-meta/search.c at around line 1903 it appears that
>> the code is not checking for 'Operational Error' as a specific case above and so
>> uses the default case (line 1665). Hence sres is set to 'Operational Error' too
>> at line 1934.
> back-meta/search.c has nothing to do with Binds. Not sure what you're trying to demonstrate there.
I'm not talking about binds there. I'm talking about errors being propagated.
>> The server should be changing this to LDAP_SUCCESS somewhere in that logic
>> unless META_BACK_ONERR_REPORT.
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/