[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#8555) slapo-pcache forgets credentials for binddn
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8555) slapo-pcache forgets credentials for binddn
- From: hyc@symas.com
- Date: Thu, 05 Jan 2017 12:47:59 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
quanah@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.44
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.26)
>
>
> When slapo-pcache is set up to use the user credentials for binding, the first
> bind will succeed accordingly, but subsequent binds will fall back to anonymous,
> as slapd logs that the credentials are not found:
>
> 58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni
> association,ou=people,dc=example,dc=com" without creds, binding
> anonymouslyldap_sasl_bind
>
>
> This is trivial to reproduce by making a slight modification to
> test020-proxycache:
>
> index f4e5cb7..105b911 100755
> --- a/tests/scripts/test020-proxycache
> +++ b/tests/scripts/test020-proxycache
> @@ -645,6 +645,22 @@ if test $RC != 4 ; then
> test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
> exit 1
> fi
> +
> +CNT=`expr $CNT + 1`
> +FILTER="(sn=Jon)"
> +ATTRS="cn mail telephonenumber"
> +echo "Query $CNT: (Result should not be cached)"
> +echo "# Query $CNT: (Result should not be cached)" >> $SEARCHOUT
> +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \
> + -D "$USERDN" -w "$UPASSWD" "$FILTER" $ATTRS >> $SEARCHOUT 2>> $TESTOUT
> +RC=$?
> +
> +if test $RC != 0 ; then
> + echo "ldapsearch failed ($RC)!"
> + test $KILLSERVERS != no && kill -HUP $KILLPIDS
> + exit $RC
> +fi
> +
>
>
> The error test case isn't useful here, but slapd.2.log can be examined to see
> the behavior.
>
> It appears that there's a problem with this block of code in back-ldap/bind.c,
> that starts at line 2489 in RE24:
This title is misleading. slapo-pcache doesn't forget anything. The point is
that when slapo-pcache is configured to cache Binds, if a Bind is answerable
from the cache then pcache answers it and the underlying backend doesn't ever
see the Bind request.
slapo-pcache is working as designed.
back-ldap is also working as designed, in test020. In particular, it cannot do
an authenticated connection to the remote backend unless you configure
proxyAuthz or rebind-as-user and neither of those are set in the test020
config. Without either of these possibilities for providing
authentication/authorization, it of course must connect anonymously to the remote.
Also rebind-as-user won't work here since back-ldap only caches those
credentials for the duration of one session. So, the only method that will
work is to use proxyAuthz.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/