
Re: back-ldap and saslauthd err=4



Andrew Reilly wrote:

My organization has distributed our DIT across several openldap master
servers. To provide a view across the whole tree we have several
"central slaves" where all the masters are replicated to, and these
are fronted by a proxy cache using back-ldap for each central slave. This has been working quite well.


Recently I have been integrating an application that only supports
LDAP authentication via saslauthd.  Everything was humming along until
I encountered an interesting error.  When I point saslauthd
directly at an ldap directory, whether it is a master or a slave, it
works, but if I point it at a back-ldap instance the result is an
err=4.  Now, from my reading err=4 occurs when a search exceeds the
configured number of returns, but the search being performed by
saslauthd only returns one entry.  If I perform the exact same search
via ldapsearch against the back-ldap instance it works.

Any idea on what might be causing it, or how I might gather any useful
information on the cause?


What version(s) of OpenLDAP are you using, or have you tried? There might be/have been issues with counting the number of results returning from a search. I note that saslauthd might set a sizelimit of 1, to ensure that exactly one result is being returned, and back-ldap may be erroneously returning error 4, or anything of the kind. I suggest you enable server logging at level 256 + 4 and send the logs of both cases, i.e. contacting the server directly vs. contacting the proxy. I confirm that the current release (2.2.24) honors client-side sizelimit without returning an error if the number of entries returned is exactly the requested sizelimit either with back-bdb or back-ldap.

p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
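The sizelimit semantics the reply relies on, as an added illustration that is not OpenLDAP or saslauthd code: a conformant server returns exactly `sizelimit` entries with success and only signals result code 4 (sizeLimitExceeded, the err=4 above) when a further match exists, while a saslauthd-style lookup with sizelimit 1 treats code 4 as a failure even though one user matched. The directory entries and the off-by-one variant are constructed for contrast.

```python
# Added illustration of LDAP client-side sizelimit semantics; constructed data,
# not OpenLDAP or saslauthd code. Result code 4 is sizeLimitExceeded (err=4).
from typing import Dict, Iterable, List, Tuple

LDAP_SUCCESS = 0
LDAP_SIZELIMIT_EXCEEDED = 4

# Constructed sample entries standing in for the replicated DIT.
DIT: List[Dict[str, str]] = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "uid": "carol"},
]


def apply_sizelimit(matches: Iterable[Dict[str, str]],
                    sizelimit: int) -> Tuple[List[Dict[str, str]], int]:
    """Bound a result stream the way a conformant server does.

    sizelimit 0 means unlimited. Exactly `sizelimit` matches is a plain
    success; code 4 is returned only when one more match exists beyond the
    limit, and the first `sizelimit` entries are still delivered with it.
    """
    sent: List[Dict[str, str]] = []
    for entry in matches:
        if sizelimit and len(sent) == sizelimit:
            return sent, LDAP_SIZELIMIT_EXCEEDED
        sent.append(entry)
    return sent, LDAP_SUCCESS


def off_by_one_sizelimit(matches, sizelimit):
    """Hypothetical variant (constructed for contrast, not back-ldap's code):
    treats reaching the limit as exceeding it, so a sizelimit=1 lookup that
    matches exactly one user fails with err=4."""
    sent = []
    for entry in matches:
        sent.append(entry)
        if sizelimit and len(sent) >= sizelimit:
            return sent, LDAP_SIZELIMIT_EXCEEDED
    return sent, LDAP_SUCCESS


def lookup_user(uid: str, server=apply_sizelimit) -> str:
    """saslauthd-style lookup: search with sizelimit 1, require exactly one hit."""
    matches = (e for e in DIT if e["uid"] == uid)
    entries, code = server(matches, 1)
    if code == LDAP_SIZELIMIT_EXCEEDED:
        return "error: sizeLimitExceeded (err=4)"
    if len(entries) != 1:
        return "no such user"
    return "found " + entries[0]["dn"]
```

Comparing `lookup_user("alice")` against both server variants reproduces the symptom in the thread: the same single-match search succeeds against one and returns err=4 against the other.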