
Output differs when searching via translucent proxy



Hello all,

We have an OpenLDAP installation like this: master <- slave <- translucent proxy. The whole installation is on Debian Jessie 8.2 with slapd version 2.4.40+dfsg-1+deb8u1.

When searching/binding with ldapsearch everything seems ok. I mean I have the results I expect.

We have an application called CAS to authenticate users on web applications, and that is where things start to get strange. When CAS is configured to communicate with the slave, there is no problem; users can authenticate without issue. But when CAS is configured to communicate with the translucent proxy, it is not possible for users to be authenticated.

I looked at different places and changed different parameters, playing with the LDAP protocol, search reference responses, automatic referral chasing, ... but I can't make it work.

In the logs I have this:

ldapsearch request: the output is ok

from client to translucent proxy:

slapd[8845]: conn=1019 fd=13 ACCEPT from IP=10.93.64.180:57730 (IP=0.0.0.0:389)
slapd[8845]: conn=1019 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1019 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[8845]: conn=1019 op=0 RESULT tag=97 err=0 text=
slapd[8845]: conn=1019 op=1 SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1019 op=1 SRCH attr=1.1
slapd[8845]: conn=1019 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[8845]: conn=1019 op=2 UNBIND
slapd[8845]: conn=1019 fd=13 closed

from translucent proxy to slave:

slapd[6491]: conn=1759 fd=25 ACCEPT from IP=10.93.64.207:37513 (IP=0.0.0.0:389)
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] RESULT tag=97 err=0 text=
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH attr=* +
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[6491]: conn=1759 op=2 UNBIND
slapd[6491]: conn=1759 fd=25 closed


CAS request: I don't have the output I expect

from client to translucent proxy:

slapd[8845]: conn=1017 fd=13 ACCEPT from IP=10.93.64.180:57109 (IP=0.0.0.0:389)
slapd[8845]: conn=1017 op=0 BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1017 op=0 BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[8845]: conn=1017 op=0 RESULT tag=97 err=0 text=
slapd[8845]: conn=1017 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1017 op=1 SRCH attr=1.1
slapd[8845]: conn=1017 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[8845]: conn=1017 fd=13 closed (connection lost)

from translucent proxy to slave:

slapd[6491]: conn=1747 fd=13 ACCEPT from IP=10.93.64.207:35881 (IP=0.0.0.0:389)
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=Access,dc=domain,dc=com" mech=SIMPLE ssf=0
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] RESULT tag=97 err=0 text=
slapd[6491]: conn=1747 op=1 UNBIND
slapd[6491]: conn=1747 fd=13 closed


The configuration part relative to translucent:

# Entry 1: olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
dn: olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
objectclass: olcConfig
objectclass: olcOverlayConfig
objectclass: olcTranslucentConfig
objectclass: top
olcoverlay: {3}translucent
olctranslucentbindlocal: TRUE

# Entry 2: olcDatabase={0}ldap,olcOverlay={3}translucent,olcDatabase={2}m...
dn: olcDatabase={0}ldap,olcOverlay={3}translucent,olcDatabase={2}mdb,cn=conf
 ig
objectclass: olcConfig
objectclass: olcLDAPConfig
objectclass: olcTranslucentDatabase
objectclass: olcDatabaseConfig
olcdatabase: {0}ldap
olcdbchasereferrals: TRUE
olcdbidassertauthzfrom: {0}*
olcdbidassertbind: bindmethod="simple" binddn="uid=roaccess,ou=access,dc=dom
 ain,dc=com" credentials="hideme" mode="self"
olcdbsessiontrackingrequest: TRUE
olcdburi: ldap://ldap-data.domain.it

I do not really know where else to look. I'll continue to try different things to make it work, but any idea/suggestion/correction is welcome.

Thank you in advance for your time.

--
------------

M. P.
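
An added example, not part of the original post: a Python script that collapses slapd log entries into one record per connection, so the working ldapsearch trace and the failing CAS trace can be compared field by field. The log entries are copied from the traces above (trimmed to the ones the parser uses); the function names are this example's own.

```python
import re

# Entries copied from the post's traces: slapd[8845] is the translucent proxy,
# slapd[6491] the slave behind it. Only the lines the parser uses are kept.
LOG = '''
slapd[8845]: conn=1019 op=0 BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1019 op=1 SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1019 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[8845]: conn=1017 op=0 BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[8845]: conn=1017 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[8845]: conn=1017 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[6491]: conn=1759 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1759 op=1 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=SI,ou=access,dc=domain,dc=com] SRCH base="ou=people,dc=domain,dc=com" scope=2 deref=3 filter="(uid=myuser)"
slapd[6491]: conn=1747 op=0 [IP=10.93.64.180 USERNAME=uid=cas-auth,ou=si,ou=access,dc=domain,dc=com] BIND dn="uid=cas-auth,ou=si,ou=access,dc=domain,dc=com" method=128
slapd[6491]: conn=1747 op=1 UNBIND
'''

# pid, conn, optional op number, optional session-tracking prefix, then the event text
LINE = re.compile(r'slapd\[(\d+)\]: conn=(\d+) (?:op=\d+ )?(?:\[[^\]]*\] )?(.*)')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def summarize(log):
    """Collapse slapd log lines into one record per (pid, conn)."""
    conns = {}
    for m in LINE.finditer(log):
        rec = conns.setdefault((int(m[1]), int(m[2])), {"searches": 0})
        kv = {k: q or u for k, q, u in FIELD.findall(m[3])}
        if m[3].startswith("BIND dn="):
            rec.setdefault("bind_dn", kv["dn"])   # DN as the client sent it
        elif m[3].startswith("SRCH base="):
            rec.update(base=kv["base"], filter=kv["filter"])
            rec["searches"] += 1
        elif m[3].startswith("SEARCH RESULT"):
            rec["nentries"] = int(kv["nentries"])
    return conns

def compare(good, bad):
    """Fields that differ between two connections, flagging case-only changes."""
    out = []
    for key in ("bind_dn", "base", "filter", "nentries"):
        a, b = str(good.get(key)), str(bad.get(key))
        if a != b:
            out.append((key, "case only" if a.lower() == b.lower() else "value"))
    return out

def bind_only(conns, pid):
    """Connections on one slapd that bound but never issued a search."""
    return sorted(c for (p, c), r in conns.items()
                  if p == pid and "bind_dn" in r and r["searches"] == 0)
```

On this sample, `compare(conns[(8845, 1019)], conns[(8845, 1017)])` reports that the bind DN and search base differ only in letter case while `nentries` differs in value, and `bind_only(conns, 6491)` returns the slave-side connection 1747, where the proxy bound but sent no search.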