
Re: (ITS#8555) slapo-pcache forgets credentials for binddn



quanah@openldap.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.44
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (47.208.148.26)
>
>
> When slapo-pcache is set up to use the user credentials for binding, the first
> bind will succeed accordingly, but subsequent binds will fall back to anonymous,
> as slapd logs that the credentials are not found:
>
> 58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni
> association,ou=people,dc=example,dc=com" without creds, binding anonymously
> ldap_sasl_bind
>
>
> This is trivial to reproduce by making a slight modification to
> test020-proxycache:
>
> index f4e5cb7..105b911 100755
> --- a/tests/scripts/test020-proxycache
> +++ b/tests/scripts/test020-proxycache
> @@ -645,6 +645,22 @@ if test $RC != 4 ; then
>         test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
>         exit 1
>  fi
> +
> +CNT=`expr $CNT + 1`
> +FILTER="(sn=Jon)"
> +ATTRS="cn mail telephonenumber"
> +echo "Query $CNT: (Result should not be cached)"
> +echo "# Query $CNT: (Result should not be cached)" >> $SEARCHOUT
> +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \
> +       -D "$USERDN" -w "$UPASSWD" "$FILTER" $ATTRS >> $SEARCHOUT 2>> $TESTOUT
> +RC=$?
> +
> +if test $RC != 0 ; then
> +       echo "ldapsearch failed ($RC)!"
> +       test $KILLSERVERS != no && kill -HUP $KILLPIDS
> +       exit $RC
> +fi
> +
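Review bot: the `if test $RC != 0` check after the new ldapsearch cannot detect the behaviour this report is about, because a bind that silently falls back to anonymous still returns a successful search, so the added query passes whether or not the proxy used the user's credentials; the "Result should not be cached" comment is likewise never verified. After the search, grep the second server's log (slapd.2.log, as the report itself suggests) for "without creds, binding anonymously" and fail the test on a match, or compare $SEARCHOUT against an expected result that only an authenticated bind can produce. Also, the failure branch here runs `test $KILLSERVERS != no && kill -HUP $KILLPIDS` without the trailing `&& wait` that the surrounding block uses (`kill -HUP $KILLPIDS && wait`), so the script may exit before the servers have stopped; keep the two branches consistent.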
>
>
> The error test case isn't useful here, but slapd.2.log can be examined to see
> the behavior.
>
> It appears that there's a problem with this block of code in back-ldap/bind.c,
> that starts at line 2489 in RE24:

This title is misleading. slapo-pcache doesn't forget anything. The point is 
that when slapo-pcache is configured to cache Binds, if a Bind is answerable 
from the cache then pcache answers it and the underlying backend doesn't ever 
see the Bind request.

slapo-pcache is working as designed.

back-ldap is also working as designed, in test020. In particular, it cannot do 
an authenticated connection to the remote backend unless you configure 
proxyAuthz or rebind-as-user, and neither of those is set in the test020 
config. Without either of these possibilities for providing 
authentication/authorization, it of course must connect anonymously to the remote.

Also rebind-as-user won't work here since back-ldap only caches those 
credentials for the duration of one session. So, the only method that will 
work is to use proxyAuthz.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
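The configuration contrast behind this exchange, as an added illustration that is not part of the thread and not the test020 configuration from the OpenLDAP test suite: a back-ldap proxy with slapo-pcache caching Binds, first without any way to authenticate to the remote (so every cached Bind is answered locally and every proxied operation goes to the remote anonymously), then with idassert-bind plus the Proxied Authorization control, which is the proxyAuthz route the reply says is the only one that works across sessions. Directive names and syntax are taken from slapd-ldap(5), slapd-config/slapd.conf(5) and slapo-pcache(5); the DNs, password, attribute sets, TTLs and the proxy account are assumptions chosen for the example, and the remote server must be configured to accept proxy authorization from that account (shown at the end).

```conf
###############################################################
# WEAK: proxy with Bind caching and no identity assertion.
# pcache answers a cached Bind itself; the remote never sees it,
# and since back-ldap has no credentials of its own, any operation
# that does reach the remote is sent on an anonymous connection.
###############################################################
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com/"
# (no idassert-bind, no rebind-as-user)

overlay         pcache
# <database> <max_entries> <numattrsets> <entry limit> <cc_period>
pcache          mdb 100 2 1000 100
pcacheAttrset   0 mail postaladdress telephonenumber
pcacheAttrset   1 sn cn title uid
pcacheTemplate  (sn=) 0 3600
# Bind caching: after the first successful simple Bind for a user
# matching this template, later Binds are checked against the cache.
pcacheBind      (uid=) 1 3600 ou=people,dc=example,dc=com sub
directory       /var/lib/ldap/pcache

###############################################################
# CORRECTED: same proxy, but back-ldap binds to the remote as a
# dedicated proxy identity and asserts the local user's identity
# via the Proxied Authorization control on every proxied operation.
# This works whether or not the user's Bind was served from cache,
# because the proxy never needs the user's own password.
###############################################################
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com/"
# Assumed proxy account; give it a strong secret in a real deployment.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=system,dc=example,dc=com"
                credentials="assumed-proxy-secret"
                mode=self
# Only identities under ou=people may be asserted through this proxy.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"

overlay         pcache
pcache          mdb 100 2 1000 100
pcacheAttrset   0 mail postaladdress telephonenumber
pcacheAttrset   1 sn cn title uid
pcacheTemplate  (sn=) 0 3600
pcacheBind      (uid=) 1 3600 ou=people,dc=example,dc=com sub
directory       /var/lib/ldap/pcache

###############################################################
# REMOTE server (remote.example.com): it must permit the proxy
# account to authorize as the asserted users, otherwise the control
# is rejected and the proxied operation fails.
###############################################################
# in the remote slapd.conf:
authz-policy    to
# and on the proxy account's entry (operational attribute):
#   dn: cn=proxy,ou=system,dc=example,dc=com
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

Two practical checks follow from the reply. First, the remote's log is the place to confirm the fix: a proxied search should now show the proxy DN binding followed by an authzid for the user, rather than the "without creds, binding anonymously" line from the report. Second, keep idassert-authzFrom as narrow as the deployment allows; the proxy account holds a standing ability to act as every identity that pattern matches, so the remote-side authzTo value and the local authzFrom pattern should agree and both should exclude administrative DNs.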