[Date Prev][Date Next] [Chronological] [Thread] [Top]

Question regarding slapo-pcache

To: openldap-technical@openldap.org
Subject: Question regarding slapo-pcache
From: Philippe <dqbbetiegaiaabi4aakegqi5cvtxo@protected32.unixadm.org>
Date: Mon, 13 Jan 2014 19:18:40 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

Hi everyone,

I'm setting up an openldap server that proxies _and_ caches everythingfrom other servers (OpenLDAP and AD, that's what the meta database is for).

As for now proxying and caching data works fine but I'm unable to getcredentials cached. How is pcacheBind supposed to work?


This is my setup so far:

--%snip%--
# slapd.conf
include /some/schemas/..

sizelimit unlimited

moduleload back_bdb
moduleload back_ldap
moduleload back_meta
moduleload pcache


database ldap
suffix "dc=xyz,dc=de"
rootdn "cn=sys,dc=xyz,dc=de"

uri "ldap://10.0.0.1"; # the ldap server I'm talking to
chase-referrals yes
rebind-as-user yes

overlay pcache
pcache bdb 999999 2 999 300
directory /var/lib/ldap-cache
cachesize 1024
index objectClass eq,pres
index uidNumber,gidNumber eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid,memberUid eq,pres,sub
index uniqueMember eq,pres

pcacheMaxQueries 999999
pcacheOffline false
pcachePersist true

pcacheAttrset 0 cn uid objectclass userpassword sn mail memberof displayname
pcacheTemplate (cn=) 0 3600

pcacheAttrset 1 cn uid
pcacheTemplate (cn=) 1 3600
pcacheBind (cn=) 1 3600 sub dc=xyz,dc=de

database meta
suffix "dc=de"

uri "ldap://localhost/dc=xyz,dc=de";
idassert-bind bindmethod=simple
  binddn="cn=sys,dc=xyz,dc=de"
  credentials="somecredentials"

chase-referrals yes
rebind-as-user yes
--%snip%--

Now I'm running some queries using ldapsearch and watching the trafficvia tcpdump.

As far as I can tell the requested attributes are cached, the remoteldap server is only asked once about the requested data.But even when the data is already cached the openldap server still triesto bind to the remote server. Which is unfortunate since I'm trying tocatch network outages with the caching proxy.


Example:

$ ldapsearch -x -H ldap://localhost -D cn=me,ou=users,dc=xyz,dc=de -W -b dc=xyz,dc=de 'cn=foo' mail

- first attempt

tcpdump shows: bind, search of cn uid objectclass userpassword sn mailmemberof, and the result


- second attempt, same command
tcpdump shows: bind and that's all. The result are delivered from cache.


I tried other filter masks, too, which lead to different results:

--%snip%--
pcacheAttrset 0 *
pcacheTemplate (cn=) 0 3600
pcacheBind (cn=) 0 3600 sub dc=xyz,dc=de
--%snip%--

In this case the remote server isn't queried anymore after the secondattempt of the command above (which is good), but when trying to searchfor data that hasn't been cached yet, openldap tries to bind anonymouslyto the remote server (which is bad, because it won't work).


Syslog tells me:

ldap_back_dobind_int: DN="cn=me,ou=users,dc=xyz,dc=de" without creds, binding anonymously


Any clues?


Kind regards,

Philippe

Prev by Date: Antw: Re: mdb expected growth
Next by Date: RE: mdb expected growth
Index(es):
- Chronological
- Thread