
(ITS#7678) Operational Error propagated from back-meta



Full_Name: Matt Hamilton
Version: 2.4.36
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.133.64.253)


I am using the meta backend to query multiple LDAP (AD) backends. This is to
consolidate several directories in different departments into one. We attempt
both simple binds with username/password and also anon binds to look up user
information.

database	meta
suffix		"DC=hscic,DC=nhs,DC=uk"
rootdn		"DC=hscic,DC=nhs,DC=uk"
chase-referrals no
norefs yes

uri 		"ldap://dc1lv.npfit.nhs.uk/DC=hscic,DC=nhs,DC=uk" "ldap://dc2lv.npfit.nhs.uk" "ldap://dc1dr.npfit.nhs.uk"
suffixmassage	"DC=hscic,DC=nhs,DC=uk" "OU=Accounts - Active Users, OU=routine objects, DC=npfit, DC=nhs, DC=uk"
idassert-bind bindmethod=simple 
	      binddn="CN=webuser,OU=Surnames Q to Z,OU=Accounts - Active Users,OU=Routine Objects,DC=npfit,DC=nhs,DC=uk" 
	      credentials="secret1"
	      mode=self
idassert-authzFrom      "dn:*"

uri 		"ldap://ts-l-dci-350.ic.green.net/DC=hscic,DC=nhs,DC=uk" "ldap://ts-l-dci-344.ic.green.net" "ldap://hg-l-dci-332.ic.green.net"
suffixmassage	"DC=hscic,DC=nhs,DC=uk" "OU=HSCIC,DC=ic,DC=Green,DC=Net"
idassert-bind bindmethod=simple 
	      binddn="CN=z-CFHimport,OU=Service Accounts,OU=Administration,DC=ic,DC=Green,DC=Net" 
	      credentials="secret2"
	      mode=self
idassert-authzFrom      "dn:*"

At the moment, trying to do an authenticated simple bind to slapd causes an
Operational Error to be propagated to the client regardless of the setting of
'onerr', even when a result is successfully found. This is due to one server in
the backend succeeding and the other returning an operational error due to an
invalid bind (as would be expected, as the credentials supplied from the client
will only work with one of the backends).

Looking at servers/slapd/back-meta/search.c at around line 1903 it appears that
the code is not checking for 'Operational Error' as a specific case above and so
uses the default case (line 1665). Hence sres is set to 'Operational Error' too
at line 1934.

The server should be changing this to LDAP_SUCCESS somewhere in that logic
unless META_BACK_ONERR_REPORT.
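
The result handling the report asks for, as a simplified C model added here (not code from back-meta and not the reporter's): per-target result codes are merged according to the 'onerr' setting. The enum names, the struct and merge_results() are hypothetical; the three modes follow the onerr values documented in slapd-meta(5), and the sample targets are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Standard LDAP result codes (RFC 4511). */
#define LDAP_SUCCESS          0
#define LDAP_OPERATIONS_ERROR 1

/* Hypothetical names for the three documented 'onerr' settings. */
enum onerr_mode { ONERR_CONTINUE, ONERR_STOP, ONERR_REPORT };

/* Constructed per-target outcome: result code and entries returned. */
struct target_result { int rc; int entries; };

/*
 * Merge per-target results into the code sent to the client.
 * continue: a failing target is skipped, the client gets success.
 * stop:     the first failing target ends the search with its code.
 * report:   all targets are visited, the first non-success code is returned.
 * *entries_out receives the number of entries gathered before returning.
 */
int merge_results(const struct target_result *t, size_t n,
                  enum onerr_mode mode, int *entries_out)
{
    int first_err = LDAP_SUCCESS;
    *entries_out = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].rc == LDAP_SUCCESS) {
            *entries_out += t[i].entries;
            continue;
        }
        if (mode == ONERR_STOP)
            return t[i].rc;
        if (first_err == LDAP_SUCCESS)
            first_err = t[i].rc;
    }
    return mode == ONERR_REPORT ? first_err : LDAP_SUCCESS;
}

int main(void)
{
    /* Constructed case from the report: one target accepts the bind and
       returns the entry, the other fails with an operations error. */
    struct target_result t[] = { { LDAP_SUCCESS, 1 }, { LDAP_OPERATIONS_ERROR, 0 } };
    int entries;
    int rc = merge_results(t, 2, ONERR_CONTINUE, &entries);
    printf("continue: rc=%d entries=%d\n", rc, entries);
    rc = merge_results(t, 2, ONERR_REPORT, &entries);
    printf("report:   rc=%d entries=%d\n", rc, entries);
    return 0;
}
```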