Re: proxycache with referral
- To: "Jay zh" <jayzh@hotmail.com>
- Subject: Re: proxycache with referral
- From: "Pierangelo Masarati" <ando@sys-net.it>
- Date: Thu, 11 Nov 2004 10:25:02 +0100 (CET)
- Cc: openldap-software@OpenLDAP.org
- Importance: Normal
- In-reply-to: <BAY18-F18FRJrzdDW6l0005a443@hotmail.com>
- References: <BAY18-F18FRJrzdDW6l0005a443@hotmail.com>
- User-agent: SquirrelMail/1.4.3a-1
I think your problem is in servers/slapd/back-ldap/bind.c and it is not
directly related to referrals or rebind. When ldap_back_getconn() is
called by back_ldap_search(), when any overlay is configured, the test
(op->o_bd == op->o_conn->c_authz_backend) fails because the "op->o_bd"
field is now a temporary object instead of the real database data. This
is required by the overlay mechanism. As a result, ldap_back_getconn()
causes an anonymous bind to take place.

ldap_back_getconn( Operation *op, SlapReply *rs )
{
        struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
        struct ldapconn *lc, lc_curr;
        LDAP *ld;
        int is_priv = 0;

        /* Searches for a ldapconn in the avl tree */

        /* Explicit binds must not be shared */
        if ( op->o_tag == LDAP_REQ_BIND
                || ( op->o_conn && op->o_bd == op->o_conn->c_authz_backend ) )

I think this is not the intended behavior, and may indicate a problem in
the current overlay design. As such, I suggest you file an ITS
(http://www.openldap.org/its/ with guidelines at
http://www.openldap.org/devel/contributing.html) including my analysis if
you think it is correct.
p.
> Hi:
>
> Version: 2.2.18
>
> I build a server for LDAP proxy cache. My destination server does not
> allow anonymous binding. If I use LDAP backend only and do not set
> proxycache overlay, it's OK. But if I enable proxycache overlay, there is
> an error. After allowing anonymous binding, the error disappears.
>
> The error 7 means Authentication method not supported because I do not
> allow anonymous binding.
>
> ldap_chase_referrals
> read1msg: V2 referral chased, mark request completed, id = 1
> new result: res_errno: 7, res_error: <>, res_matched: <>
> read1msg: 0 new referrals
> read1msg: mark request completed, id = 1
> request 1 done
> res_errno: 7, res_error: <>, res_matched: <>
>
> Does chasing referral need to allow anonymous binding? What's the
> difference between using rebind-as-user and not using it in slapd.conf? The
> man page said that bind credentials are remembered for rebind when chasing
> referrals. If I don't set this, will chasing referrals do anonymous
> binding?
> I have set it, but the error is the same. How do I solve this problem
> except allowing anonymous binding?
>
> Thanks.
>
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
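
Added example (not part of the original message and not OpenLDAP source): a minimal C model of the comparison analysed in the reply, showing why a pointer-identity test stops recognising the client's bind once an overlay hands the backend a temporary copy of the database structure. The struct layouts, the function names and the be_private-based comparison are assumptions made for illustration; the latter is not presented as the project's fix.

```c
/* Simplified model; every type and name here is constructed for illustration. */
#include <stdio.h>

struct backend { const char *suffix; void *be_private; };
struct conn    { struct backend *authz_backend; };  /* database the client bound to */
struct op      { struct backend *bd; struct conn *conn; };

/* Same shape as the test in the excerpt: identity of the backend object. */
int bound_here_by_pointer(const struct op *op)
{
    return op->conn && op->bd == op->conn->authz_backend;
}

/* Hypothetical alternative: compare the private data a shallow copy still shares. */
int bound_here_by_private(const struct op *op)
{
    return op->conn && op->conn->authz_backend
        && op->bd->be_private == op->conn->authz_backend->be_private;
}

/* Returns 1 when the chosen test recognises that the client bound to this
 * database, 0 when it does not (the case that ends in an anonymous bind). */
int recognises_bind(int with_overlay, int use_private)
{
    int li = 0;                           /* stands in for struct ldapinfo */
    struct backend real = { "dc=example,dc=com", &li };
    struct conn c = { &real };            /* client authenticated against 'real' */
    struct backend tmp = real;            /* overlay's temporary copy of the database */
    struct op op = { with_overlay ? &tmp : &real, &c };

    return use_private ? bound_here_by_private(&op)
                       : bound_here_by_pointer(&op);
}

int main(void)
{
    printf("no overlay, pointer test:   %d\n", recognises_bind(0, 0));
    printf("overlay,    pointer test:   %d\n", recognises_bind(1, 0));
    printf("overlay,    be_private test: %d\n", recognises_bind(1, 1));
    return 0;
}
```
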