Re: slapd-meta configuration details
- To: Howard Chu <hyc@symas.com>
- Subject: Re: slapd-meta configuration details
- From: Scott Koranda <skoranda@gmail.com>
- Date: Thu, 6 Dec 2012 22:51:42 -0600
- Cc: openldap-technical@openldap.org
- In-reply-to: <50C16513.5040404@symas.com>
- References: <20121207023902.GC22459@gravity.phys.uwm.edu> <50C16513.5040404@symas.com>
- User-agent: Mutt/1.5.20 (2009-06-14)
> Scott Koranda wrote:
> >Hello,
> >
> >As part of an evaluation and testing phase, on a Debian
> >Squeeze system using version 2.4.23 of OpenLDAP I successfully
> >configured and used the slapd-meta backend. The configuration
> >looked like this:
> >
> >database meta
> >suffix "dc=test,dc=myorg,dc=org"
> >
> >uri "ldapi:///o=external,dc=test,dc=myorg,dc=org"
> >
> >acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
> >acl-passwd passwd
> >idassert-bind bindmethod=simple
> > binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
> > credentials="passwd"
> > mode=self
> >
> >uri "ldapi:///o=internal,dc=test,dc=myorg,dc=org"
> >
> >acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
> >acl-passwd passwd
> >idassert-bind bindmethod=simple
> > binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
> > credentials="passwd"
> > mode=self
> >
> >To prepare for a production deployment I then compiled
> >OpenLDAP 2.4.33 using this set of configure options:
> >
> >./configure --prefix=/opt/openldap-2.4.33 --enable-slapd
> >--enable-cleartext --enable-rewrite --enable-bdb --enable-hdb
> >--enable-ldap --enable-meta --enable-rwm
> >
> >I attempted to use the same configuration for the slapd-meta
> >backend. My queries to slapd no longer returned anything and I
> >saw this in the debug output:
> >
> >50c15573 conn=1000 op=1 meta_search_dobind_init[0] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
> >50c15573 conn=1000 op=1 meta_search_dobind_init[1] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
> >
> >I interpret this to mean that the slapd-meta backend is
> >deciding it does not have a credential to use and is binding
> >anonymously to the proxied services.
> >
> >How should I change my configuration above so that the most
> >recent version of OpenLDAP will be able to bind to the proxied
> >services in the way that happened with version 2.4.23?
> >
> >Note that I installed versions between 2.4.23 and 2.4.33
> >(bisection) and found that the change from 2.4.25 to 2.4.26
> >causes the configuration above to go from "working" to "not
> >working". Versions 2.4.26 and above that I tested result in
> >the "non-empty dn with empty cred" in the debug output.
>
> The only relevant change to back-meta from 2.4.25 to .26 is for
> ITS#6909. Perhaps you can retest your config with that patch
> reverted and see how it goes.
>
I read ITS#6909 but I do not see the actual patch that was
applied. A patch was provided by the initial reporter but it
looks like a different solution was implemented.
So I compared the file servers/slapd/back-meta/search.c from
versions 2.4.25 and 2.4.33 and edited 2.4.33 so that now the
only difference between it and the 2.4.25 version is
604,606c605,606
< rc = ldap_back_map_attrs( &mt->mt_rwmap.rwm_at,
< op->ors_attrs, BACKLDAP_MAP,
&mapped_attrs,
< op->o_tmpmemctx );
---
> rc = ldap_back_map_attrs( op, &mt->mt_rwmap.rwm_at,
> op->ors_attrs, BACKLDAP_MAP,
> &mapped_attrs );
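Review bot: this hunk changes only how op->ors_attrs are mapped through ldap_back_map_attrs() (op is now passed as the first argument and the separate op->o_tmpmemctx argument is gone, so the memory context presumably comes from op); nothing in it touches how meta_search_dobind_init() chooses a bind DN and credential, so keeping this hunk while reverting the rest of search.c to 2.4.25 should not be expected to change the "non-empty dn with empty cred; binding anonymously" outcome, and the ITS#6909 change is worth looking for in the back-meta files that handle binds rather than in search.c. Also, the pasted diff has lost the leading "<" on the "&mapped_attrs," line and carries no file header, so anyone re-applying it by hand should take the three-line call from the 2.4.25 source directly.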
I cannot easily revert that change since it looks like the definition
of the function ldap_back_map_attrs() changed.
I recompiled 2.4.33 with this edited version of search.c and
tested but unfortunately I still see the "non-empty dn with
empty cred" message in the debug output and it appears that the
meta backend is still attempting to bind anonymously.
Scott
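For reference, the two-target proxy from the quoted configuration written with the acl-bind directive, which slapd-meta(5) documents as the replacement for the deprecated acl-authcDN/acl-passwd pair. This is an added example, not a configuration from this thread or from the OpenLDAP project, and nothing in the thread establishes that it changes the bind behaviour reported above; the suffixes, the uid=foswiki service account and the placeholder password "passwd" are carried over from the quoted message.

```conf
# Added example (not from this thread): slapd-meta proxy with two ldapi://
# targets, using the acl-bind directive documented in slapd-meta(5) instead
# of the deprecated acl-authcDN / acl-passwd pair. Suffixes and the
# uid=foswiki service account are taken from the quoted message; "passwd"
# is a placeholder. This file holds a credential: keep it mode 0600 and
# owned by the user slapd runs as.

database        meta
suffix          "dc=test,dc=myorg,dc=org"

# --- first target: o=external ---
uri             "ldapi:///o=external,dc=test,dc=myorg,dc=org"

# identity slapd-meta uses for its own access-control lookups on this target
# (continuation lines start with whitespace, as slapd.conf(5) requires)
acl-bind        bindmethod=simple
                binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
                credentials="passwd"

# identity used when asserting the client's identity to the target;
# see slapd-meta(5) for the meaning of the mode= values
idassert-bind   bindmethod=simple
                binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
                credentials="passwd"
                mode=self

# --- second target: o=internal ---
uri             "ldapi:///o=internal,dc=test,dc=myorg,dc=org"

acl-bind        bindmethod=simple
                binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
                credentials="passwd"

idassert-bind   bindmethod=simple
                binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
                credentials="passwd"
                mode=self
```

When re-testing a change like this, the line to watch in the slapd debug output is the meta_search_dobind_init one quoted above: as long as it reports "non-empty dn with empty cred; binding anonymously" for a target, the backend has not found a credential to use for that target, and a search that silently returns nothing should be read in that light rather than as an empty result.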