
Re: slapd-meta configuration details



> Scott Koranda wrote:
> >Hello,
> >
> >As part of an evaluation and testing phase, on a Debian
> >Squeeze system using version 2.4.23 of OpenLDAP I successfully
> >configured and used the slapd-meta backend. The configuration
> >looked like this:
> >
> >database meta
> >suffix "dc=test,dc=myorg,dc=org"
> >
> >uri "ldapi:///o=external,dc=test,dc=myorg,dc=org"
> >
> >acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
> >acl-passwd passwd
> >idassert-bind bindmethod=simple
> >     binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
> >     credentials="passwd"
> >     mode=self
> >
> >uri "ldapi:///o=internal,dc=test,dc=myorg,dc=org"
> >
> >acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
> >acl-passwd passwd
> >idassert-bind bindmethod=simple
> >     binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
> >     credentials="passwd"
> >     mode=self
> >
> >To prepare for a production deployment I then compiled
> >OpenLDAP 2.4.33 using this set of configure options:
> >
> >./configure --prefix=/opt/openldap-2.4.33 --enable-slapd
> >--enable-cleartext --enable-rewrite --enable-bdb --enable-hdb
> >--enable-ldap --enable-meta --enable-rwm
> >
> >I attempted to use the same configuration for the slapd-meta
> >backend. My queries to slapd no longer returned anything and I
> >saw this in the debug output:
> >
> >50c15573 conn=1000 op=1 meta_search_dobind_init[0] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
> >50c15573 conn=1000 op=1 meta_search_dobind_init[1] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
> >
> >I interpret this to mean that the slapd-meta backend is
> >deciding it does not have a credential to use and is binding
> >anonymously to the proxied services.
> >
> >How should I change my configuration above so that the most
> >recent version of OpenLDAP will be able to bind to the proxied
> >services in the way that happened with version 2.4.23?
> >
> >Note that I installed versions between 2.4.23 and 2.4.33
> >(bisection) and found that the change from 2.4.25 to 2.4.26
> >causes the configuration above to go from "working" to "not
> >working". Versions 2.4.26 and above that I tested result in
> >the "non-empty dn with empty cred" in the debug output.
> 
> The only relevant change to back-meta from 2.4.25 to .26 is for
> ITS#6909. Perhaps you can retest your config with that patch
> reverted and see how it goes.
> 

I read ITS#6909 but I do not see the actual patch that was
applied. A patch was provided by the initial reporter but it
looks like a different solution was implemented.

So I compared the file server/slapd/back-meta/search.c from
versions 2.4.25 and 2.4.33 and edited 2.4.33 so that now the
only difference between it and the 2.4.25 version is

604,606c605,606
<       rc = ldap_back_map_attrs( &mt->mt_rwmap.rwm_at,
<                       op->ors_attrs, BACKLDAP_MAP,
&mapped_attrs,
<                       op->o_tmpmemctx );
---
>       rc = ldap_back_map_attrs( op, &mt->mt_rwmap.rwm_at,
>                       op->ors_attrs, BACKLDAP_MAP,
>                       &mapped_attrs );
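Review bot: this hunk only changes the call signature of ldap_back_map_attrs(): op becomes the first argument and the trailing op->o_tmpmemctx argument is dropped, so the callee presumably takes the temporary memory context from op itself. Nothing in these lines touches the bind DN or credential handling, so keeping or reverting this call cannot affect the "non-empty dn with empty cred" fallback; the credential-related part of the 2.4.26 change has to be somewhere other than this search.c region. Minor: the unprefixed line "&mapped_attrs," is a wrapped continuation of the preceding "<" line, not a separate diff line.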

I cannot easily revert that change since it looks like the definition
of the function ldap_back_map_attrs() changed.

I recompiled 2.4.33 with this edited version of search.c and
tested but unfortunately I still see the "non-empty dn with
empty cred" message in the debug output and it appears that the
meta backend is still attempting to bind anonymously.

Scott
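Added example (my own code, not from the thread or from OpenLDAP): a small Python checker that joins slapd.conf continuation lines, groups the idassert-bind settings under each uri of the meta database, flags targets that name a binddn without credentials, and extracts the "binding anonymously" fallbacks from debug output like the lines quoted above. The config and log samples are constructed from the thread, and the second target is deliberately left without credentials so the check fires; the thread's real config has credentials on both targets and would pass it.

```python
import re, shlex
# Constructed slapd.conf-style sample after the thread's config; target 2 lacks credentials on purpose.
META_CONF = """\
uri "ldapi:///o=external,dc=test,dc=myorg,dc=org"
idassert-bind bindmethod=simple
     binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
     credentials="passwd"
     mode=self
uri "ldapi:///o=internal,dc=test,dc=myorg,dc=org"
idassert-bind bindmethod=simple
     binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
     mode=self
"""
# Constructed copy of the two debug lines quoted in the thread.
DEBUG_LOG = """\
50c15573 conn=1000 op=1 meta_search_dobind_init[0] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
50c15573 conn=1000 op=1 meta_search_dobind_init[1] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
"""

def logical_lines(conf_text):
    """slapd.conf(5): a line starting with whitespace continues the previous one."""
    out = []
    for raw in (l for l in conf_text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_meta_targets(conf_text):
    """One dict per 'uri' target holding the key=value pairs of its idassert-bind."""
    targets = []
    for line in logical_lines(conf_text):
        directive, *args = shlex.split(line)  # shlex strips the quotes around DN values
        if directive.lower() == "uri":
            targets.append({"uri": args[0], "idassert": {}})
        elif directive.lower() == "idassert-bind" and targets:
            targets[-1]["idassert"] = dict(a.split("=", 1) for a in args if "=" in a)
    return targets

def targets_without_credentials(conf_text):
    """Targets with a binddn but no credentials: the shape behind 'non-empty dn with empty cred'."""
    return [t["uri"] for t in parse_meta_targets(conf_text)
            if t["idassert"].get("binddn") and not t["idassert"].get("credentials")]
ANON_RE = re.compile(r"conn=(\d+) op=(\d+) meta_search_dobind_init\[(\d+)\].*binding anonymously")
def anonymous_fallbacks(log_text):
    """(conn, op, target index) for each debug line recording an anonymous fallback bind."""
    matches = (ANON_RE.search(line) for line in log_text.splitlines())
    return [tuple(int(g) for g in m.groups()) for m in matches if m]
```

Run against a live slapd.conf and a debug log, the two lists together tell you which proxied target fell back to an anonymous bind and whether the configuration itself explains it.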