The bug is in the fact that (cn=) is an invalid filter, because cn's
syntax is directoryString, which does not allow the empty string. As
such, the filter evaluates to undefined, and this is not properly handled
by back-sql. A fix is in HEAD, please test (you only need to patch
back-sql/search.c and the patch should apply to almost any OpenLDAP 2.4
The "strict" and the "ignore" keywords must be part of a single argument.
In fact, the unique_uri statement only takes one argument, consisting of
the optional "strict" and "ignore" keywords followed by a list of URIs.
In order to be recognized as a single argument, the whole thing needs to
be included in double quotes, like
unique_uri "strict ldap:///dc=example,dc=com?uid?sub?(objectClass=account)"
As far as I recall, this is a known issue, although I could not locate
early postings discussing this issue. What happens is that proxy cache
makes use of the first item in the filter to discriminate between
responses. In your filter template, the first item is the objectClass
equality, which means that any filter with that objectClass value,
regardless of the uid value, is treated as a duplicate of the first one.
If you reverse the order of the equality filters you'll get the expected
behavior. There should be another open ITS for this issue, but I can't
locate it right now.
> Just in case, before it becomes totally incompatible with HEAD code, I
> have a patch I never committed, it's about making pcache admin-friendly if
> it makes any sense.
> It adds:
> - a (persistent) counter that reports, for each query, how many times it
> evaluated to answerable
> - "proxycache-" prefixed statements are passed to the private database.
> This allows to avoid ambiguities when applying general database directives
> in slapd.conf. In fact, it is not clear whether they apply to the proxy
> database or to the cache database.
> If they make sense, I'd like to commit them before slapo-pcache
> enhancement begins.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/