mbackes@symas.com wrote:
A basic back-ldap configuration with the password policy overlay stacked on top results in an assertfail for the second bind. e.g. given a working (possibly empty db) on ldap://localhost:1389/...
include ...../core.schema
include ...../ppolicy.schema

modulepath .....
moduleload back_ldap.la
moduleload ppolicy.la

database ldap
suffix ""
uri ldap://localhost:1389/
After performing a successful remote bind, the next bind attempt halts the back-ldap directory with:
slapd: bind.c:905: ldap_back_getconn: Assertion `( li->li_idassert.si_flags & (0x02U) )' failed.
where 0x02U here is LDAP_BACK_AUTH_OVERRIDE.
This happens under both OpenLDAP 2.3 and 2.4.
I've been able to reproduce the issue, and I think it's solved (back-ldap/search.c 1.235 -> 1.236); however I'm afraid I didn't understand all the details of your configuration, so I might have tested something different.
The bug was in ldap_back_entry_get() setting up a connection based on the o_tag field, which is that of the current operation (a bind, in your case). I fixed it by always re-setting the tag to LDAP_REQ_SEARCH, under the assumption that ldap_back_entry_get() doesn't need to know what operation required the entry to be looked up.
Please test and report; in case of further issues, I might need the full slapd.conf of the proxy (unless the above is all, of course...)
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
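
A regression check for the crash discussed in this thread, added here as an example and not part of the original messages or of OpenLDAP: it performs consecutive simple binds through the proxy and reports the first attempt that fails (a result of 2 matches the reported symptom). The function name, the LDAPWHOAMI override, and the URI, bind DN and password-file arguments are assumptions.

```sh
#!/bin/sh
# Added regression check (not from the original thread).
# Assumptions: the caller supplies the proxy URI, a bind DN that exists on the
# remote server, and a file holding that DN's password (read via -y so the
# password does not appear on the command line).
# LDAPWHOAMI may be overridden so the check can be exercised without a server.
: "${LDAPWHOAMI:=ldapwhoami}"

# first_failed_bind URI BIND_DN PW_FILE [ATTEMPTS]
# Performs ATTEMPTS (default 3) consecutive simple binds through the proxy.
# Prints the 1-based index of the first bind that fails, or 0 if all succeed.
# Returns non-zero when any bind fails.
first_failed_bind() {
    uri=$1
    dn=$2
    pwfile=$3
    attempts=${4:-3}
    i=1
    while [ "$i" -le "$attempts" ]; do
        # -x: simple bind, -H: server URI, -D: bind DN, -y: password file
        if ! $LDAPWHOAMI -x -H "$uri" -D "$dn" -y "$pwfile" >/dev/null 2>&1; then
            echo "$i"
            return 1
        fi
        i=$((i + 1))
    done
    echo 0
    return 0
}

# Example invocation (constructed values, adjust to the proxy under test):
#   first_failed_bind ldap://localhost:1390/ "cn=test,dc=example,dc=com" ./pw.txt
```

A non-zero result only says which bind failed; check the proxy's log or process state to confirm whether slapd aborted on the assertion or simply rejected the credentials.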