ngarratt@gmail.com wrote:
I'm testing OpenLDAP 2.4.14 on CentOS 5.2, used as a reverse proxy to AD. When slapd is run with debugging disabled (or set to 0), search requests throw the following error:
DSID-0C090627: In order to perform this operation a successful bind must be completed on the connection.
When run with any other debug value, it returns the results correctly. In both cases, the logs show a successful bind with the acl-bind user, the search finds the correct result, and ACLs show access granted to read. The only difference is what is returned.
If I hammer the requests through, I do occasionally get the correct answer when using -d 0, and I also occasionally get the error with -d 1.
http://www.nu.co.za/slapd/slapd.conf
http://www.nu.co.za/slapd/d0-ldapsearch.txt
http://www.nu.co.za/slapd/d0-slapdlog.txt
http://www.nu.co.za/slapd/d1-ldapsearch.txt
http://www.nu.co.za/slapd/d1-slapdlog.txt

The d0 files are from slapd started with -d 0 (failing).
The d1 files are from slapd started with -d 1 (working).
The problem seems to be not so repeatable. First of all, the right response is the error, since it fails while chasing referrals, and you didn't instruct it to chase referrals with authentication.
Moreover, I've set up a system that mimics your setup, and the host containing the referred object is always returning the error, but the proxy is presenting it only occasionally. So the proxy's behavior looks erratic, and this is a bug, but your configuration looks broken.
I'll look at the bug; in the meanwhile, you may want to fix your configuration by adding
    chase-referrals no

    overlay chain
    chain-uri <the referred URI with no DN>
    chain-idassert-bind <info to allow proxyauthz of users>
    # ...
See slapo-chain for details. Another option is to use
    chase-referrals no
    rebind-as-user yes
but I suspect it's broken and, in any case, it does not allow you to control what hosts are actually given the user's credentials, or to proxyauthz as.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
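An added example, not part of the thread, of the slapd.conf layout Pierangelo describes: chase-referrals switched off in back-ldap and a global chain overlay that follows the referral with a known identity. Hostnames, DNs, the service account and its password are constructed placeholders.

```conf
# Added example, not from the thread: slapd.conf for a back-ldap proxy in
# front of AD, with referral chasing moved out of back-ldap and into
# slapo-chain so the proxy follows referrals with a known identity.
# Hostnames, DNs and credentials are constructed placeholders.

include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Global (frontend) chain overlay: declared before any database so it
# applies to every referral slapd would otherwise hand back to the client.
overlay                 chain
# Return the chaining error to the client instead of the raw referral.
chain-return-error      TRUE
# The referred server, host (and port) only: no DN component here.
chain-uri               "ldap://dc2.ad.example.test"
# StartTLS on the chained connection so the simple bind below is not sent
# in clear.
chain-tls               start
chain-rebind-as-user    FALSE
# Bind to the referred server as the service account and assert the
# client's identity via the proxied authorization control (RFC 4370).
# If the referred server does not honour that control, use mode=none: the
# chained operation then runs with the service account's own rights.
chain-idassert-bind     bindmethod=simple
                        binddn="cn=svc-ldapproxy,cn=Users,dc=ad,dc=example,dc=test"
                        credentials="PLACEHOLDER-service-password"
                        mode=self
# Least privilege: only identities under cn=Users may be asserted.
chain-idassert-authzFrom "dn.children:cn=Users,dc=ad,dc=example,dc=test"

# The proxy database itself.
database                ldap
suffix                  "dc=ad,dc=example,dc=test"
uri                     "ldap://dc1.ad.example.test"
tls                     start
# chase-referrals defaults to yes, which lets libldap follow referrals on
# the proxy's own connection; that is the path behind the "successful bind
# must be completed" error in the thread. Leave chasing to the overlay.
chase-referrals         no
rebind-as-user          no
# Service identity the proxy uses for its own ACL-related lookups.
acl-bind                bindmethod=simple
                        binddn="cn=svc-ldapproxy,cn=Users,dc=ad,dc=example,dc=test"
                        credentials="PLACEHOLDER-service-password"
```

Check the result with slapd started at the debug level that was failing before, and confirm in the log that the chained search binds to the referred host as the service account rather than anonymously.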