quanah@openldap.org wrote:
Full_Name: Quanah Gibson-Mount
Version: 2.4.44
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.26)
When slapo-pcache is set up to use the user credentials for binding, the first bind will succeed accordingly, but subsequent binds will fall back to anonymous, as slapd logs that the credentials are not found:
58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni association,ou=people,dc=example,dc=com" without creds, binding anonymously
ldap_sasl_bind
This is trivial to reproduce by making a slight modification to test020-proxycache:
index f4e5cb7..105b911 100755 --- a/tests/scripts/test020-proxycache +++ b/tests/scripts/test020-proxycache @@ -645,6 +645,22 @@ if test $RC != 4 ; then test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait exit 1 fi
+CNT=`expr $CNT + 1` +FILTER="(sn=Jon)" +ATTRS="cn mail telephonenumber" +echo "Query $CNT: (Result should not be cached)" +echo "# Query $CNT: (Result should not be cached)" >> $SEARCHOUT +$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \
-D "$USERDN" -w "$UPASSWD" "$FILTER" $ATTRS >> $SEARCHOUT 2>> $TESTOUT
+RC=$?
+if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
+fi
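Review bot: the added block only fails on a non-zero ldapsearch exit status (`+if test $RC != 0 ; then`), which cannot tell a Bind forwarded with $USERDN's credentials from one downgraded to anonymous, because the search for `cn mail telephonenumber` on $PORT2 succeeds either way; the behaviour is only visible in slapd.2.log, as the report itself notes. To make the case assert something, grep slapd.2.log after the query for `ldap_back_dobind_int` together with `without creds, binding anonymously` and `exit 1` on a match (or search for an attribute the remote's ACLs hide from anonymous clients and fail if it is missing from $SEARCHOUT), and reword `echo "Query $CNT: (Result should not be cached)"` to say what is actually under test, namely whether the proxied Bind carries credentials, since search-result caching is not what this query checks.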
The error test case isn't useful here, but slapd.2.log can be examined to see the behavior.
It appears that there's a problem with this block of code in back-ldap/bind.c, that starts at line 2489 in RE24:
This title is misleading. slapo-pcache doesn't forget anything. The point is that when slapo-pcache is configured to cache Binds, if a Bind is answerable from the cache then pcache answers it and the underlying backend doesn't ever see the Bind request.
slapo-pcache is working as designed.
back-ldap is also working as designed, in test020. In particular, it cannot do an authenticated connection to the remote backend unless you configure proxyAuthz or rebind-as-user and neither of those are set in the test020 config. Without either of these possibilities for providing authentication/authorization, it of course must connect anonymously to the remote.
Also rebind-as-user won't work here since back-ldap only caches those credentials for the duration of one session. So, the only method that will work is to use proxyAuthz.
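The two back-ldap configurations the reply contrasts, as an added slapd.conf fragment that is not OpenLDAP's tests/data/slapd-proxycache.conf or any other file from the project: fragment 1 reproduces the situation described in the report (pcache caches Binds, back-ldap has nothing to authenticate as, so the remote connection is anonymous); fragment 2 adds identity assertion (idassert-bind with the proxyAuthz control, mode=self) so that every operation the cache cannot answer is performed on the remote as the client's own identity. Hostnames, ports, DNs, the proxy account and its password are assumptions; use one fragment or the other, not both, since they share a suffix.

```conf
# Constructed slapd.conf fragment (added example, not OpenLDAP's test020 config).
# Hostnames, ports, DNs, proxy account and password are assumptions.
# Pick ONE of the two "database ldap" sections below; they share a suffix.

# --- 1. Situation from the report: Binds are cached by pcache, back-ldap has no
#        identity to bind with, so the remote only ever sees anonymous sessions ---
database        ldap
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
uri             "ldap://remote.example.com:389/"
# Neither idassert-bind nor rebind-as-user is set, so slapd logs
#   ldap_back_dobind_int: DN="..." without creds, binding anonymously
# for every operation it has to forward on behalf of a bound user.

overlay         pcache
pcache          mdb 100 2 1000 100
pcacheAttrset   0 sn cn title uid
pcacheAttrset   1 mail postaladdress telephonenumber cn uid
pcacheTemplate  (sn=) 0 3600
pcacheTemplate  (&(sn=)(givenName=)) 0 3600
# Cache Simple Bind credentials: a repeated Bind matching this template is
# answered by pcache itself and never reaches back-ldap (working as designed).
pcacheBind      (uid=) 0 3600 sub "dc=example,dc=com"
directory       ./db.cache
index           objectClass     eq
index           cn,sn,uid,mail  pres,eq,sub

# --- 2. Corrected: assert the client's identity on the remote via proxyAuthz ---
database        ldap
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
uri             "ldap://remote.example.com:389/"
# back-ldap binds to the remote as one fixed proxy account and attaches the
# proxyAuthz control carrying the client's DN to each forwarded operation.
# No per-client credentials are needed on the proxy, so a Bind answered from
# the pcache does not matter.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="proxy-secret-assumed"
                mode=self
                authz=proxyauthz
# Which client identities may be asserted; "*" allows every authenticated DN.
idassert-authzFrom "*"
# Not a fix here (kept commented out): credentials are held per session only,
# and a Bind served from the pcache never opens the remote session that would
# store them.
# rebind-as-user yes

overlay         pcache
pcache          mdb 100 2 1000 100
pcacheAttrset   0 sn cn title uid
pcacheAttrset   1 mail postaladdress telephonenumber cn uid
pcacheTemplate  (sn=) 0 3600
pcacheTemplate  (&(sn=)(givenName=)) 0 3600
pcacheBind      (uid=) 0 3600 sub "dc=example,dc=com"
directory       ./db.cache
index           objectClass     eq
index           cn,sn,uid,mail  pres,eq,sub
```

Two things to check after switching to fragment 2: the remote slapd must allow the proxy account to assume the asserted identities (authz-policy together with an authzTo rule on the proxy entry, or the corresponding authzFrom rules on the users), otherwise the forwarded operations are refused; and the "without creds, binding anonymously" line from the report should no longer appear in the proxy's log for authenticated clients, which is the quickest way to confirm the change took effect.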