I'm testing OpenLDAP 2.4.14 on Centos 5.2, used as a reverse
proxy to AD. When
slapd is run with debugging disabled (or set to 0), search requests throw the
DSID-0C090627: In order to perform this operation a successful bind must be
completed on the connection.
When run with any other debug value, it returns the results correctly. In both
cases, the logs show a successful bind with the acl-bind user, the search finds
the correct result, and acl's show access granted to read. The only difference
is what is returned.
If I hammer the requests through, I do occasionally get the correct answer when
using -d 0, and I also occasionally get the error with -d 1.
The d0 files are from slapd started with -d 0 (failing)
The d1 files are from slapd started with -d 1 (working)
The problem seems to be not so repeatable. First of all, the right
response is the error, since it fails while chasing referrals, and you
didn't instruct it to chase referrals with authentication.
Moreover, I've set up a system that mimics your setup, and the host
containing the referred object is always returning the error, but the
proxy is presenting it only occasionally. So the proxy's behavior looks
erratic, and this is a bug, but your configuration looks broken.
I'll look at the bug; in the meanwhile, you may want to fix your
configuration by adding
chain-uri <the referred URI with no DN>
chain-idassert-bind <info to allow proxyauthz of users>
See slapo-chain for details. Another option is to use
but I suspect it's broken and, in any case, it does not allow you to
control what hosts are actually given the user's credentials, or to
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497