Full_Name: Quanah Gibson-Mount
Submission from: (NULL) (18.104.22.168)
When slapo-pcache is set up to use the user credentials for binding, the first
bind will succeed accordingly, but subsequent binds will fall back to anonymous,
as slapd logs that the credentials are not found:
58645256 conn=1024 op=1 ldap_back_dobind_int: DN="cn=james a jones 1,ou=alumni
association,ou=people,dc=example,dc=com" without creds, binding
This is trivial to reproduce by making a slight modification to
index f4e5cb7..105b911 100755
@@ -645,6 +645,22 @@ if test $RC != 4 ; then
test $KILLSERVERS != no && kill -HUP $KILLPIDS && wait
+CNT=`expr $CNT + 1`
+ATTRS="cn mail telephonenumber"
+echo "Query $CNT: (Result should not be cached)"
+echo "# Query $CNT: (Result should not be cached)" >> $SEARCHOUT
+$LDAPSEARCH -S "" -b "$BASEDN" -h $LOCALHOST -p $PORT2 \
+ -D "$USERDN" -w "$UPASSWD" "$FILTER" $ATTRS
>> $SEARCHOUT 2>> $TESTOUT
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
The error test case isn't useful here, but slapd.2.log can be examined to see
It appears that there's a problem with this block of code in back-ldap/bind.c,
that starts at line 2489 in RE24:
This title is misleading. slapo-pcache doesn't forget anything. The point is
that when slapo-pcache is configured to cache Binds, if a Bind is answerable
from the cache then pcache answers it and the underlying backend doesn't ever
see the Bind request.
slapo-pcache is working as designed.
back-ldap is also working as designed, in test020. In particular, it cannot do
an authenticated connection to the remote backend unless you configure
proxyAuthz or rebind-as-user and neither of those are set in the test020
config. Without either of these possibilities for providing
authentication/authorization, it of course must connect anonymously to the remote.
Also rebind-as-user won't work here since back-ldap only caches those
credentials for the duration of one session. So, the only method that will
work is to use proxyAuthz.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/