Full_Name: Dirk Kastens
Version: 2.4.40
OS: RedHat SL 7.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:638:508:3d0:8d09:a681:a06e:29f0)

This is a duplicate of bug #7993 that has been closed.
Meanwhile I compiled openldap myself.
At first, I compiled openldap-2.4.40. I configured ldap as a replica server. It connects with saslmech EXTERNAL to the master server. When I configure idassert-bind with saslmech EXTERNAL and try to change an entry, ldapmodify fails with
ldap_modify: Other (e.g., implementation specific) error (80)
slapd logs the message:
---------------------------
send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
>>> dnPrettyNormal: <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
<<< dnPrettyNormal: <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>, <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
conn=1000 op=1 ldap_chain_op: ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de" -> "ldap://ldap-master.rz.uni-osnabrueck.de"
conn=1000 op=1 ldap_chain_op: ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de": URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
=>ldap_back_getconn: conn=1000 op=1: lc=0x7faca820bc70 inserted refcnt=1 rc=0
Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text="misconfigured URI?"
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text=""
send_ldap_response: msgid=2 tag=103 err=80
---------------------------
Then I compiled openldap-2.4.26 and used the same configuration. The modify with saslmech EXTERNAL succeeded:
---------------------------
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=10 matched="" text=""
send_ldap_result: referral="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de"
>>> dnPrettyNormal: <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
<<< dnPrettyNormal: <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>, <uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de>
conn=1001 op=1 ldap_chain_op: ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de" -> "ldap://ldap-master.rz.uni-osnabrueck.de"
conn=1001 op=1 ldap_chain_op: ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de": URI="ldap://ldap-master.rz.uni-osnabrueck.de" found in cache
=>ldap_back_getconn: conn=1001 op=1: lc=0x7f4f201fe6f0 inserted refcnt=1 rc=0
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=103 err=0
---------------------------
With a quick look I found out that the function ldap_back_dobind_int in server/slapd/back-ldap/bind.c differs. In 2.4.26 you have:
---------------------------
if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
    if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
        /* if we got here, it shouldn't return result */
        rc = ldap_back_is_proxy_authz( op, rs,
            LDAP_BACK_DONTSEND, &binddn, &bindcred );
        assert( rc == 1 );
    }
    rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred );
    goto done;
}
---------------------------
while in 2.4.40 there is:
---------------------------
if ( LDAP_BACK_CONN_ISIDASSERT( lc ) ) {
    if ( BER_BVISEMPTY( &binddn ) && BER_BVISEMPTY( &bindcred ) ) {
        /* if we got here, it shouldn't return result */
        rc = ldap_back_is_proxy_authz( op, rs,
            LDAP_BACK_DONTSEND, &binddn, &bindcred );
        if ( rc != 1 ) {
            Debug( LDAP_DEBUG_ANY, "Error: ldap_back_is_proxy_authz "
                "returned %d, misconfigured URI?\n", rc, 0, 0 );
            rs->sr_err = LDAP_OTHER;
            rs->sr_text = "misconfigured URI?";
            LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
            if ( sendok & LDAP_BACK_SENDERR ) {
                send_ldap_result( op, rs );
            }
            goto done;
        }
    }
    rc = ldap_back_proxy_authz_bind( lc, op, rs, sendok, &binddn, &bindcred );
    goto done;
}
---------------------------
This is where the error message comes from ("misconfigured URI?").
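
The following is an added example, not part of the original report or of OpenLDAP: a small log-triage script that pairs each chained operation in a slapd debug log with the `ldap_back_is_proxy_authz` return value and the final result code, so failed idassert chains like the one above can be found quickly. The sample log is constructed from the lines quoted in the report (both runs combined), and the function names are hypothetical.

```python
import re

# Constructed sample: debug lines quoted in the report, 2.4.40 run then 2.4.26 run.
SAMPLE_LOG = '''\
conn=1000 op=1 ldap_chain_op: ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de" -> "ldap://ldap-master.rz.uni-osnabrueck.de"
=>ldap_back_getconn: conn=1000 op=1: lc=0x7faca820bc70 inserted refcnt=1 rc=0
Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text="misconfigured URI?"
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text=""
conn=1001 op=1 ldap_chain_op: ref="ldap://ldap-master.rz.uni-osnabrueck.de/uid=xmuster,ou=people,dc=uni-osnabrueck,dc=de" -> "ldap://ldap-master.rz.uni-osnabrueck.de"
=>ldap_back_getconn: conn=1001 op=1: lc=0x7f4f201fe6f0 inserted refcnt=1 rc=0
send_ldap_result: conn=1001 op=1 p=3
send_ldap_result: err=0 matched="" text=""
'''

CONN_OP = re.compile(r'conn=(\d+) op=(\d+)')
CHAIN = re.compile(r'ldap_chain_op: ref="[^"]*" -> "([^"]+)"')
AUTHZ = re.compile(r'ldap_back_is_proxy_authz returned (-?\d+)')
RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')

def chained_results(log_text):
    """One record per chained op: target URI, proxy-authz rc, last err, first text."""
    ops, current = {}, None
    for line in log_text.splitlines():
        m = CONN_OP.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
        # Assumption: lines without conn/op belong to the last id seen
        # (holds for a single-client test log, not for interleaved threads).
        m = CHAIN.search(line)
        if m and current:
            ops[current] = {"conn": current[0], "op": current[1],
                            "target": m.group(1), "authz_rc": None,
                            "err": None, "text": ""}
            continue
        rec = ops.get(current)
        if rec is None:
            continue  # e.g. the err=10 referral result logged before chaining
        m = AUTHZ.search(line)
        if m:
            rec["authz_rc"] = int(m.group(1))
        m = RESULT.search(line)
        if m:
            rec["err"] = int(m.group(1))
            rec["text"] = rec["text"] or m.group(2)
    return list(ops.values())

def failed_idassert(log_text):
    """Chained ops where ldap_back_is_proxy_authz was logged with rc != 1."""
    return [r for r in chained_results(log_text)
            if r["authz_rc"] is not None and r["authz_rc"] != 1]
```
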