Hello, thank you for reading this post!
Is it possible to configure openldap to cache the search operation necessary to perform mapped bind rewrites? The slapo-pcache man page has given me hope but I’m stuck making it happen.
I’m able to map and rewrite a bind, cache binds, and cache search results. But I'm stuck trying to cache the search operation that openldap completes for looking up a mapped attribute. For example I can bind with a string like:
mail=pfoo@somedomain.com,ou=Students,dc=domain,dc=com
slapd.conf maps that through overlay rwm like:
rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":"
to an actual DN of:
cn=Foo\, Peter (pfoo),ou=Students,dc=domain,dc=com
and some pcache definitions will cache binds and certain searches - this works great.
In reviewing the openldap log and network packets to confirm caching, I noticed search requests to attr=1.1. So I tried to define a pcachetemplate for those requests like this:
pcacheAttrset 0 1.1
pcacheTemplate (mail=) 0 1800
When I search for attribute 1.1 and bind using a dn that doesn’t need to be rewritten, I get search results and they are cached. However, when I search for 1.1 and bind using a dn that needs to be rewritten, the server complains of a segmentation fault.
conn=1000 fd=12 ACCEPT from IP=127.0.0.1:54533 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="mail=pfoo@somedomain.com,ou=Students,dc=TEST_HOST,dc=TEST_COM" method=128
conn=1001 fd=14 ACCEPT from IP=127.0.0.1:54534 (IP=0.0.0.0:389)
conn=1001 op=0 SRCH base="ou=Students,dc=TEST_HOST,dc=TEST_COM" scope=2 deref=0 filter="(mail=pfoo@somedomain.com)"
conn=1001 op=0 SRCH attr=1.1
query template of incoming query = (mail=)
Entering QC, querystr = (mail=pfoo@somedomain.com)
Lock QC index = 0xa2d8798
Not answerable: Unlock QC index=0xa2d8798
QUERY NOT ANSWERABLE
QUERY CACHEABLE
Segmentation fault
And with loglevel -1:
** ld 0xb3a08480 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0xb3a08480 request count 1 (abandoned 0)
** ld 0xb3a08480 Response Queue:
* msgid 1, type 100
ld 0xb3a08480 response count 1
ldap_chkResponseList ld 0xb3a08480 msgid 1 all 1
ldap_chkResponseList returns ld 0xb3a08480 NULL
ldap_int_select
Segmentation fault
Is there a setting to have openldap cache internal operations like that or is there a way to cache that special attr=1.1 search operation? Any suggestions would be greatly appreciated.
Many thanks!
Dave
# from slapd.conf
# 2.4.26 (--enable-overlays --enable-bdb --enable-ldap --enable-meta --with-tls=openssl)
include /opt/openldap/proxy/etc/openldap/schema/core.schema
include /opt/openldap/proxy/etc/openldap/schema/cosine.schema
include /opt/openldap/proxy/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/proxy/etc/openldap/schema/myorg.schema
pidfile /opt/openldap/proxy/var/run/slapd.pid
argsfile /opt/openldap/proxy/var/run/slapd.args
loglevel -1
database ldap
lastmod off
suffix "dc=TEST_HOST,dc=TEST_COM"
rootdn "cn=admin,dc=TEST_HOST,dc=TEST_COM"
rootpw config
uri "ldap://10.100.142.132"
idassert-bind bindmethod=simple
mode=self
binddn="cn=testadmin,cn=Users,dc=TEST_HOST,dc=TEST_COM"
credentials="secret"
idassert-authzFrom "dn.regex:.*"
# cache of ldap is in bdb format
overlay pcache
pcache bdb 100000 2 50 900
pcacheAttrset 0 *
pcacheTemplate (&(sn=)(givenname=)) 0 1800
pcacheBind (&(sn=)(givenname=)) 0 1800 sub "ou=Students,dc=TEST_HOST,dc=TEST_COM"
# with this definition, the server will segmentation fault after search/bind requests where the bind needs to be rewritten
#pcacheAttrset 1 1.1
#pcacheTemplate (mail=) 1 1800
cachesize 100000
pcachePosition tail
directory /var/lib/ldap
index sn,givenname pres,eq,sub
index cn pres,eq,sub
index mail eq
index objectclass eq
# ***************************************************************
# start of rewrite stuff
overlay rwm
rwm-rewriteEngine on
rwm-map attribute studentID employeeID
## source DN map
rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub"
rwm-rewriteContext default
rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":"
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=([^,]*),ou=Students,dc=TEST_HOST,dc=TEST_COM" "${source2dn(mail=$1)}" ":"