Hello, thank you for reading this post!

Is it possible to configure openldap to cache the search operation necessary to perform mapped bind rewrites? The slapo-pcache man page has given me hope but I’m stuck making it happen.

I’m able to map and rewrite a bind, cache binds, and cache search results. But I'm stuck trying to cache the search operation that openldap completes for looking up a mapped attribute. For example I can bind with a string like:

mail=pfoo@somedomain.com,ou=Students,dc=domain,dc=com

slapd.conf maps that through overlay rwm like:

rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub"

rwm-rewriteContext bindDN

rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":"

to an actual DN of:

cn=Foo\, Peter (pfoo),ou=Students,dc=domain,dc=com

and some pcache definitions will cache binds and certain searches - this works great.

In reviewing the openldap log and network packets to confirm caching, I noticed search requests to attr=1.1. So I tried to define a pcachetemplate for those requests like this:

pcacheAttrset  0 1.1

pcacheTemplate (mail=) 0 1800

When I search for attribute 1.1 and bind using a dn that doesn’t need to be rewritten, I get search results and they are cached. However, when I search for 1.1 and bind using a dn that needs to be rewritten, the server complains of a segmentation fault.

conn=1000 fd=12 ACCEPT from IP=127.0.0.1:54533 (IP=0.0.0.0:389)

conn=1000 op=0 BIND dn="mail=pfoo@somedomain.com,ou=Students,dc=TEST_HOST,dc=TEST_COM" method=128

conn=1001 fd=14 ACCEPT from IP=127.0.0.1:54534 (IP=0.0.0.0:389)

conn=1001 op=0 SRCH base="ou=Students,dc=TEST_HOST,dc=TEST_COM" scope=2 deref=0 filter="(mail=pfoo@somedomain.com)"

conn=1001 op=0 SRCH attr=1.1

query template of incoming query = (mail=)

Entering QC, querystr = (mail=pfoo@somedomain.com)

Lock QC index = 0xa2d8798

Not answerable: Unlock QC index=0xa2d8798

QUERY NOT ANSWERABLE

QUERY CACHEABLE

Segmentation fault

And with loglevel -1:

** ld 0xb3a08480 Outstanding Requests:

* msgid 1,  origid 1, status InProgress

   outstanding referrals 0, parent count 0

  ld 0xb3a08480 request count 1 (abandoned 0)

** ld 0xb3a08480 Response Queue:

* msgid 1,  type 100

  ld 0xb3a08480 response count 1

ldap_chkResponseList ld 0xb3a08480 msgid 1 all 1

ldap_chkResponseList returns ld 0xb3a08480 NULL

ldap_int_select

Segmentation fault

Is there a setting to have openldap cache internal operations like that or is there a way to cache that special attr=1.1 search operation? Any suggestions would be greatly appreciated.

Many thanks!

Dave

# from slapd.conf

# 2.4.26 (--enable-overlays --enable-bdb --enable-ldap --enable-meta --with-tls=openssl)

include                 /opt/openldap/proxy/etc/openldap/schema/core.schema

include                 /opt/openldap/proxy/etc/openldap/schema/cosine.schema

include                 /opt/openldap/proxy/etc/openldap/schema/inetorgperson.schema

include                 /opt/openldap/proxy/etc/openldap/schema/myorg.schema

pidfile                   /opt/openldap/proxy/var/run/slapd.pid

argsfile /opt/openldap/proxy/var/run/slapd.args

loglevel -1

database             ldap

lastmod                off

suffix                     "dc=TEST_HOST,dc=TEST_COM"

rootdn                  "cn=admin,dc=TEST_HOST,dc=TEST_COM"

rootpw                                 config

uri             "ldap://10.100.142.132"

idassert-bind bindmethod=simple

                      mode=self

                      binddn="cn=testadmin,cn=Users,dc=TEST_HOST,dc=TEST_COM"

                      credentials="secret"

idassert-authzFrom      "dn.regex:.*"

# cache of ldap is in bdb format

overlay pcache

pcache  bdb 100000 2 50 900

pcacheAttrset  0 *

pcacheTemplate (&(sn=)(givenname=)) 0 1800

pcacheBind (&(sn=)(givenname=)) 0 1800 sub "ou=Students,dc=TEST_HOST,dc=TEST_COM"

# with this definition, the server will segmentation fault after search/bind requests where the bind needs to be rewritten

#pcacheAttrset 1 1.1

#pcacheTemplate (mail=) 1 1800

cachesize                             100000

pcachePosition                                 tail

directory              /var/lib/ldap

index                     sn,givenname                   pres,eq,sub

index                     cn                                           pres,eq,sub

index                     mail                                        eq

index                     objectclass                          eq

# ***************************************************************

# start of rewrite stuff

overlay                 rwm

rwm-rewriteEngine on

rwm-map attribute studentID employeeID

## source DN map

rwm-rewriteMap ldap source2dn "ldap:///ou=Students,dc=TEST_HOST,dc=TEST_COM?dn?sub"

rwm-rewriteContext default

rwm-rewriteRule "(.+,)?dc=TEST_HOST,dc=TEST_COM" "$1dc=TEST_HOST,dc=TEST_COM" ":"

rwm-rewriteContext bindDN

rwm-rewriteRule "^mail=([^,]*),ou=Students,dc=TEST_HOST,dc=TEST_COM" "${source2dn(mail=$1)}" ":"