Hi everyone,
I'm setting up an openldap server that proxies _and_ caches everything from other servers (OpenLDAP and AD, that's what the meta database is for).
As for now proxying and caching data works fine but I'm unable to get credentials cached. How is pcacheBind supposed to work?
This is my setup so far:
--%snip%-- # slapd.conf
include /some/schemas/..
sizelimit unlimited
moduleload back_bdb
moduleload back_ldap
moduleload back_meta
moduleload pcache

database ldap
suffix "dc=xyz,dc=de"
rootdn "cn=sys,dc=xyz,dc=de"
uri "ldap://10.0.0.1" # the ldap server I'm talking to
chase-referrals yes
rebind-as-user yes

overlay pcache
pcache bdb 999999 2 999 300
directory /var/lib/ldap-cache
cachesize 1024
index objectClass eq,pres
index uidNumber,gidNumber eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid,memberUid eq,pres,sub
index uniqueMember eq,pres
pcacheMaxQueries 999999
pcacheOffline false
pcachePersist true
pcacheAttrset 0 cn uid objectclass userpassword sn mail memberof displayname
pcacheTemplate (cn=) 0 3600
pcacheAttrset 1 cn uid
pcacheTemplate (cn=) 1 3600
pcacheBind (cn=) 1 3600 sub dc=xyz,dc=de

database meta
suffix "dc=de"
uri "ldap://localhost/dc=xyz,dc=de"
idassert-bind bindmethod=simple binddn="cn=sys,dc=xyz,dc=de" credentials="somecredentials"
chase-referrals yes
rebind-as-user yes
--%snip%--
Now I'm running some queries using ldapsearch and watching the traffic via tcpdump.
As far as I can tell the requested attributes are cached: the remote ldap server is only asked once about the requested data. But even when the data is already cached, the openldap server still tries to bind to the remote server, which is unfortunate since I'm trying to catch network outages with the caching proxy.
Example:
$ ldapsearch -x -H ldap://localhost -D cn=me,ou=users,dc=xyz,dc=de -W -b dc=xyz,dc=de 'cn=foo' mail
- first attempt, tcpdump shows: bind, search of cn uid objectclass userpassword sn mail memberof, and the result
- second attempt, same command, tcpdump shows: bind and that's all. The results are delivered from cache.
I tried other filter masks, too, which led to different results:
--%snip%--
pcacheAttrset 0 *
pcacheTemplate (cn=) 0 3600
pcacheBind (cn=) 0 3600 sub dc=xyz,dc=de
--%snip%--
In this case the remote server isn't queried anymore after the second attempt of the command above (which is good), but when trying to search for data that hasn't been cached yet, openldap tries to bind anonymously to the remote server (which is bad, because it won't work).
Syslog tells me:
ldap_back_dobind_int: DN="cn=me,ou=users,dc=xyz,dc=de" without creds, binding anonymously
Any clues?
Kind regards,
Philippe
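As an added example (not from the post and not OpenLDAP's own code), here is a small Python check over the pcache directives quoted in the post, comparing the attrset 1 setup with the wildcard variant. It assumes two things about slapo-pcache: that a pcacheBind needs a pcacheTemplate with the same filter template and attrset index, and that the attrset must cache userPassword (or `*`) for the overlay to verify a simple bind without contacting the remote server.

```python
# Constructed from the slapd.conf fragments in the post (only the lines the linter reads).
POST_CONF = """
overlay pcache
pcache bdb 999999 2 999 300
pcacheAttrset 0 cn uid objectclass userpassword sn mail memberof displayname
pcacheTemplate (cn=) 0 3600
pcacheAttrset 1 cn uid
pcacheTemplate (cn=) 1 3600
pcacheBind (cn=) 1 3600 sub dc=xyz,dc=de
"""

# The second variant from the post: a wildcard attrset shared by template and bind.
WILDCARD_CONF = """
pcacheAttrset 0 *
pcacheTemplate (cn=) 0 3600
pcacheBind (cn=) 0 3600 sub dc=xyz,dc=de
"""

def parse_pcache(conf):
    """Collect pcacheAttrset / pcacheTemplate / pcacheBind directives from slapd.conf text."""
    attrsets, templates, binds = {}, set(), []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()                    # slapd.conf directives are case-insensitive
        if key == "pcacheattrset" and len(parts) >= 3:
            attrsets[int(parts[1])] = {a.lower() for a in parts[2:]}
        elif key == "pcachetemplate" and len(parts) >= 4:
            templates.add((parts[1], int(parts[2])))  # (filter template, attrset index)
        elif key == "pcachebind" and len(parts) >= 6:
            binds.append((parts[1], int(parts[2]), int(parts[3]), parts[4], parts[5]))
    return attrsets, templates, binds

def lint_pcache_bind(conf):
    """Return the problems that would keep pcacheBind from answering binds from cache."""
    attrsets, templates, binds = parse_pcache(conf)
    problems = []
    for filt, idx, _ttr, _scope, _base in binds:
        if idx not in attrsets:
            problems.append(f"pcacheBind {filt} references undefined attrset {idx}")
            continue
        if (filt, idx) not in templates:
            problems.append(f"pcacheBind {filt} has no pcacheTemplate for attrset {idx}")
        # Assumption: the cached entry must carry userPassword for the overlay to
        # verify a simple bind locally; '*' caches all user attributes.
        if not attrsets[idx] & {"userpassword", "*"}:
            problems.append(f"attrset {idx} used by pcacheBind {filt} does not cache userPassword")
    return problems

if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("wildcard", WILDCARD_CONF)):
        print(name, lint_pcache_bind(conf) or ["ok"])
```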