Scott Koranda wrote:
Hello,
As part of an evaluation and testing phase, on a Debian Squeeze system using version 2.4.23 of OpenLDAP I successfully configured and used the slapd-meta backend. The configuration looked like this:
database meta
suffix "dc=test,dc=myorg,dc=org"

uri "ldapi:///o=external,dc=test,dc=myorg,dc=org"
acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
acl-passwd passwd
idassert-bind bindmethod=simple binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org" credentials="passwd" mode=self

uri "ldapi:///o=internal,dc=test,dc=myorg,dc=org"
acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
acl-passwd passwd
idassert-bind bindmethod=simple binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org" credentials="passwd" mode=self
To prepare for a production deployment I then compiled OpenLDAP 2.4.33 using this set of configure options:
./configure --prefix=/opt/openldap-2.4.33 --enable-slapd --enable-cleartext --enable-rewrite --enable-bdb --enable-hdb --enable-ldap --enable-meta --enable-rwm
I attempted to use the same configuration for the slapd-meta backend. My queries to slapd no longer returned anything and I saw this in the debug output:
50c15573 conn=1000 op=1 meta_search_dobind_init[0] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
50c15573 conn=1000 op=1 meta_search_dobind_init[1] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
I interpret this to mean that the slapd-meta backend is deciding it does not have a credential to use and is binding anonymously to the proxied services.
How should I change my configuration above so that the most recent version of OpenLDAP will be able to bind to the proxied services in the way that happened with version 2.4.23?
Note that I installed versions between 2.4.23 and 2.4.33 (bisection) and found that the change from 2.4.25 to 2.4.26 causes the configuration above to go from "working" to "not working". Versions 2.4.26 and above that I tested result in the "non-empty dn with empty cred" in the debug output.
The only relevant change to back-meta from 2.4.25 to .26 is for ITS#6909. Perhaps you can retest your config with that patch reverted and see how it goes.
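The debug lines quoted in this thread show back-meta silently downgrading to an anonymous bind against each proxied target. As an added example (not part of the original messages and not OpenLDAP code), this is one way to scan slapd debug output for that fallback and summarise it per target. It assumes the leading hex field is a Unix timestamp in hexadecimal; the function names and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# First two lines are the ones quoted in the thread; the third is a constructed
# unrelated line to show that non-matching output is ignored.
SAMPLE_LOG = """\
50c15573 conn=1000 op=1 meta_search_dobind_init[0] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
50c15573 conn=1000 op=1 meta_search_dobind_init[1] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
50c15574 conn=1001 op=0 BIND dn="" method=128
"""

# Matches only the back-meta message seen in the thread; the bracketed number
# is the index of the proxied target (order of the uri directives).
FALLBACK = re.compile(
    r"^(?P<ts>[0-9a-f]{8})\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+"
    r"meta_search_dobind_init\[(?P<target>\d+)\]\s+mc=0x[0-9a-f]+:\s+"
    r"non-empty dn with empty cred; binding anonymously\s*$"
)

def find_anonymous_fallbacks(log_text):
    """Return {target_index: [(utc_time, conn, op), ...]} for fallback lines."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FALLBACK.match(line.strip())
        if not m:
            continue
        # Assumption: the first field is seconds since the epoch, in hex.
        when = datetime.fromtimestamp(int(m["ts"], 16), tz=timezone.utc)
        hits[int(m["target"])].append((when, int(m["conn"]), int(m["op"])))
    return dict(hits)

def report(hits):
    """One summary line per proxied target that fell back to anonymous."""
    lines = []
    for target, events in sorted(hits.items()):
        conns = sorted({conn for _, conn, _ in events})
        lines.append(
            f"target[{target}]: {len(events)} anonymous fallback(s), "
            f"first at {events[0][0].isoformat()}, conns={conns}"
        )
    return lines

if __name__ == "__main__":
    print("\n".join(report(find_anonymous_fallbacks(SAMPLE_LOG))))
```

Any non-empty result means the proxy is querying that target with anonymous privileges rather than the configured identity, which is worth alerting on after an upgrade.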