pcache not working with dirx - openldap-technical

12 Apr 2023


      Hello,
I'm playing with the slapo-pcache overlay (openldap-2.6.4). Using the  
folloging configuration:
```
# https://www.openldap.org/doc/admin26/guide.html#The%20Proxy%20Cache%20Engine
database	  ldap
suffix		  dc=dirx,dc=example
rootdn		  dc=dirx,dc=example
uri            ldap://dirx.example/
overlay	  pcache
pcache		  mdb 1000 2 1000 20
pcacheAttrset  0 DKIMSelector
pcacheTemplate (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=)) 0 10
pcacheAttrset  1 DKIMDomain DKIMSelector DKIMKey
pcacheTemplate (DKIMSelector=) 1 10
directory	  /spool/dc=dirx,dc=example
database	  ldap
suffix		  dc=openldap,dc=example
rootdn		  dc=openldap,dc=example
uri            ldap://openldap.example/
overlay	  pcache
pcache		  mdb 1000 2 1000 20
pcacheAttrset  0 DKIMSelector
pcacheTemplate (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=)) 0 10
pcacheAttrset  1 DKIMDomain DKIMSelector DKIMKey
pcacheTemplate (DKIMSelector=) 1 10
directory	  /spool/dc=openldap,dc=example
```
One upstream server is DirX, the other openldap-2.6.4. Dirx don't work
Openldap-cache is running with "slapd ... -d Config,Stats,pcache ..."
this are the logs from a failing attempt:
openldap-cache_1           | 643667a0.0584c8aa 0x7fa20ffff700  
conn=1002 op=0 BIND dn="cn=reader,dc=dirx,dc=example" method=128
openldap-cache_1           | 643667a0.05b4d722 0x7fa20ffff700  
conn=1002 op=0 BIND dn="cn=reader,dc=dirx,dc=example" mech=SIMPLE  
bind_ssf=0 ssf=71
openldap-cache_1           | 643667a0.05b5b312 0x7fa20ffff700  
conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000018 etime=0.003246 text=
openldap-cache_1           | 643667a3.1cdab2c4 0x7fa214d35700  
conn=1002 op=1 SRCH base="ou=Domains,dc=dirx,dc=example" scope=2  
deref=0  
filter="(&(DKIMDomain=dirxdomain.de)(DKIMActive=TRUE)(DKIMKeyType=rsa))"
openldap-cache_1           | 643667a3.1cdada18 0x7fa214d35700  
conn=1002 op=1 SRCH attr=DKIMSelector
openldap-cache_1           | 643667a3.1cdb0450 0x7fa214d35700 query  
template of incoming query = (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=))
openldap-cache_1           | 643667a3.1cdb36bf 0x7fa214d35700 Entering  
QC, querystr =  
(&(DKIMDomain=dirxdomain)(DKIMActive=TRUE)(DKIMKeyType=rsa))
openldap-cache_1           | 643667a3.1cdb4254 0x7fa214d35700 Lock QC  
index = 0x5572682fc520
openldap-cache_1           | 643667a3.1cdb4e08 0x7fa214d35700 Not  
answerable: Unlock QC index=0x5572682fc520
openldap-cache_1           | 643667a3.1cdb5617 0x7fa214d35700 QUERY  
NOT ANSWERABLE
openldap-cache_1           | 643667a3.1cdb5cec 0x7fa214d35700 QUERY CACHEABLE
openldap-cache_1           | 643667a3.1d40534b 0x7fa214d35700  
conn=1002 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000014  
etime=0.006697 nentries=0 text=
and for a query to the openldap backend it works:
openldap-cache_1           | 6436693c.35c382c5 0x7fa20ffff700  
conn=1007 op=0 BIND dn="cn=reader,dc=openldap,dc=example" method=128
openldap-cache_1           | 6436693c.3663bbec 0x7fa20ffff700  
conn=1007 op=0 BIND dn="cn=reader,dc=openldap,dc=example" mech=SIMPLE  
bind_ssf=0 ssf=71
openldap-cache_1           | 6436693c.36643fe0 0x7fa20ffff700  
conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000031 etime=0.010584 text=
openldap-cache_1           | 64366940.08541952 0x7fa214d35700  
conn=1007 op=1 SRCH base="ou=Domains,dc=openldap,dc=example" scope=2  
deref=0  
filter="(&(DKIMDomain=openldapdomain.de)(DKIMActive=TRUE)(DKIMKeyType=ed25519))"
openldap-cache_1           | 64366940.08543f48 0x7fa214d35700  
conn=1007 op=1 SRCH attr=DKIMSelector
openldap-cache_1           | 64366940.0854686a 0x7fa214d35700 query  
template of incoming query = (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=))
openldap-cache_1           | 64366940.08547707 0x7fa214d35700 Entering  
QC, querystr =  
(&(DKIMDomain=openldapdomain.de)(DKIMActive=TRUE)(DKIMKeyType=ed25519))
openldap-cache_1           | 64366940.08547fde 0x7fa214d35700 Lock QC  
index = 0x5572682fda70
openldap-cache_1           | 64366940.08548a4b 0x7fa214d35700 Not  
answerable: Unlock QC index=0x5572682fda70
openldap-cache_1           | 64366940.0854925c 0x7fa214d35700 QUERY  
NOT ANSWERABLE
openldap-cache_1           | 64366940.085499d1 0x7fa214d35700 QUERY CACHEABLE
openldap-cache_1           | 64366940.0868a233 0x7fa214d35700 Added  
query expires at 1681287498 (POSITIVE)
openldap-cache_1           | 64366940.0868bf3d 0x7fa214d35700 Lock AQ  
index = 0x5572682fda70
openldap-cache_1           | 64366940.0868cc0d 0x7fa214d35700 TEMPLATE  
0x5572682fda70 QUERIES++ 1
openldap-cache_1           | 64366940.0868d3eb 0x7fa214d35700 Base of  
added query = ou=Domains,dc=openldap,dc=example
openldap-cache_1           | 64366940.0868daa0 0x7fa214d35700 Unlock  
AQ index = 0x5572682fda70
openldap-cache_1           | 64366940.0868f2f2 0x7fa214d35700 UUID for  
query being added = 4d0928a8-6d56-103d-8d96-0b2b6342ea75
openldap-cache_1           | 64366940.092158fe 0x7fa214d35700 ENTRY  
ADDED/MERGED, CACHED ENTRIES=1
openldap-cache_1           | 64366940.09219238 0x7fa214d35700 STORED  
QUERIES = 1
openldap-cache_1           | 64366940.0921a8d6 0x7fa214d35700  
conn=1007 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000014  
etime=0.013522 nentries=1 text=
If I run slapd with all Debug Logging enabled ( slapd ... -d -1 ...) I  
see, the DirX backend **do answer** with the expexted date but the log  
is so verbose, so I could not see a problem.
using ldapsearch directly against both backend servers I verified, the  
requested data are accessible.
One glitch I found in the Documentation at  
https://www.openldap.org/doc/admin26/guide.html#The%20Proxy%20Cache%20Engine
Under "12.9.2.4. Example for slapd.conf" the is an Entry "cachesize  
20" mentioned. If I enable this option, slapd fail to start:
openldap-cache_1           | 64366b51.0ec4f7d9 0x7f4f046423c0  
/usr/local/etc/openldap/slapd.conf: line 45 (cachesize 20)
openldap-cache_1           | 64366b51.0ec5f70a 0x7f4f046423c0  
/usr/local/etc/openldap/slapd.conf: line 45: unknown directive  
<cachesize> inside backend database definition.
Is the documentation really correct?
Andreas