Re: Search Base (ITS#490)
Hello.
I was asking on the developer's list about how OpenLDAP should handle
requests that come in that have a NULL searchbase. It was recommended to
me to look into the fix that involves LDAP_ALLOW_NULL_SEARCH_BASE in
servers/slapd/backends.c
I did look into it, and that fix doesn't work. do_search() will call
select_backend() and get a default backend pointer in return, but the
normalized search base "nbase" is still a 0 length string. This gets
passed into the back end search function, e.g. ldbm_back_search(), and
will result in a failure.
A NULL or 0 length search base would need to be changed into a valid DN
as soon as it is BER-decoded out of the request. This would be done for
each do_ function that is to accept these bogus requests. I appended an
example for doing this in do_search().
Mind you, I'm still opposed to supporting clients that send these
broken requests, but that's a personal decision. I wanted to point out
here that the NULL_SEARCH_BASE fix was still failing to fix the problem
for me.
-Mark Adamson
Carnegie Mellon
in do_search(), servers/slapd/search.c:
+ #ifdef LDAP_ALLOW_NULL_SEARCH_BASE
+ /* addition for CE machines that send NULL search base */
+ if ( (base == NULL) || (base[0] == '\0') ) {
+ if ( nbackends ) {
+ if ( base ) free( base );
+ base = ch_strdup( backends[0].be_nsuffix[0] );
+ }
+ }
+ #endif
+
nbase = ch_strdup( base );
if( dn_normalize( nbase ) == NULL ) {
send_ldap_result( conn, op, LDAP_INVALID_DN_SYNTAX,
NULL, "invalid DN", NULL, NULL );
rc = -1;
goto return_results;
}
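Review bot: the added block leaves `base` NULL or empty when `nbackends` is 0, so the unchanged `nbase = ch_strdup( base );` right after it can still receive a NULL pointer, and `backends[0].be_nsuffix[0]` is read without checking that `be_nsuffix` is non-NULL and has a first entry. Suggest testing `backends[0].be_nsuffix != NULL && backends[0].be_nsuffix[0] != NULL` before the `ch_strdup()`, and when no default suffix is available, sending an error result and taking the `goto return_results` path instead of falling through. The comment should also say that the first suffix of the first backend is substituted for the client's base, since the choice of `backends[0]` is otherwise undocumented here.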