[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5751) undefined value in slapo-constraint with bad filter
michael@stroeder.com wrote:
> hyc@symas.com wrote:
>> h.b.furuseth@usit.uio.no wrote:
>>> Full_Name: Hallvard B Furuseth
>>> Version: HEAD, RE24
>>> OS:
>>> URL:
>>> Submission from: (NULL) (129.240.6.233)
>>> Submitted by: hallvard
>>>
>>>
>>> overlays/constraint.c:constraint_violation() uses and maybe returns an
>>> undefined value in 'rc' if the filter is bad (nop.ors_filter == NULL).
>>>
>>> I have no idea what rc should be in this case.
>>>
>>> Introduced in constraint.c 1.18 (OpenLDAP 2.4.12).
>> Probably should just set rc=LDAP_SUCCESS in this case. The constraint is
>> invalid, so it cannot be violated.
>
> Hmm, I'd prefer a strong indication that the constraint is invalid.
>
> If it can be proven that the filter is bad slapo-constraint should
> probably stop during startup with an appropriate message. Otherwise
> returning constraintViolation would be appropriate either since the LDAP
> client fails then and it makes admins search for the cause of it.
I concur. I've made slapo-constraint(5) return LDAP_OTHER, so it's
clear that there's something wrong. Returning LDAP_CONSTRAINT_VIOLATION
would have erroneously indicated that the value was not allowed but
everything was working fine. Please test.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------