[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5751) undefined value in slapo-constraint with bad filter

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5751) undefined value in slapo-constraint with bad filter
From: ando@sys-net.it
Date: Sun, 19 Oct 2008 19:23:15 GMT

michael@stroeder.com wrote:
> hyc@symas.com wrote:
>> h.b.furuseth@usit.uio.no wrote:
>>> Full_Name: Hallvard B Furuseth
>>> Version: HEAD, RE24
>>> OS:
>>> URL:
>>> Submission from: (NULL) (129.240.6.233)
>>> Submitted by: hallvard
>>>
>>>
>>> overlays/constraint.c:constraint_violation() uses and maybe returns an
>>> undefined value in 'rc' if the filter is bad (nop.ors_filter == NULL).
>>>
>>> I have no idea what rc should be in this case.
>>>
>>> Introduced in constraint.c 1.18 (OpenLDAP 2.4.12).
>> Probably should just set rc=LDAP_SUCCESS in this case. The constraint is 
>> invalid, so it cannot be violated.
> 
> Hmm, I'd prefer a strong indication that the constraint is invalid.
> 
> If it can be proven that the filter is bad slapo-constraint should
> probably stop during startup with an appropriate message. Otherwise
> returning constraintViolation would be appropriate either since the LDAP
> client fails then and it makes admins search for the cause of it.

I concur.  I've made slapo-constraint(5) return LDAP_OTHER, so it's 
clear that there's something wrong.  Returning LDAP_CONSTRAINT_VIOLATION 
would have erroneously indicated that the value was not allowed but 
everything was working fine.  Please test.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: Re: (ITS#5752) ldapadd/ldapmodify do not follow referrals
Next by Date: Re: (ITS#5734) Serch limits by baseDN
Index(es):
- Chronological
- Thread