
(ITS#6565) DNSSRV referrals: chaining without search base



Full_Name: Jochen Keutel
Version: 2.4.22
OS: Solaris 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.159.200.236)


Hi,
  this is partly a duplicate of ITS 6463: I think it's better to split these 2
items into 2 separate ITS.

This ITS only describes the behaviour of OpenLDAP using referrals generated by
DNSSRV; just ldap (no ldaps) is used.

You stated that not returning DNs in DNSSRV "conforms to RFC4511". This seems to
be OK. Nevertheless these returned URLs are used in the chaining code.

This means that the chained search always searches with base "" (root). I don't
think that this is the right behavior.

I debugged the code several hours but couldn't find a solution. What I could
see:
- dnssrv_back_referrals just puts server names into the referral structure
("ref")
- the functions called afterwards - esp. ldap_chain_op - parse this structure
"ref" for server names AND DNs (search bases)

I'm sorry, my knowledge of the OpenLDAP code is not deep enough to propose a
solution. But I think that this should be fixed: Chained Searches with "" as
search base in a distributed environment can't really work: problems like
- some servers don't support this kind of search
- loop detection
- access control
are there.

Regards,  Jochen.
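The effect the report describes, as an added illustration that is not part of the ITS and not OpenLDAP's own code: an RFC 4516 LDAP URL parser shows that a DNSSRV-style referral carrying only a host name has an empty DN part, so a chaining layer that takes the search base straight from the URL ends up searching from "". The `fixed` variant substitutes the original request's base and scope when the URL omits them, which is my reading of the fallback RFC 4511 section 4.1.10 describes for a DN-less referral URL. Host names, DNs and the `dn_less_referrals` helper are constructed for this example.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into its components.

    Format: scheme://host[:port][/dn[?attrs[?scope[?filter[?exts]]]]]
    Absent parts come back as empty strings, so a DNSSRV-generated
    referral such as 'ldap://ldap.example.com' yields dn == ''.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % (url,))
    # urlsplit keeps everything after the first '?' in .query, so the
    # RFC 4516 fields attrs?scope?filter?extensions are split out here.
    fields = (parts.query.split("?") + [""] * 4)[:4]
    return {
        "host": parts.hostname or "",
        "port": parts.port or DEFAULT_PORT[parts.scheme],
        "dn": unquote(parts.path[1:]),      # drop the leading '/'
        "attrs": unquote(fields[0]),
        "scope": fields[1],
        "filter": unquote(fields[2]),
    }


def chain_target(referral_url, orig_base, orig_scope):
    """Return (naive, fixed) targets for a chained search.

    naive: the base is whatever DN the referral URL carries, so a DN-less
           DNSSRV referral turns into a search from the root (base '').
    fixed: fall back to the original request's base and scope when the
           referral URL omits them.
    Each target is (host, port, base_dn, scope).
    """
    ref = parse_ldap_url(referral_url)
    scope = ref["scope"] or orig_scope
    naive = (ref["host"], ref["port"], ref["dn"], scope)
    fixed = (ref["host"], ref["port"], ref["dn"] or orig_base, scope)
    return naive, fixed


def dn_less_referrals(urls):
    """Referral URLs with an empty DN part: each would make a chained
    search start at base '' unless a fallback like 'fixed' is applied."""
    return [u for u in urls if not parse_ldap_url(u)["dn"]]


if __name__ == "__main__":
    # Constructed referrals: one DNSSRV-style (host only), one with a DN.
    for url in ("ldap://ldap.example.com:3389",
                "ldap://ldap.example.com/ou=people,dc=example,dc=com??one"):
        print(url, "->", chain_target(url, "dc=example,dc=com", "sub"))
```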