
Re: (ITS#6565) DNSSRV referrals: chaining without search base



> Hi,
>   this is a partly duplicate of ITS 6463: I think it's better to split
> these 2 items into 2 separate ITS.
>
> This ITS only describes the behaviour of OpenLDAP using referrals
> generated by DNSSRV; just ldap (no ldaps) is used.
>
> You stated that not returning DNs in DNSSRV "conforms to RFC4511". This
> seems to be OK. Nevertheless these returned URLs are used in the
> chaining code.
>
> This means that the chained search always searches with base "" (root).
> I don't think that this is the right behavior.
>
> I debugged the code several hours but couldn't find a solution. What I
> could see:
> - dnssrv_back_referrals just puts server names into the referral
>   structure ("ref")
> - the functions called afterwards - esp. ldap_chain_op - parse this
>   structure "ref" for server names AND DNs (search bases)
>
> I'm sorry, my knowledge of the OpenLDAP code is not deep enough to
> propose a solution. But I think that this should be fixed: chained
> searches with "" as search base in a distributed environment can't
> really work: problems like
> - some servers don't support this kind of search
> - loop detection
> - access control
> are there.

Hi.  I don't have time to work at this right now, but I think the solution
would be to modify slapo-chain(5) so that when a referral's DN is "" and
the DN in the original request is not "", to use that DN instead.  The
original request DN can be found in op->o_req_dn.

p.
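The base-selection rule proposed in the reply, written out as an added C example that is not OpenLDAP's or slapo-chain's own code: the helper names ldap_url_dn(), effective_chain_base() and chain_base_is() are hypothetical, the URL parsing is a minimal stand-in for libldap's parser, and op->o_req_dn is modelled as the req_dn parameter.

```c
/* Added example, not OpenLDAP's code: pick the search base for a chained
 * operation when a DNSSRV-generated referral URL carries no DN.
 * Handles a minimal LDAP URL "ldap://host[:port][/dn[?...]]"; the names
 * ldap_url_dn() and effective_chain_base() are hypothetical. */
#include <string.h>

/* Copy the DN part of an LDAP URL into out. Returns -1 on a malformed
 * URL or a too-small buffer. No path, or an empty path, gives DN "",
 * which is what a DNSSRV referral (server name only) produces. */
static int ldap_url_dn(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL || outlen == 0) return -1;
    const char *slash = strchr(p + 3, '/');     /* first '/' after host */
    if (slash == NULL) {                        /* ldap://host:port */
        out[0] = '\0';
        return 0;
    }
    slash++;
    const char *end = strchr(slash, '?');       /* attrs?scope?filter */
    size_t n = end ? (size_t)(end - slash) : strlen(slash);
    if (n >= outlen) return -1;
    memcpy(out, slash, n);
    out[n] = '\0';
    return 0;
}

/* The rule proposed above: if the referral DN is "" and the original
 * request DN (op->o_req_dn inside slapd) is not "", chain with the
 * request DN; otherwise keep the referral's own DN. NULL = bad URL. */
const char *effective_chain_base(const char *referral_url, const char *req_dn,
                                 char *buf, size_t buflen)
{
    if (ldap_url_dn(referral_url, buf, buflen) != 0)
        return NULL;
    if (buf[0] == '\0' && req_dn != NULL && req_dn[0] != '\0')
        return req_dn;
    return buf;
}

/* 1 if the effective base equals expect (NULL expect = URL rejected). */
int chain_base_is(const char *url, const char *req_dn, const char *expect)
{
    char buf[256];
    const char *b = effective_chain_base(url, req_dn, buf, sizeof buf);
    if (b == NULL || expect == NULL)
        return b == expect;
    return strcmp(b, expect) == 0;
}
```

With a constructed DNSSRV-style referral such as ldap://ldap.example.com:389 and a request base of dc=example,dc=com, the chained search keeps the request base instead of falling back to "".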