Re: (ITS#5472) ldap_get_values() should handle paged results from LDAP/AD

[masarati@aero.polimi.it]

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'd like to reopen the discussion on this issue. We're hitting this same
> problem with the SSSD when dealing with ActiveDirectory. It really
> doesn't make sense to me that every consumer of the OpenLDAP libraries
> should be required to reimplement this (admittedly incorrect) extension
> to ActiveDirectory.
>
> As Petter suggested in his comment from April 21, 2008, ActiveDirectory
> provides a server control to identify that the feature is in play.
>
> I feel that it would be beneficial to OpenLDAP's library consumers if
> they handled range lookups automatically and internally, similar to the
> way that referrals are chased.
>
> Consumers of the OpenLDAP API should be able to reliably assume that if
> they ask for the set of values for an attribute of a completed request,
> that they will get back all of the values.
>
> Please reconsider adding this support into OpenLDAP.

The complexity of handling this nonsense in libldap seems not worth the
effort; I think we might consider working this around in proxy backends
(much like we did for unsolicited paged results response in back-meta,
ITS#6664, which could be added to back-ldap as well).

I don't think implementing something that requires a theoretically
unbounded number of nested search requests for each attribute value that
contains a range in each SearchResultEntry message makes sense.

The parallel with referrals is not appropriate, since referrals are part
of LDAP specification; also, please note that automatic referral chasing
is strongly discouraged unless the transport layer is protected (Section 6
of RFC 4511).

p.