(ITS#7353) Handling request controls that include spurious control values
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#7353) Handling request controls that include spurious control values
- From: mhardin@symas.com
- Date: Wed, 15 Aug 2012 01:43:15 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Matthew Hardin
Version: 2.4.32
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (69.43.206.100)
Some clients, like Oracle SGD, incorrectly implement the password policy request
control by including a zero-length control value with the request control.
OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the
operation with a Protocol Error (2). While this behavior follows the letter of
RFC 4511, the control value in this case is zero-length and therefore harmless.
Failing in this case seems merely punctilious, and has no real benefit. For
reference, OpenLDAP 2.3 allowed a zero-length control value.
While I don't believe it's acceptable for clients to present malformed controls,
I do think it's sufficient, at least in this case, to log a warning and continue
processing the request.
For reference, the BER dump below shows the bind request containing the
incorrectly-formatted password policy request control as well as the various
stages of parsing. The request in this case comes from Oracle SGD 4.62.913.
ber_get_next: tag 0x30 len 89 contents:
ber_dump: buf=101fd8f00 ptr=101fd8f00 end=101fd8f59 len=89
0000: 02 01 01 60 33 02 01 03 04 27 63 6e 3d 70 70 6f ...`3....'cn=ppo
0010: 6c 69 63 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 licytst,ou=Polic
0020: 69 65 73 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f ies,dc=vso,dc=co
0030: 6d 80 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e m..aaaaa..0...1.
0040: 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 3.6.1.4.1.42.2.2
0050: 37 2e 38 2e 35 2e 31 04 00 7.8.5.1..
502a936b op tag 0x60, time 1344967531
ber_get_next
502a936b conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f03 end=101fd8f59 len=86
0000: 60 33 02 01 03 04 27 63 6e 3d 70 70 6f 6c 69 63 `3....'cn=ppolic
0010: 79 74 73 74 2c 6f 75 3d 50 6f 6c 69 63 69 65 73 ytst,ou=Policies
0020: 2c 64 63 3d 76 73 6f 2c 64 63 3d 63 6f 6d 80 05 ,dc=vso,dc=com..
0030: 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 2e 36 aaaaa..0...1.3.6
0040: 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 38 .1.4.1.42.2.27.8
0050: 2e 35 2e 31 04 00 .5.1..
ber_scanf fmt (m}) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f31 end=101fd8f59 len=40
0000: 00 05 61 61 61 61 61 a0 1f 30 1d 04 19 31 2e 33 ..aaaaa..0...1.3
0010: 2e 36 2e 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 .6.1.4.1.42.2.27
0020: 2e 38 2e 35 2e 31 04 00 .8.5.1..
502a936b => get_ctrls
ber_scanf fmt ({m) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f3a end=101fd8f59 len=31
0000: 30 1d 04 19 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 0...1.3.6.1.4.1.
0010: 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 04 00 42.2.27.8.5.1..
ber_scanf fmt (m) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f57 end=101fd8f59 len=2
0000: 00 00 ..
502a936b => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
502a936b <= get_ctrls: n=1 rc=2 err="passwordPolicyRequest control value not absent"
502a936b send_ldap_result: conn=1001 op=0 p=3
502a936b send_ldap_response: msgid=1 tag=97 err=2
As an aside, the error text left me scratching my head and reading the source
code to figure out what was meant. Each of the other request control handlers
that doesn't require/allow a control value has a similar message. Could we
change these messages to:
{Warning|Error}: Spurious <control name here> control value found in request.
Comments?
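A small decoder for the Control SEQUENCE shown in the ber_dump above, added here as an illustration and not part of OpenLDAP or of this report: it distinguishes an absent controlValue from a present-but-zero-length one, and shows the strict (reject with protocolError) and lenient (warn and continue) handling discussed in the report. Function names, the lenient flag and the well-formed comparison bytes are constructed for the example; the malformed bytes are those from the dump.

```python
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
PROTOCOL_ERROR = 2  # LDAP resultCode protocolError, the "err=2" in the log above

def read_tlv(buf, pos):
    """Decode one BER TLV (definite lengths only); return (tag, contents, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, buf[pos:end], end

def parse_control(encoded):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue OPTIONAL }."""
    tag, body, _ = read_tlv(encoded, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    ctrl = {"oid": oid.decode("ascii"), "critical": False, "value": None}
    if pos < len(body) and body[pos] == 0x01:  # optional BOOLEAN criticality
        _, flag, pos = read_tlv(body, pos)
        ctrl["critical"] = flag != b"\x00"
    if pos < len(body):  # optional controlValue; b"" means present but empty
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
        ctrl["value"] = value
    return ctrl

def check_ppolicy_request(ctrl, lenient=False):
    """Return (resultCode, message): 0 to continue the operation, PROTOCOL_ERROR to reject it."""
    if ctrl["oid"] != PPOLICY_OID:
        return 0, "not a passwordPolicyRequest control"
    if ctrl["value"] is None:
        return 0, "passwordPolicyRequest control value absent, as RFC 4511 requires"
    if lenient and ctrl["value"] == b"":  # harmless zero-length value: log and go on
        return 0, "Warning: spurious passwordPolicyRequest control value found in request"
    return PROTOCOL_ERROR, "Error: spurious passwordPolicyRequest control value found in request"

# Bytes from the ber_dump at ptr=101fd8f3a above: OID followed by a zero-length OCTET STRING.
SGD_CONTROL = bytes.fromhex("301d0419" + PPOLICY_OID.encode().hex() + "0400")
# Constructed well-formed control with the controlValue absent, for comparison.
GOOD_CONTROL = bytes.fromhex("301b0419" + PPOLICY_OID.encode().hex())
```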