Issue 5823 - clients/tools don't honor ldap.conf defaults
Summary: clients/tools don't honor ldap.conf defaults
Status: UNCONFIRMED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: client tools (show other issues)
Version: unspecified
Hardware: All All
: --- development
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2008-11-21 02:38 UTC by Howard Chu
Modified: 2020-03-19 04:49 UTC (History)
Description Howard Chu 2008-11-21 02:38:11 UTC
Full_Name: Howard Chu
Version: HEAD/RE24
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc


Various options in clients/tools/common.c are set as follows:

        /* referrals */
        if( ldap_set_option( ld, LDAP_OPT_REFERRALS,
                referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )

This means if the commandline option was provided, the option is turned on,
otherwise it is turned off. I.e., the ldap.conf setting is completely overridden
at all times.

All of these option cases should be fixed to only issue the ldap_set_option()
call if the corresponding argument was provided, to allow the default setting to
take effect when the arguments are not provided.

I suggest that we use option==1 for on, and option>1 for off, to minimize the
impact of the change. (E.g., to explicitly turn off referrals, use ldapsearch
-CC.)
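
To make the reported behaviour concrete, here is an added example (not OpenLDAP's own code; it stands in for the logic in clients/tools/common.c) that models the tri-state handling proposed above: a flag absent from the command line leaves the ldap.conf value alone, -C turns referral chasing on and -CC turns it off. The ldap.conf text, argument vectors and function names are constructed for the example; REFERRALS and BASE are real ldap.conf(5) keywords.

```c
#include <string.h>

/* Constructed sample ldap.conf; REFERRALS is a real ldap.conf(5) keyword. */
static const char SAMPLE_LDAP_CONF[] =
    "# constructed sample ldap.conf\n"
    "BASE      dc=example,dc=com\n"
    "REFERRALS on\n";

/* Constructed argument vectors: one without -C, one with -CC. */
static const char *const ARGS_DEFAULT[] = { "ldapsearch", "-x", "-b", "dc=example,dc=com" };
static const char *const ARGS_OFF[]     = { "ldapsearch", "-x", "-CC", "-b", "dc=example,dc=com" };
#define NARGS(a) ((int)(sizeof (a) / sizeof (a)[0]))

/* Value of REFERRALS in the conf text: 1 = on, 0 = off; ldap.conf(5) defaults to on. */
int conf_referrals_default(const char *conf) {
    for (const char *p = conf; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 10 && strncmp(p, "REFERRALS ", 10) == 0) {
            const char *v = p + 10;
            while (*v == ' ' || *v == '\t') v++;
            return strncmp(v, "on", 2) == 0 || strncmp(v, "yes", 3) == 0 || strncmp(v, "true", 4) == 0;
        }
        p = eol ? eol + 1 : p + len;
    }
    return 1;
}

/* How many times a single-letter flag appears, so "-CC" counts as 2. */
int count_flag(int argc, const char *const *argv, char flag) {
    int n = 0;
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] != '-') continue;
        for (const char *a = argv[i] + 1; *a; a++) if (*a == flag) n++;
    }
    return n;
}

/* The reported behaviour: ldap_set_option() is always called, so an absent
 * flag silently turns referrals off whatever ldap.conf says. */
int referrals_as_reported(int count) { return count ? 1 : 0; }

/* The proposed fix: only override when the flag was given on the command line. */
int referrals_fixed(int count, int conf_default) {
    if (count == 0) return conf_default;  /* leave libldap's ldap.conf setting in force */
    return count == 1 ? 1 : 0;            /* -C = on, -CC = off */
}
```

With the constructed ldap.conf saying "REFERRALS on" and no -C on the command line, referrals_as_reported() yields off while referrals_fixed() yields on, which is the discrepancy the report describes.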

Comment 1 Hallvard Furuseth 2008-11-21 03:09:11 UTC
hyc@OpenLDAP.org writes:
> I suggest that we use option==1 for on, and option>1 for off, to
> minimize the impact of the change. (E.g., to explicitly turn off
> referrals, use ldapsearch -CC.)

That conflicts with today's -ZZ, which seems a bad option to
create confusion about.  Also with ldapsearch -L[L[L]].

Another variant is -C = on and +C = off.  Backwards, but it's
not our fault that Unix chose "-" for "on":-)  Unless +foo
means something special on Windows command lines?

-- 
Hallvard

Comment 2 Howard Chu 2008-11-21 03:19:31 UTC
Hallvard B Furuseth wrote:
> hyc@OpenLDAP.org writes:
>> I suggest that we use option==1 for on, and option>1 for off, to
>> minimize the impact of the change. (E.g., to explicitly turn off
>> referrals, use ldapsearch -CC.)
>
> That conflicts with today's -ZZ, which seems a bad option to
> create confusion about.  Also with ldapsearch -L[L[L]].
>
> Another variant is -C = on and +C = off.  Backwards, but it's
> not our fault that Unix chose "-" for "on":-)  Unless +foo
> means something special on Windows command lines?
>
This may not be a big deal after all. The only options affected are -C and -N, 
and -C is essentially useless now. (And is undocumented.) So perhaps this can 
be mostly ignored, and we just need a workable approach for -N and any future 
boolean options.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 ando@openldap.org 2008-11-21 06:47:07 UTC
h.b.furuseth@usit.uio.no wrote:
> hyc@OpenLDAP.org writes:
>> I suggest that we use option==1 for on, and option>1 for off, to
>> minimize the impact of the change. (E.g., to explicitly turn off
>> referrals, use ldapsearch -CC.)
> 
> That conflicts with today's -ZZ, which seems a bad option to
> create confusion about.

-ZZ should be deprecated, and -Z should simply and strictly require 
StartTLS.  The concept itself of having StartTLS optional (without 
notice of whether it succeeded or not!) sounds extremely bogus to me. 
In all the clients I develop, I never provide such alternative, either 
on or off.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Comment 4 Hallvard Furuseth 2008-11-21 12:17:12 UTC
Pierangelo Masarati writes:
> -ZZ should be deprecated, and -Z should simply and strictly require 
> StartTLS.

Good point.   Except then people who are used to new clients will
make insecure connections when using old clients.  Maybe -Z should
be an error instead...

What I'd really really like to do is throw away all the options,
rename the programs, and start over.  This time with the same option
names in ldap tools, slap tools, and slapd itself.  Goes with the
someday-in-the-future library rewrite, I suppose.

-- 
Hallvard

Comment 5 ando@openldap.org 2008-11-21 12:26:18 UTC
h.b.furuseth@usit.uio.no wrote:
> Pierangelo Masarati writes:
>> -ZZ should be deprecated, and -Z should simply and strictly require 
>> StartTLS.
> 
> Good point.   Except then people who are used to new clients will
> make insecure connections when using old clients.  Maybe -Z should
> be an error instead...

Mine was a generic criticism, not a suggestion for this specific case.

> What I'd really really like to do is throw away all the options,
> rename the programs, and start over.  This time with the same option
> names in ldap tools, slap tools, and slapd itself.  Goes with the
> someday-in-the-future library rewrite, I suppose.

:)  p.



Comment 6 Howard Chu 2008-11-21 17:16:30 UTC
h.b.furuseth@usit.uio.no wrote:
> Pierangelo Masarati writes:
>> -ZZ should be deprecated, and -Z should simply and strictly require
>> StartTLS.
>
> Good point.   Except then people who are used to new clients will
> make insecure connections when using old clients.  Maybe -Z should
> be an error instead...
>
> What I'd really really like to do is throw away all the options,
> rename the programs, and start over.  This time with the same option
> names in ldap tools, slap tools, and slapd itself.  Goes with the
> someday-in-the-future library rewrite, I suppose.

OpenLDAP 3.0...

The question is, when do we stop the 2.x stream and begin 3.0?


Comment 7 Gavin Henry 2008-11-22 22:48:37 UTC
----- hyc@symas.com wrote:

> h.b.furuseth@usit.uio.no wrote:
> > Pierangelo Masarati writes:
> >> -ZZ should be deprecated, and -Z should simply and strictly require
> >> StartTLS.
> >
> > Good point.   Except then people who are used to new clients will
> > make insecure connections when using old clients.  Maybe -Z should
> > be an error instead...
> >
> > What I'd really really like to do is throw away all the options,
> > rename the programs, and start over.  This time with the same option
> > names in ldap tools, slap tools, and slapd itself.  Goes with the
> > someday-in-the-future library rewrite, I suppose.
> 
> OpenLDAP 3.0...
> 
> The question is, when do we stop the 2.x stream and begin 3.0?

Cool. I say we rewrite it all in Java, this C stuff is hard to understand ;-)

-- 
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/

Comment 8 Hallvard Furuseth 2008-11-24 11:28:50 UTC
ghenry@OpenLDAP.org writes:
> Cool. I say we rewrite it all in Java, this C stuff is hard to understand ;-)

Perhaps we should take this to -devel now...

-- 
Hallvard

Comment 9 Howard Chu 2009-09-29 05:54:28 UTC
moved from Incoming to Development