OpenLDAP
Viewing Incoming/5862

From: h.b.furuseth@usit.uio.no
Subject: Assert control ignored on non-database entries

Date: Tue, 16 Dec 2008 13:27:06 GMT
From: h.b.furuseth@usit.uio.no
To: openldap-its@OpenLDAP.org
Subject: Assert control ignored on non-database entries
Full_Name: Hallvard B Furuseth
Version: HEAD
OS: Linux
URL: 
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard


slapd does not apply the Assert control to non-database entries
(at least the root and subschema entries), yet does not reject
a critical control either.

I have not explored the magnitude of the problem: Where the
control can get ignored, and which other controls are ignored.

$ ldapsearch -LLLx -e\!assert='(objectClass=person)' -b "" -s base
dn:
objectClass: top
objectClass: OpenLDAProotDSE

$ ldapsearch -LLLx -e\!assert='(objectClass=person)' -b cn=subschema -s base
dn: cn=Subschema
objectClass: top
objectClass: subentry
objectClass: subschema
objectClass: extensibleObject
cn: Subschema


-b "" -s sub does apply the control with database bdb + suffix "".
Don't know about back-sql.
However I imagine it varies how careful backends "" are about generating
the root DSE when suffix == "" so controls can be applied to it.  Might
need a backend flag which says whether the backend does this, and reject
the critical controls with unwillingToPerform if this flag is not set.
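
Added example, not part of the original report or of OpenLDAP's code: a shell check that repeats the two base-scope searches above and classifies the server's behaviour from the ldapsearch exit status, which is the LDAP result code. LDAP_URI and the verdict names are assumptions; 122 is assertionFailed (RFC 4528), 12 is unavailableCriticalExtension and 53 is unwillingToPerform.

```shell
#!/bin/sh
# Added example: does the server honour a critical Assert control on
# non-database entries? Set LDAP_URI (assumed name) to run the live check.

RC_SUCCESS=0
RC_UNAVAILABLE_CRITICAL_EXTENSION=12
RC_UNWILLING_TO_PERFORM=53
RC_ASSERTION_FAILED=122

# classify RC OUTPUT -> prints applied | rejected | ignored | inconclusive
classify() {
    rc=$1
    out=$2
    case "$rc" in
        "$RC_ASSERTION_FAILED")
            echo applied ;;       # filter was evaluated and did not match
        "$RC_UNAVAILABLE_CRITICAL_EXTENSION"|"$RC_UNWILLING_TO_PERFORM")
            echo rejected ;;      # server refused the critical control
        "$RC_SUCCESS")
            # Success plus an entry means the false assertion was never applied.
            if printf '%s\n' "$out" | grep -q '^dn:'; then
                echo ignored
            else
                echo inconclusive
            fi ;;
        *)
            echo inconclusive ;;  # bind failure, server down, ...
    esac
}

# check_base BASE -> runs the search from the report against LDAP_URI
check_base() {
    out=$(ldapsearch -LLLx -H "$LDAP_URI" \
        -e '!assert=(objectClass=person)' -b "$1" -s base 2>/dev/null) \
        && rc=0 || rc=$?
    printf 'base="%s": %s (result code %s)\n' "$1" "$(classify "$rc" "$out")" "$rc"
}

# Only touch the network when a target was given explicitly.
if [ -n "${LDAP_URI:-}" ]; then
    check_base ""
    check_base "cn=subschema"
fi
```

A verdict of "ignored" reproduces the behaviour reported here; "applied" or "rejected" is what a critical control requires.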
