Issue 6463 - dnssrv_back_referrals: ldaps not handled, search base gone
Summary: dnssrv_back_referrals: ldaps not handled, search base gone
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.21
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-27 01:41 UTC by jochen@keutel.de
Modified: 2017-03-28 00:24 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.
Description jochen@keutel.de 2010-01-27 01:41:54 UTC 
Full_Name: Jochen Keutel
Version: 2.4.21
OS: Solaris 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.159.206.14)


dnssrv_back_referrals() always returns ldap URLs - even when the original
request was a ldaps query.

Additionally only protocol and hostname are put into the URL - the search base
doesn't appear any more.

Problematic code:

		url.bv_len = STRLENOF( "ldap://" ) + strlen( hosts[i] );
		url.bv_val = ch_malloc( url.bv_len + 1 );

		strcpy( url.bv_val, "ldap://" );
		strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] );

I'm not sure whether you want me to deliver a complete patch or not ... 

Thanks to my colleague Manuel Gaupp for detecting this problem.

Best regards,  Jochen.
Comment 1 ando@openldap.org 2010-04-17 15:53:02 UTC 
changed notes
changed state Open to Suspended
Comment 2 ando@openldap.org 2010-04-17 22:52:42 UTC 
> Full_Name: Jochen Keutel
> Version: 2.4.21
> OS: Solaris 10
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (87.159.206.14)
>
>
> dnssrv_back_referrals() always returns ldap URLs - even when the original
> request was a ldaps query.

This is a (logical) duplicate of ITS#6462; see related answers.

> Additionally only protocol and hostname are put into the URL - the search
> base
> doesn't appear any more.
>
> Problematic code:
>
> 		url.bv_len = STRLENOF( "ldap://" ) + strlen( hosts[i] );
> 		url.bv_val = ch_malloc( url.bv_len + 1 );
>
> 		strcpy( url.bv_val, "ldap://" );
> 		strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] );
>
> I'm not sure whether you want me to deliver a complete patch or not ...

This behavior conforms to RFC4511, section 4.1.10:

   - If the <dn> part is present, the client uses this name in its next
     request to progress the operation, and if it is not present the
     client uses the same name as in the original request.

I note that few lines above the same RFC states:

   - It is RECOMMENDED that the <dn> part be present to avoid ambiguity.

However, slapd-dnssrv(5) computes the referral from DNS SRV records,
rather than returning data it knows about.  So returning the <dn> part
here would be incorrect, in my opinion, as the client could legitimately
rely on the fact that the returned DN is appropriate, while it may not.

p.
Comment 3 OpenLDAP project 2017-03-28 00:24:35 UTC 
no ldaps handling: dup of ITS#6462?
no DN: conforms to RFC4511
Comment 4 Quanah Gibson-Mount 2017-03-28 00:24:35 UTC 
changed notes
changed state Suspended to Closed