Issue 5813 - limits with empty dn mostly do not work
Summary: limits with empty dn mostly do not work
Status: VERIFIED INVALID
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-16 07:43 UTC by Hallvard Furuseth
Modified: 2020-09-22 15:43 UTC

See Also:


Description Hallvard Furuseth 2008-11-16 07:43:09 UTC
Full_Name: Hallvard B Furuseth
Version: HEAD, RE24
OS: 
URL: http://folk.uio.no/hbf/OpenLDAP/limits-empty.txt
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard


Limits set as
  limits dn.<exact/base/onelevel/subtree/children>="" ...
are never used:
- exact/base: it only matches the empty Bind DN, which in slapd means
  anonymous, for which limits_get() does not test dn.<exact/base>.
- onelevel/subtree/children: limits_get() does not use these for the
  empty Bind DN, and it expects a non-empty Bind DN to end with ",".

Some cases above work with dn.this.foo instead of dn.foo.
limits dn.regex="" works (equivalent to limits users).
limits dn.group="" may work if the admin stuffs group members
into the root DSE.  (I haven't tested.)

My preferred fixes:

- For dn.this, fix the above since baseDN "" makes sense and dn.this is
  new anyway, so there is no backwards compatibility to worry about. 

- For dn.self, fail parsing of the limit cases above that do not work.

  Otherwise the dn.this change could invoke new functionality in
  existing configurations.  We won't know what the admin meant with DN
  "" - did he mean to include anonymous?  That is not an entry with a
  DN, but is stored in slapd and the Bind request as the empty DN.

  Also limits parsing vs. anonymous connections is dubious today anyway:
  dn.<anything>=* or dn.regex=.* are special-cased to match anonymous,
  while dn="" does not.  Also dn.children=* should not match anonymous
  but does.

  So it seems to me that any cleanup should consist of first removing
  strange cases, and if anyone wants them, reintroducing them in a later
  branch with correct semantics.

I enclose a suggested fix.  Giving Pierangelo at least time to respond,
since he either agreed or disagreed with this in this message,
I'm not sure which :-)
  http://www.openldap.org/lists/openldap-devel/200810/msg00116.html
I knew there was an issue about these limits I had forgotten.
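As an added illustration that is not part of the report, an slapd.conf fragment contrasting the empty-DN selectors the report says are never used with the anonymous/users selectors that do match; the size and time values are constructed:

```conf
# Added example (not from the ITS#5813 report): slapd.conf "limits" selectors
# and the empty-DN cases the report describes.  Limits are evaluated in the
# order they appear and the first matching selector applies.

# Never used, per the report: the empty Bind DN is anonymous, which
# limits_get() does not test against dn.exact/dn.base, and the
# onelevel/subtree/children styles expect a non-empty Bind DN ending in ",".
#limits dn.exact=""   size=10 time=5
#limits dn.subtree="" size=10 time=5

# Selectors that do cover anonymous binds and authenticated users
# (numeric values are constructed for illustration):
limits anonymous size.soft=50  size.hard=100  time.soft=10 time.hard=30
limits users     size.soft=500 size.hard=1000 time.soft=60 time.hard=120

# Catch-all for anything not matched above; the report notes that
# dn.<anything>=* is treated the same as "limits *".
limits * size=100 time=10
```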


Comment 1 Hallvard Furuseth 2008-11-16 07:44:05 UTC
moved from Incoming to Software Bugs
Comment 2 Quanah Gibson-Mount 2020-09-22 15:40:36 UTC
Invalid, binding as a zero length DN is anonymous
Comment 3 Quanah Gibson-Mount 2020-09-22 15:42:13 UTC
Putting email discussion in for posterity:

Hallvard B Furuseth wrote:

> hallvard@OpenLDAP.org writes:
>
> > 	limits.c  1.83 -> 1.84
> > More ITS#5734: Handle empty o_req_ndn.  (...)
>
> This gets somewhat inconsistent:
>
> dn.this.<subtree or exact>="" now matches target DN "".  However, to
> preserve backwards compatibility, dn.<subtree or exact>="" does not
> match anonymous binding.
>
> OTOH, limits dn.<anything>=* becomes limits *, again preserving
> backwards compatibility.  However dn.<onelevel or children>=*
> should not match empty target DN/anonymous connections.
>
> Should we leave it as it is?  Or change the old behavior?  And if so,
> does an anonymous connection have a DN so it should match "", or not?

"" is a valid DN, but not a valid entry name (AFAIK). That's why we use it for anonymous. ACLs and limits use the notion of DN to indicate two different things: the target and the user. Of course, although "" is a valid target, it is not a valid user (or, it indicates the empty user, and thus anonymous). I'm not sure I entirely got the point and whether this helps or not, but the semantics should be clear.

> Or we could make them errors to avoid admins seeing unexpected behavior
> for a config which slapd accepts.  These cases seem fairly useless, but
> could arise from something like an auto-generated config file when the
> admin inputs suffix "".

In any case, I'd prefer the original behavior be preserved as much as possible, and I'd prefer to avoid introducing pitfalls that easily trick admins (and wannabe admins) into persevering in making the same errors over and over.

p.
Comment 4 Quanah Gibson-Mount 2020-09-22 15:43:02 UTC
hallvard@OpenLDAP.org writes:
> 	limits.c  1.83 -> 1.84
> More ITS#5734: Handle empty o_req_ndn.  (...)

This gets somewhat inconsistent:

dn.this.<subtree or exact>="" now matches target DN "".  However, to
preserve backwards compatibility, dn.<subtree or exact>="" does not
match anonymous binding.

OTOH, limits dn.<anything>=* becomes limits *, again preserving
backwards compatibility.  However dn.<onelevel or children>=*
should not match empty target DN/anonymous connections.

Should we leave it as it is?  Or change the old behavior?  And if so,
does an anonymous connection have a DN so it should match "", or not?

Or we could make them errors to avoid admins seeing unexpected behavior
for a config which slapd accepts.  These cases seem fairly useless, but
could arise from something like an auto-generated config file when the
admin inputs suffix "".