OpenLDAP
Viewing Software Bugs/8923
Date: Wed, 03 Oct 2018 20:25:43 +0000
From: quanah@openldap.org
To: openldap-its@OpenLDAP.org
Subject: compare op with dynlist returns wrong code when requested DN is in scope but doesn't exist
Full_Name: Quanah Gibson-Mount
Version: HEAD
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


In a situation where a dynamic group has been created and a compare operation is
run with a DN that doesn't exist but is within the scope of the dynamic group
URI, the ldapcompare operation will incorrectly return an error 80 instead of
error 5 (compare FALSE).

For example, if I have:

dn: cn=planning,ou=Groups,dc=example,dc=com
objectClass: groupOfURLs
cn: planning
memberURL: ldap:///ou=planning,dc=example,dc=com??sub?(objectClass=inetorgperson)

and I do an ldapcompare with:

ldapcompare -x -H ldap://anvil2.rb.symas.net -D dc=example,dc=com -w secret cn=planning,ou=Groups,dc=example,dc=com "member:cn=Ramakant Wolow,ou=Planning,dc=example,dc=com"

(i.e., this entry doesn't exist in the DB), I get:

Compare Result: Other (e.g., implementation specific) error (80)
UNDEFINED

This appears to be due to the fact that in this scenario, slapd attempts to find
the DN in the underlying DB and it doesn't exist, so an err=32 is returned back.
This is incorrectly interpreted as an unknown error, thus the err=80 result.
Instead it should be treated as "not a member of the group".