Full_Name: Quanah Gibson-Mount
Version: 2.4.46
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)

As noted in the OpenLDAP source
(http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/slapd/controls.c;hb=refs/heads/OPENLDAP_REL_ENG_2_4#l323)
there is an issue with controls being reset with a new extended operation. This
is problematic for a proxy auth mechanism being developed, as it needs to have
the controls preserved while passing an extended op to slapd.

A possibility would be to re-register the control, adding the corresponding
extended operations, but the parsing function resets them so this unfortunately
is not an option.

On Fri, May 04, 2018 at 09:21:59PM +0000, quanah@openldap.org wrote:
> As noted in the OpenLDAP source
> (http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/slapd/controls.c;hb=refs/heads/OPENLDAP_REL_ENG_2_4#l323)
> there is an issue with controls being reset with a new extended operation. This
> is problematic for a proxy auth mechanism being developed, as it needs to have
> the controls preserved while passing an extended op to slapd.
>
> A possibility would be to re-register the control, adding the corresponding
> extended operations, but the parsing function resets them so this unfortunately
> is not an option.

The issue is actually allowing existing controls to be used with newly
registered exops, since the only way to declare the compatibility would
be by re-registering the control. Problem there is that built-in
controls have everything static to controls.c, so it's not even possible
to do that.

A solution would be to add another piece of API that receives a pair of
(control OID, exop OID), finds the control and adds the OID to the
sc_extendedops(bv) lists.

Going to do just that (register_control_exop() a decent name?).

Cheers,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

ondra@mistotebe.net wrote:
> On Fri, May 04, 2018 at 09:21:59PM +0000, quanah@openldap.org wrote:
>> As noted in the OpenLDAP source
>> (http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/slapd/controls.c;hb=refs/heads/OPENLDAP_REL_ENG_2_4#l323)
>> there is an issue with controls being reset with a new extended operation. This
>> is problematic for a proxy auth mechanism being developed, as it needs to have
>> the controls preserved while passing an extended op to slapd.
>>
>> A possibility would be to re-register the control, adding the corresponding
>> extended operations, but the parsing function resets them so this unfortunately
>> is not an option.
>
> The issue is actually allowing existing controls to be used with newly
> registered exops, since the only way to declare the compatibility would
> be by re-registering the control. Problem there is that built-in
> controls have everything static to controls.c, so it's not even possible
> to do that.
>
> A solution would be to add another piece of API that receives a pair of
> (control OID, exop OID), finds the control and adds the OID to the
> sc_extendedops(bv) lists.
>
> Going to do just that (register_control_exop() a decent name?).

Makes sense.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

On Tue, May 08, 2018 at 04:09:12PM +0000, hyc@symas.com wrote:
> ondra@mistotebe.net wrote:
>> The issue is actually allowing existing controls to be used with newly
>> registered exops, since the only way to declare the compatibility would
>> be by re-registering the control. Problem there is that built-in
>> controls have everything static to controls.c, so it's not even possible
>> to do that.
>>
>> A solution would be to add another piece of API that receives a pair of
>> (control OID, exop OID), finds the control and adds the OID to the
>> sc_extendedops(bv) lists.
>>
>> Going to do just that (register_control_exop() a decent name?).

This implementation is in the ITS8845 branch of my GitHub repo:
https://github.com/mistotebe/openldap/tree/ITS8845

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
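
Added example, not part of the thread and not the code in the ITS8845 branch: a simplified C model of the API proposed above, in which a (control OID, exop OID) pair is appended to a file-static control's sc_extendedops list and a control stays rejected for any exop not on that list. The struct layout, the helper names other than register_control_exop(), the return codes and the OIDs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, not slapd's structures: a control and its exop OID list. */
struct ctrl { const char *oid; char **sc_extendedops; /* NULL-terminated */ };
/* Constructed placeholder OIDs, not real assignments. */
#define CTRL_OID "1.3.6.1.4.1.55555.1.1"
#define NEW_EXOP "1.3.6.1.4.1.55555.2.1"
/* File-static like the built-in controls: callers cannot re-register it. */
static struct ctrl builtin[] = { { CTRL_OID, NULL } };

static struct ctrl *find_control(const char *oid) {
    for (size_t i = 0; oid && i < sizeof builtin / sizeof builtin[0]; i++)
        if (strcmp(builtin[i].oid, oid) == 0) return &builtin[i];
    return NULL;
}

/* 0 on success (also if already listed), -1 on unknown control or no memory. */
int register_control_exop(const char *ctrl_oid, const char *exop_oid) {
    struct ctrl *c = find_control(ctrl_oid);
    char **grown; size_t n = 0;
    if (c == NULL || exop_oid == NULL) return -1;
    for (; c->sc_extendedops && c->sc_extendedops[n]; n++)
        if (strcmp(c->sc_extendedops[n], exop_oid) == 0) return 0;
    grown = realloc(c->sc_extendedops, (n + 2) * sizeof *grown);
    if (grown == NULL) return -1;
    c->sc_extendedops = grown;
    grown[n + 1] = NULL;
    grown[n] = malloc(strlen(exop_oid) + 1); /* NULL here still terminates the list */
    if (grown[n] == NULL) return -1;
    strcpy(grown[n], exop_oid);
    return 0;
}

/* 1 if the control is declared compatible with the exop, else 0 (default deny). */
int control_allowed_on_exop(const char *ctrl_oid, const char *exop_oid) {
    struct ctrl *c = find_control(ctrl_oid);
    for (size_t i = 0; c && c->sc_extendedops && c->sc_extendedops[i]; i++)
        if (strcmp(c->sc_extendedops[i], exop_oid) == 0) return 1;
    return 0;
}

int main(void) {
    int before = control_allowed_on_exop(CTRL_OID, NEW_EXOP);
    register_control_exop(CTRL_OID, NEW_EXOP);
    printf("before=%d after=%d\n", before, control_allowed_on_exop(CTRL_OID, NEW_EXOP));
    return 0;
}
```
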
changed notes moved from Incoming to Software Enhancements
Added to master
changed notes changed state Open to Test