
Re: Search Base (ITS#490)


   I was asking on the developer's list about how OpenLDAP should handle
requests that come in that have a NULL searchbase. It was recommended to
me to look into the fix that involves LDAP_ALLOW_NULL_SEARCH_BASE in

   I did look into it, and that fix doesn't work. do_search() will call
select_backend() and get a default backend pointer in return, but the
normalized search base "nbase" is still a 0 length string. This gets
passed into the back end search function, e.g. ldbm_back_search(), and
will result in a failure.

   A NULL or 0 length search base would need to be changed into a valid DN
as soon as it is BER-decoded out of the request.  This would be done for
each do_ function that is to accept these bogus requests. I appended an
example for doing this in do_search().

   Mind you, I'm still opposed to supporting clients that send these 
broken requests, but that's a personal decision. I wanted to point out
here that the NULL_SEARCH_BASE fix was still failing to fix the problem
for me.

-Mark Adamson
 Carnegie Mellon

in do_search(), servers/slapd/search.c:

+ 	/* addition for CE machines that send NULL search base */
+ 	if ( (base == NULL) || (base[0] == '\0') ) {
+ 		if ( nbackends ) {
+ 			if ( base ) free( base );
+ 			base = ch_strdup( backends[0].be_nsuffix[0] );
+ 		}
+ 	}
+ #endif
	nbase = ch_strdup( base );

	if( dn_normalize( nbase ) == NULL ) {
		send_ldap_result( conn, op, LDAP_INVALID_DN_SYNTAX,
			NULL, "invalid DN", NULL, NULL );
		rc = -1;
		goto return_results;
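
Review bot: the `#endif` that closes the added block has no matching `#if` or `#ifdef` among the posted lines, so the opening guard needs to be part of the patch; as shown, the block either fails to compile or closes an unrelated conditional. Inside the block, `backends[0].be_nsuffix[0]` is read after checking only `nbackends`; if the first backend has no suffix configured, that is a NULL dereference or a NULL passed to `ch_strdup()`, so test `be_nsuffix` and `be_nsuffix[0]` before using them. When `nbackends` is 0 and `base` is NULL, control still falls through to `nbase = ch_strdup( base )` with a NULL pointer; reject the request there rather than continuing. Rewriting an empty base to the first configured suffix also changes which entries an empty-base search can reach, so the comment should say that this is the intended behaviour and that it applies only when the compile-time option is enabled.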