
Re: (ITS#4979) Bad response when requesting bad attributes

Hallvard B Furuseth wrote:

>elecharny@apache.org writes:
>>ldapsearch -h localhost -p 10389 -D "uid=Admin,ou=system" -w secret -b
>>"dc=example,dc=com" -s sub "(objectClass=*)" person
>>will return all entries attributes, as if the 'person' was substituted
>>by "*"
>That is what RFC 4511 says.  Section (SearchRequest.attributes):
>  "If an attribute description in the list is not recognized, it is
>  ignored by the server."
>Ignoring "person" yields an empty list, which works like a "*".
>I'm guessing that's not what it was intended to say though.  RFC 1777
>(LDAPv2) did not have it, so 'person' would work like '1.1' does now.
Well, RFC 4511 just states that if the attribute is unknown, then it is
ignored, but says nothing about using '1.1' or '*'.

Ignoring the only attributes given by the user and substituting a '*' for
them is a violation of user intent, IMHO (even if this user was wrong when
selecting the attribute).

RFC 4511 authors didn't think of such a case, I guess ;)

Anyway, OpenLDAP behaves differently if the attribute is unknown (9.9.9)
and when it is known by the server (at least, the OID is known, even if
it's not an attribute object), when it should always return the same
result: either '*' or '1.1'. This is not the case, and it's not
consistent, whatever RFC 4511 says - or omits to say :) -.
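
An added example, not part of the original message and not OpenLDAP or ApacheDS code: a small Python model of the attribute-list handling discussed in this thread. It compares the reading of RFC 4511 quoted above with the alternative of returning no attributes when nothing requested is recognized. The schema, the entry and the `unknown_only_policy` parameter are constructed for illustration.

```python
# Added illustration of the two behaviours discussed in the thread.
# Schema, entry and policy names are constructed; no real server is modelled.

ALL_USER = "*"    # selector meaning "all user attributes"
NO_ATTRS = "1.1"  # selector meaning "no attributes" when it is the only one

# Constructed schema: attribute types the hypothetical server recognizes.
KNOWN_ATTRS = {"cn", "sn", "mail", "objectclass"}

# Constructed entry.
ENTRY = {"cn": ["Alice"], "sn": ["Example"],
         "mail": ["alice@example.com"], "objectClass": ["person"]}


def select_attributes(requested, unknown_only_policy="literal"):
    """Resolve a SearchRequest attribute list to ALL_USER or a set of names.

    unknown_only_policy (hypothetical knob):
      "literal"  - unrecognized names are dropped; if nothing is left, the
                   list is treated as empty, i.e. all user attributes
      "no-attrs" - a non-empty request with nothing recognized returns
                   no attributes, like '1.1'
    """
    if not requested:                 # empty list: all user attributes
        return ALL_USER
    names = [r.lower() for r in requested]
    if ALL_USER in names:
        return ALL_USER
    if names == [NO_ATTRS]:           # '1.1' alone: no attributes
        return set()
    recognized = {n for n in names if n in KNOWN_ATTRS}
    if recognized:                    # unknown names are silently ignored
        return recognized
    # Every requested name was ignored: the case argued about above.
    return ALL_USER if unknown_only_policy == "literal" else set()


def project(entry, selection):
    """Return the part of the entry that the selection lets through."""
    if selection == ALL_USER:
        return dict(entry)
    return {k: v for k, v in entry.items() if k.lower() in selection}


if __name__ == "__main__":
    for policy in ("literal", "no-attrs"):
        for req in (["person"], ["9.9.9"], ["cn", "person"], ["1.1"]):
            print(policy, req, project(ENTRY, select_attributes(req, policy)))
```

Under either policy `person` and `9.9.9` resolve identically, which is the consistency asked for above; only the "literal" policy turns a mistyped attribute list into a full-entry response.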