[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5339) wrong referral from back-bdb

Howard Chu writes:
>h.b.furuseth@usit.uio.no wrote:
>>Howard Chu writes:
>>>> Both RFCs disagree.
>>> They are wrong. Or at least, under-specified. In X.501 section 17.3
>>> "Directory Distribution Model" it's quite clear that all of the
>>> components of a distributed directory must belong to a single DIT.
>> Which is not true in the LDAP world, and I don't know about today's
>> X.500 world.  Nameflow died and Dante was unable to resurrect it.  Maybe
>> the X.500 world has also switched to 'dc' structure, I don't know.
>> Anyway, LDAP is not X.500.
> RFC4510 Section 2 "Relationship to X.500"
>     (...) An LDAP server MUST act in accordance with the X.500 (1993)
>     series (...)

Except when it doesn't.  Like the various implications of sending text
instead of ASN.1 and numeric OIDs.

> (...)  LDAPv1 had no referrals. When they were introduced in LDAPv2
> it's clear that nobody knew what they were doing, or nobody wanted to
> tackle the glaring absence of an analogue to X.500 DSP.

LDAPv2 (the standard) has no referrals.  The Umich implementation
introduced them as a hack: It stuffed them into the errorMessage field.
LDAPv3 moved them into the standard.  And speaking for my own little
corner of the standardization process, I definitly was ignorant about
them and wanted nothing to do with them.  I've still never had any use
for LDAP referrals.

> They should never have been introduced.  We're stuck with them for
> now, but we can at least try to make them make sense.

Well, take it up with ldapext.  And add an option to slapd to reject
attempts to add 'ref' attrs with a DN, or whatever.

For now, once the directory contains a 'ref' URL which includes the DN,
I don't see any reason not to rewrite like the spec says.  Whatever the
"right answer" is, a referral with an un-rewritten DN seems worse than
with a rewritten one.

Regarding the branches of bdb_referrals() and ldif_back_referrals()
which rewrite default_referral: I suggest we delete it.
The back-ldif code breaks exactly as one would expect:  With
    referral ldap://urgle/
    database ldif
    suffix   o=foo
and an empty database, ldapcompare cn=bar,o=foo gives a referral to
urgle.  So does ldapadd of o=foo:-(  I seem to remember someone meant
the latter was correct and there was a control to prevent it at some
point, maybe that is related.  back-bdb has a test which prevents this
referral in case of the suffix dn, but not for superior DNs.  But I
don't see why it would not be just as buggy for superiors, if it could