[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5751) undefined value in slapo-constraint with bad filter

michael@stroeder.com wrote:
> hyc@symas.com wrote:
>> h.b.furuseth@usit.uio.no wrote:
>>> Full_Name: Hallvard B Furuseth
>>> Version: HEAD, RE24
>>> OS:
>>> URL:
>>> Submission from: (NULL) (
>>> Submitted by: hallvard
>>> overlays/constraint.c:constraint_violation() uses and maybe returns an
>>> undefined value in 'rc' if the filter is bad (nop.ors_filter == NULL).
>>> I have no idea what rc should be in this case.
>>> Introduced in constraint.c 1.18 (OpenLDAP 2.4.12).
>> Probably should just set rc=LDAP_SUCCESS in this case. The constraint is 
>> invalid, so it cannot be violated.
> Hmm, I'd prefer a strong indication that the constraint is invalid.
> If it can be proven that the filter is bad slapo-constraint should
> probably stop during startup with an appropriate message. Otherwise
> returning constraintViolation would be appropriate either since the LDAP
> client fails then and it makes admins search for the cause of it.

I concur.  I've made slapo-constraint(5) return LDAP_OTHER, so it's 
clear that there's something wrong.  Returning LDAP_CONSTRAINT_VIOLATION 
would have erroneously indicated that the value was not allowed but 
everything was working fine.  Please test.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it