
Re: (ITS#5980) libldap referral chasing now returns referral (10) and matchedDN

Pierangelo Masarati wrote:
> hyc@symas.com wrote:
>> ando@sys-net.it wrote:
>>> Full_Name: Pierangelo Masarati
>>> Version: HEAD/re24
>>> OS: irrelevant
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (
>>> Submitted by: ando
>>> Probably a side-effect of fixing ITS#5853: when setting LDAP_OPT_REFERRALS,
>>> libldap automatically chases any referrals, but at the end returns a response
>>> with ld_errno set to 10 and ld_matched set to the portion of DN that was matched
>>> in the initial request.  This is because the corresponding fields in the parent
>>> request are not cleared when the referral is successfully chased.  I'm trying to
>>> fix this, but it's not clear to me when success should be detected: at
>>> successful referral chasing request submission, I guess?
>> When does this behavior occur? It doesn't show up in e.g. test009...
> If you have a subordinate reference in server1 that points to server2
> and you search server1 using the DN of the subordinate reference.  What
> I do is:
> - fire test003
> - create a slapd.2.conf with suffix "ou=Other,dc=example,dc=com"
> - populate server1 with
> dn: ou=Other,dc=example,dc=com
> objectClass: referral
> objectClass: extensibleObject
> ou: Other
> ref: ldap://:9012/ou=Other,dc=example,dc=com
> - populate server2 with
> dn: ou=Other,dc=example,dc=com
> objectClass: organizationalUnit
> ou: Other
> dn: cn=Foo Bar,ou=Other,dc=example,dc=com
> objectClass: device
> cn: Foo Bar
> - search server1 for "ou=Other,dc=example,dc=com"

According to libldap/request.c this test is invalid; find_connection will not 
match URLs with empty hostname. That code has been like that for several 
years. Perhaps the test for empty hostname should be dropped, but in real 
deployments a referral to localhost doesn't make a lot of sense anyway.

> Apparently, test009 is only testing the superior reference.  test016
> tests subordinate references, but without even trying -C.  I think the
> test should be modified to be run once without and once with -C in order
> to test the library's behavior.  I believe automatic referral chasing
> should be deprecated, but I fear there are tons of code out there that
> rely on it.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
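
Added example, not part of the thread or of the OpenLDAP code base: a small LDIF check for the condition raised in the reply above, a referral entry whose `ref` URL has an empty hostname. The sample LDIF is constructed from the entry quoted in the thread plus a made-up second entry; `ldap.example.net` and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: the referral entry quoted in the thread, plus a made-up
# entry whose ref URL names a host (ldap.example.net is hypothetical).
SAMPLE_LDIF = """\
dn: ou=Other,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
ou: Other
ref: ldap://:9012/ou=Other,dc=example,dc=com

dn: ou=People,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
ou: People
ref: ldap://ldap.example.net:389/ou=People,
 dc=example,dc=com
"""


def parse_ldif(text):
    """Yield one {attr: [values]} dict per record (plain 'attr: value' lines only)."""
    for block in text.replace("\r\n", "\n").split("\n\n"):
        # LDIF folds long lines: a continuation line starts with one space.
        unfolded = block.replace("\n ", "")
        record = {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            record.setdefault(attr.strip().lower(), []).append(value.strip())
        if record:
            yield record


def hostless_referrals(text):
    """Return (dn, ref) pairs for referral entries whose ref URL has no host."""
    findings = []
    for rec in parse_ldif(text):
        classes = [c.lower() for c in rec.get("objectclass", [])]
        if "referral" not in classes:
            continue
        for ref in rec.get("ref", []):
            # urlsplit reports hostname None for "ldap://:9012/..."
            if urlsplit(ref).hostname is None:
                findings.append((rec.get("dn", ["?"])[0], ref))
    return findings


if __name__ == "__main__":
    for dn, ref in hostless_referrals(SAMPLE_LDIF):
        print(f"{dn}: referral URL has no host: {ref}")
```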