[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6421) simple filter with no brackets breaks slapo-dynlist(5)

> masarati@aero.polimi.it writes:
>> When a memberURL contains a simple filter with no brackets, like
>> ldap:///ou=People,dc=example,dc=com???objectClass=person
>> slapo-dynlist(5) is unable to build the composite filter needed
>> for the related internal search.
>> A fix is coming.
> Are you sure that's a good idea to fix?
> It's not a valid LDAP filter, even though OpenLDAP accepts it in
> many places.  That we accept it from users in tools is fair enough,
> but I'm not sure it's a good idea to accept them on the server side.
> Makes them one step closer to interoperability problems if they
> reach other servers that do not slap on the necessary parens.

Well, the fact is that memberURL is stored in the data.  As soon as we
accept that value, we need to deal with it.  The current behavior of
slapo-dynlist(5) consists in ignoring it (the resulting filter cannot be
parsed).  We should rather reject values like this when written in the
database, but this would probably break other applications.  So I believe
the fix is better than silently ignoring these values.