
Detecting an error from ldap_get_values()



I was experimenting with LDAP in sendmail 8.10.0 and I found a problem
that keeps me wondering.

The problem comes when using the development version of OpenLDAP.  It
is unknown whether this happens elsewhere, though the code in sendmail
takes care of it for OpenLDAP 1.2.x.

Well, the problem is when searching a map that returns no values (it is
looking for mailroutingaddress, in case you are interested, an attribute
that may be absent according to the laser mail routing draft).  Sendmail
contains the following code fragment:

	vals = ldap_get_values(lmap->ldap_ld, entry,
			       attr);
	if (vals == NULL)
	{
		errno = ldapmap_geterrno(lmap->ldap_ld);
		if (errno == LDAP_SUCCESS)
			continue;

		/* Must be an error */

I.e., it tries to check the error after getting a NULL from ldap_get_values.
However, according to the C API draft, NULL means either no value or an
error.  Sendmail tries to find out what it was by calling ldap_get_option
for LDAP_OPT_ERROR_NUMBER and it gets a random result.  According to the
C API draft again, it returns "the code of the most recent LDAP error that
occurred for this session".  So, it is not guaranteed to return anything
meaningful unless we know an error just happened.

I think sendmail, per the spec, is wrong in trying to do this.  However, it
is legitimate on their part to want to tell an empty result from a genuine
error.

So, the options are:

	- Fix sendmail
	- Put code in OpenLDAP to help sendmail
	- Take it with ietf-ldapext

Opinions?

Julio
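
The ambiguity described in the message above, as an added example that is not part of the original post and is not sendmail or OpenLDAP code: a self-contained C model of a session whose error code is "the most recent error", compared under two checks. All names and codes are hypothetical, and the model assumes the lookup writes the session code on a genuine failure and leaves it untouched when the attribute is simply absent.

```c
#include <stddef.h>
#include <string.h>

enum { M_OK = 0, M_ERR_EARLIER = 1, M_ERR_DECODE = 2 };  /* model codes, not LDAP's */
enum outcome { HAS_VALUES, NO_VALUES, FAILED };

/* Model session: err is "the most recent error", written only on failure. */
struct session { int err; };
struct attr { const char *name; const char **vals; int corrupt; };
struct entry { const struct attr *attrs; size_t n; };

/* Model lookup: NULL means either "no values" or "error", as in the draft. */
const char **get_values(struct session *s, const struct entry *e, const char *name)
{
    for (size_t i = 0; i < e->n; i++) {
        if (strcmp(e->attrs[i].name, name) != 0)
            continue;
        if (e->attrs[i].corrupt) {          /* genuine failure */
            s->err = M_ERR_DECODE;
            return NULL;
        }
        return e->attrs[i].vals;
    }
    return NULL;                            /* absent: err left untouched */
}

/* Check shaped like the quoted fragment: trust the session code after NULL. */
enum outcome classify_stale(struct session *s, const struct entry *e, const char *name)
{
    if (get_values(s, e, name) != NULL)
        return HAS_VALUES;
    return s->err == M_OK ? NO_VALUES : FAILED;
}

/* Reset the code first, so a non-zero value after NULL belongs to this call. */
enum outcome classify_cleared(struct session *s, const struct entry *e, const char *name)
{
    s->err = M_OK;
    return classify_stale(s, e, name);
}

int main(void)
{
    const char *mail[] = { "user@example.org", NULL };   /* constructed entry */
    struct attr a[] = { { "mail", mail, 0 } };
    struct entry e = { a, 1 };
    struct session s = { M_ERR_EARLIER };   /* left over from an earlier operation */
    return classify_cleared(&s, &e, "mailroutingaddress") == NO_VALUES ? 0 : 1;
}
```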