[Date Prev][Date Next] [Chronological] [Thread] [Top]

do_modify & referral


 I am using latest openldap from cvs repository, solaris 5.7
and SASL+GSSAPI for authentication. I am testing the referrals,
ldapsearch and ldapmodify with -C and -M flags. 

 I have an entry with referral line like this in the first server,

dn: hn=hammie.isi.edu, o=Grid
blah blah
ref: ldap://hammie.isi.edu:5001/hn=hammie.isi.edu,o=Globus,c=US

 During a search with -C, the first server will return the complete
url to the client and client lib do referral chasing to the 2nd server 
by generating correct search request call with the new dn.

 But during a modify with -C, the client only gets first part of the 
referral url from the server. Therefore, when encoding the new request,
the original dn was reused instead of the one from the referral line.

 Tracing the first server's code, for modify, 
do_modify -> ldbm_back_referrals ->ldbm_referrals and then
send_ldap_result is called to send back the referral string.
But in send_ldap_result, following check trimmed out the tail 
end of the url before send_ldap_response is called to do the 
actually send.

        if( op->o_tag != LDAP_REQ_SEARCH ) {
                trim_refs_urls( ref );

 Tracing the case for search,
send_search_reference calls access_allowed and when that is done 
the complete referral line is packed into a ber structure and 
send_ldap_ber is called to send it back.

 So, I was wondering if the server suppose to drop the dn from referral
line for modify operation and also if allow_access should be called to check
the permission to access the entry for modify just as it does for the
search operation?

 If you need the actual call stack from a trace, please let me know.