Re: Please tell me I have something configured wrong...
Well, I did some digging in the RFCs and I really can't find anything that says the LDAP server can't handle the DN a little better. Can you point me specifically to the RFC and section that deals with this topic?
Also, for my own sanity, maybe someone can clarify this for me. The LDAP RFCs seem to deal with the LDAP protocol itself and really don't impose much restriction on the DIT implementation. This issue of OpenLDAP allowing invalid DNs into the DIT seems to be an issue with the DIT implementation. Following this reasoning, this is a bug and should be fixed.
>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 08/15/02 09:14PM >>>
At 07:19 AM 2002-08-15, Tony Thompson wrote:
>I have a groupOfNames object and I am adding members to the group. I noticed that I can add any DN to the "member" attribute, even if the DN doesn't exist. For example, I added "cn=fred,dc=example,dc=com" as a "member" of my group. My suffix is not "dc=example,dc=com" and I don't have an object named "fred" anywhere in my database. I tested adding a string like "nothing" and it failed because it didn't follow the syntax rules. I could however add "cn=nothing" and it worked.
>Is there a way to make OpenLDAP verify that the DN that is being added is valid and fail the operation if it is not?
No. The LDAP technical specification prohibits the server from checking whether a DN provided as a value of a user application attribute refers to an existing entry or not.
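An added example, not code from this thread or from OpenLDAP, that separates the two checks the exchange distinguishes: DN string syntax, which slapd enforces (rejecting "nothing" but accepting "cn=nothing"), and whether the DN names an existing entry, which it does not check. The sample DIT and member values are constructed, and the RFC 4514 grammar is simplified for an audit helper.

```python
import re

# Constructed sample DIT: the DNs that actually exist on the server.
EXISTING_ENTRIES = {
    "dc=example,dc=org",
    "ou=people,dc=example,dc=org",
    "cn=alice,ou=people,dc=example,dc=org",
    "cn=bob,ou=people,dc=example,dc=org",
}

# Simplified RFC 4514 string DN grammar: type=value, '+' joins multi-valued RDNs,
# ',' joins RDNs; escapes are '\' + special char or '\' + two hex digits.
# Hex-string values ('#...') are not modelled; this is an audit helper, not slapd's validator.
_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)"
_VALUE = r'(?:[^,+"\\<>;]|\\[ ,+"\\<>;#=]|\\[0-9A-Fa-f]{2})*'
_RDN = rf"{_TYPE}\s*=\s*{_VALUE}(?:\s*\+\s*{_TYPE}\s*=\s*{_VALUE})*"
_DN = re.compile(rf"^(?:{_RDN}(?:\s*,\s*{_RDN})*)?$")

def is_valid_dn_syntax(dn: str) -> bool:
    """Syntax only, the check slapd performs; says nothing about whether the entry exists."""
    return _DN.fullmatch(dn) is not None

def normalize_dn(dn: str) -> str:
    """Comparison form: lowercase types, case-folded trimmed values, sorted AVAs,
    no whitespace around separators (assumes caseIgnore matching, as for cn/ou/dc)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):        # split on unescaped commas
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):  # multi-valued RDN components
            typ, _, val = ava.partition("=")
            avas.append(f"{typ.strip().lower()}={val.strip().lower()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)

def audit_members(members: list[str], existing: set[str]) -> dict[str, str]:
    """Classify each 'member' value of a groupOfNames: 'invalid-syntax' (slapd rejects it),
    'dangling' (well-formed DN but no such entry; slapd accepts it anyway), or 'ok'."""
    known = {normalize_dn(e) for e in existing}
    verdicts = {}
    for m in members:
        if not is_valid_dn_syntax(m):
            verdicts[m] = "invalid-syntax"
        elif normalize_dn(m) not in known:
            verdicts[m] = "dangling"
        else:
            verdicts[m] = "ok"
    return verdicts
```

A dangling member is worth flagging because an entry later created under that DN silently inherits the group's access; OpenLDAP's slapo-refint overlay only cleans up references when the target is renamed or deleted, so a periodic audit of this kind is what catches members that never resolved.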