
RE: OpenLDAP behavior with regards to MessageID and the RFC



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michael Torrie

> I'm writing a special-purpose LDAP proxy server that has the ability to
> modify ldap messages it receives (raw wire protocol here) from a client
> before passing it to the server (in my case OpenLDAP 2.0 and 2.1).

First the obvious question - what is so special about your proxy server that
cannot be accomplished using OpenLDAP's existing proxy mechanisms? (e.g.,
back-ldap and/or back-meta)

> In order to stay correct I have read the RFCs on LDAPv3 wire protocol so
> as not to break anything.  I have a question on how OpenLDAP implements
> the MessageID aspect of the RFC.
>
> The RFC 2251 states simply that the MessageID cannot be reused over the
> course of a connection; each request must have a different MessageID
> than any outstanding request; and that typically the MessageID is
> incremented [by one].
>
> Now my questions.  OpenLDAP (server and client libraries) start at 1 and
> simply increment it for every request.  As I read the RFC, the client
> could increment, decrement or make random the MessageID so long as the
> above-mentioned rules are followed and everything should work fine.  In
> my testing of my proxy server, in one instance I accidentally
> incremented the MessageID such that it was more than 1 greater than the
> MessageID of the request the server had last received, and OpenLDAP 2.0
> never responded to it.  Is this a bug in OpenLDAP?  (It's been a long
> time since I tried this -- it was a bug in my program that has been
> corrected).

OpenLDAP 2.0 has been unsupported for quite a while, so none of my email
addresses it.

There is nothing in the code that requires the MessageID to follow any
particular sequence. In fact the MessageID is not validated in any way at
all. You could use a constant MessageID for all of your requests and slapd
would blithely answer. As long as you only have one request outstanding at a
time, you'd never have any problem doing this, either. (But relying on this
fact would be a mistake. The current slapd behavior should be considered a
bug. At the very least, slapd should make sure the MessageIDs of all
operations currently queued on a given connection are unique.)

> At any rate, my proxy server currently only functions if the MessageID
> is incremented by the client for each request by one, which could be a
> problem as I read the RFCs.  In practice does any client ever choose
> MessageIDs other than how the OpenLDAP client libraries do?
> Furthermore, in practice (besides the abort request) are there ever
> multiple requests in progress and does OpenLDAP handle that?  All of the
> LDAP transactions I've ever sniffed seemed to be strictly request and
> response.

You cannot assume that a client will wait for a response to each request
before sending the next. The protocol allows multiple requests to be
outstanding at once, and many common programs (e.g. sendmail) take full
advantage of that fact. (Yes, slapd handles this.) Nor should your server
require the MessageID to follow such a rigid pattern, as any LDAP client can
choose some other arbitrary MessageID sequence.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
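
The two rules discussed in this thread (a MessageID may be anything, but must not collide with a request still outstanding on the connection, and several requests may be in flight at once) translate directly into the bookkeeping a proxy has to do. The following is an added example written for this page; it is neither OpenLDAP code nor the poster's proxy. It decodes only the BER envelope of an LDAPMessage (outer SEQUENCE and the messageID INTEGER), tracks outstanding IDs per client connection, rejects a reuse while the earlier request is still open (the check Howard says slapd ought to make), and, as a design choice of this example rather than anything the thread prescribes, renumbers requests into its own sequence toward the server so the client's choice of IDs never matters upstream. Abandon and Unbind are handled as the special cases they are (neither is ever answered), and search results are treated as non-final so the ID stays reserved until the SearchResultDone. The DelRequest/DelResponse bytes at the bottom are constructed samples, not captured traffic; nothing here opens a socket.

```python
# MessageID handling for an LDAP proxy (added example, not OpenLDAP code).  Only the
# LDAPMessage envelope (SEQUENCE { messageID INTEGER(0..maxInt), protocolOp, controls })
# is decoded; the protocolOp is carried as opaque bytes.  Sample messages are constructed.

MAX_INT = 2**31 - 1
UNBIND_REQUEST = 0x42           # [APPLICATION 2]: never answered by the server
ABANDON_REQUEST = 0x50          # [APPLICATION 16]: content is the ID to abandon; never answered
NON_FINAL = {0x64, 0x73, 0x79}  # SearchResultEntry, SearchResultReference, IntermediateResponse

def ber_encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def ber_decode_len(buf, pos):
    """Decode a BER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:                          # indefinite or absurd lengths are not LDAP
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def encode_int(value):
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)  # minimal two's complement

def encode_message(msgid, tail):
    ident = encode_int(msgid)                    # tail = encoded protocolOp plus optional controls
    body = b"\x02" + ber_encode_len(len(ident)) + ident + tail
    return b"\x30" + ber_encode_len(len(body)) + body

def parse_message(raw):
    """Return (messageID, protocolOp tag, protocolOp content, tail after the messageID)."""
    if raw[0] != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    total, pos = ber_decode_len(raw, 1)
    raw = raw[:pos + total]                      # drop any following message in the buffer
    if raw[pos] != 0x02:
        raise ValueError("messageID must be an INTEGER")
    ilen, pos = ber_decode_len(raw, pos + 1)
    msgid = int.from_bytes(raw[pos:pos + ilen], "big", signed=True)
    if not 0 <= msgid <= MAX_INT:
        raise ValueError("messageID %d outside 0..maxInt" % msgid)
    tail = raw[pos + ilen:]
    op_len, op_pos = ber_decode_len(tail, 1)
    return msgid, tail[0], tail[op_pos:op_pos + op_len], tail

class ProxyConnection:
    """One client connection: the client may number requests however it likes, but an ID
    may not be reused while a request carrying it is outstanding; upstream IDs are ours."""

    def __init__(self):
        self.next_upstream = 1
        self.client_to_upstream = {}             # outstanding requests, by client messageID
        self.upstream_to_client = {}

    def _allocate(self):
        self.next_upstream += 1
        return self.next_upstream - 1

    def from_client(self, raw):
        """Validate one client request; return bytes for the server, or None to drop it."""
        msgid, op_tag, op_content, tail = parse_message(raw)
        if msgid == 0:
            raise ValueError("messageID 0 is reserved for unsolicited notifications")
        if msgid in self.client_to_upstream:
            raise ValueError("messageID %d reused while a request with it is outstanding" % msgid)
        if op_tag == ABANDON_REQUEST:
            target = int.from_bytes(op_content, "big", signed=True)
            up_target = self.client_to_upstream.pop(target, None)
            if up_target is None:
                return None                      # nothing outstanding under that ID
            del self.upstream_to_client[up_target]   # late responses for it will be dropped
            controls = tail[1 + len(ber_encode_len(len(op_content))) + len(op_content):]
            new_target = encode_int(up_target)
            new_op = bytes([ABANDON_REQUEST]) + ber_encode_len(len(new_target)) + new_target
            return encode_message(self._allocate(), new_op + controls)
        up = self._allocate()
        if op_tag != UNBIND_REQUEST:             # unbind gets no response, so nothing to await
            self.client_to_upstream[msgid] = up
            self.upstream_to_client[up] = msgid
        return encode_message(up, tail)

    def from_upstream(self, raw):
        up, op_tag, _, tail = parse_message(raw)  # returns bytes for the client, or None
        if up == 0:
            return raw                           # unsolicited notification: pass through
        client_id = self.upstream_to_client.get(up)
        if client_id is None:
            return None
        if op_tag not in NON_FINAL:              # final result: the client ID is free again
            del self.upstream_to_client[up]
            del self.client_to_upstream[client_id]
        return encode_message(client_id, tail)

# Constructed samples: DelRequest [APPLICATION 10] LDAPDN and a success DelResponse.
DEL_REQUEST = b"\x4a\x16" + b"cn=x,dc=example,dc=com"
DEL_RESPONSE_OK = b"\x6b\x07\x0a\x01\x00\x04\x00\x04\x00"
```

With this in place a client that counts down, picks random IDs, or reuses an ID the moment the previous result arrived is served correctly, while a client that reuses an ID with that request still open is refused rather than silently answered, which is the behaviour Howard describes as what slapd should do. Responses that arrive for an abandoned operation are dropped instead of being delivered under a stale ID. The same tables are what a proxy needs anyway to demultiplex several outstanding operations on one upstream connection.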