[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: wildcard search

To: Peter Schober <peter.schober@univie.ac.at>
Subject: Re: wildcard search
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 11 Aug 2004 10:19:07 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20040809175837.GA14027@univie.ac.at>
References: <20040809132830.GA13463@univie.ac.at> <956616B0373B3B658FD1B65A@cadabra.stanford.edu> <20040809175837.GA14027@univie.ac.at>

Looks to me like the client asserted a filter which contained
four invalid substrings assertions.  Without details of the
PDU (hexdump of the BER encoded LDAP message), it's hard to
say what exactly the client is doing, but I would guess it
not properly escaping user input when producing the string
representation of the search filter it passes to the LDAP
client library it is calling, resulting in unexpected behavior.
That is, I assume it is treating your "*" input just as it
did "blah", disregarding the fact that "*" is special to the
filter string representation.  That leads to things like
(cn=***), an assertion of two empty ANY substrings.  As
substrings of the Directory String syntax cannot be empty,
each of the assertions is Undefined.

At 10:58 AM 8/9/2004, Peter Schober wrote:
>Quanah,
>
>* Quanah Gibson-Mount <quanah@stanford.edu> [2004-08-09 19:04]:
>> You might test having a slapd running with "-d -1" and watch the
>> output from a single wildcard search...
>
>that's exactly what I did. from all the entries in the log I picked
>the one I thought might explain best what I don't understand
>here. the sourrounding entries look like this, but won't explain much:
>
>SRCH "ou=whatever,dc=example,dc=com" 2 0
>    100 0 0
>begin get_filter
>OR
>begin get_filter_list
>begin get_filter
>SUBSTRINGS
>begin get_ssa
>end get_ssa
>end get_filter 0
>begin get_filter
>SUBSTRINGS
>begin get_ssa
>end get_ssa
>end get_filter 0
>begin get_filter
>SUBSTRINGS
>begin get_ssa
>end get_ssa
>end get_filter 0
>begin get_filter
>SUBSTRINGS
>begin get_ssa
>end get_ssa
>end get_filter 0
>end get_filter_list
>end get_filter 0
>    filter: (|(?=undefined)(?=undefined)(?=undefined)(?=undefined))
>    attrs:
> modifytimestamp
> [and many other attributes following including the ones mozilla
>  searched for]
>
>so that seems to be the textual description of my search, with "OR",
>"filter lists" and "SUBSTRINGS". Don't know what "get_ssa" is (search
>string something?).
>the only difference from the entries in the other server (where the
>search works) seem to be that where "get_ssa" is in 2.2.13 I find
>"begin get_substring_filter" in the ancient 2.1.4.
>
>any ideas? more logs? ;)
>-p.schober
>
>-- 
>Peter.Schober@univie.ac.at - Vienna University Computer Center
>Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
>Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Follow-Ups:
- Re: wildcard search
  - From: Peter Schober <peter.schober@univie.ac.at>

References:
- wildcard search
  - From: Peter Schober <peter.schober@univie.ac.at>
- Re: wildcard search
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: wildcard search
  - From: Peter Schober <peter.schober@univie.ac.at>

Prev by Date: Re: authentication with TLS
Next by Date: SLAPD denial of connections under load
Index(es):
- Chronological
- Thread