[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5927) assertion error when using pcache

mhardin@symas.com wrote:
> Some additional information:
> Some objects being returned from AD have very large multi-valued  
> attributes (for example, member). AD is returning them in the ";range"  
> format, but they are not getting past back-meta. For example, a direct  
> search for the object in AD will return stuff like this:
> member;range=0-1499: CN=Alice Bar,OU=My-Company-Accounts,OU=User  
> Accounts,OU=Common,DC=my-company,DC=com
> but doing the same search through slapd/back-meta using the same  
> credentials, the member attribute is not displayed at all. There are  
> no attribute maps in place that would cause this.

Apparently, that was it: back-meta (and back-ldap) was ignoring 
attribute names that cannot be parsed, but it was not discarding their 
values.  Should be fixed now in HEAD.  Please test.

BTW, it seems that proxy backends could try to exploit this in order to 
intercept value ranges returned by AD and consolidate them in a single, 
LDAP compliant entry.  Not something I'm too excited about, though.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it