
Re: (ITS#5927) assertion error when using pcache



mhardin@symas.com wrote:
> Some additional information:
> 
> Some objects being returned from AD have very large multi-valued  
> attributes (for example, member). AD is returning them in the ";range"  
> format, but they are not getting past back-meta. For example, a direct  
> search for the object in AD will return stuff like this:
> 
> member;range=0-1499: CN=Alice Bar,OU=My-Company-Accounts,OU=User  
> Accounts,OU=Common,DC=my-company,DC=com
> 
> but doing the same search through slapd/back-meta using the same  
> credentials, the member attribute is not displayed at all. There are  
> no attribute maps in place that would cause this.

Apparently, that was it: back-meta (and back-ldap) was ignoring 
attribute names that cannot be parsed, but it was not discarding their 
values.  Should be fixed now in HEAD.  Please test.

BTW, it seems that proxy backends could try to exploit this in order to 
intercept value ranges returned by AD and consolidate them in a single, 
LDAP-compliant entry.  Not something I'm too excited about, though.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
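
The consolidation of AD value ranges mentioned in the message above, sketched as an added example; this is not OpenLDAP code and not from the author. `split_range` and `consolidate` are hypothetical names, the sample entries are constructed, and the code assumes AD's convention that the first chunk starts at 0 and the last one is tagged `range=N-*`.

```python
import re

# AD range option "range=<low>-<high>"; <high> is "*" on the last chunk. "=" is
# not a legal option character in RFC 4512, so strict parsers reject the name.
_RANGE_OPT = re.compile(r"range=(\d+)-(\d+|\*)", re.IGNORECASE)

def split_range(desc):
    """'member;range=0-1499' -> ('member', 0, 1499); high is None for '*'."""
    name, *options = desc.split(";")
    kept, rng = [name], None
    for opt in options:
        m = _RANGE_OPT.fullmatch(opt)
        if m and rng is None:
            rng = (int(m[1]), None if m[2] == "*" else int(m[2]))
        elif m or opt.lower().startswith("range="):
            raise ValueError(f"bad range option in {desc!r}")
        else:
            kept.append(opt)
    return (";".join(kept), *rng) if rng else (desc, None, None)

def consolidate(chunks):
    """Merge the entries from successive searches; return (entry, pending)."""
    entry, ranged = {}, {}
    for chunk in chunks:
        for desc, values in chunk.items():
            name, low, high = split_range(desc)
            if low is None:
                entry.setdefault(name, []).extend(values)  # no range option
            else:
                ranged.setdefault(name, []).append((low, high, values))
    pending = {}  # attribute -> next description to request
    for name, parts in ranged.items():
        expected = 0
        for low, high, values in sorted(parts, key=lambda p: p[0]):
            if low != expected:
                raise ValueError(f"{name}: chunk starts at {low}, expected {expected}")
            entry.setdefault(name, []).extend(values)
            expected = None if high is None else high + 1
        if expected is not None:  # final "-*" chunk not seen yet
            pending[name] = f"{name};range={expected}-*"
    return entry, pending

# Constructed sample: two responses for one group, ranges shrunk to two values.
FIRST = {"cn": ["Staff"], "member": [], "member;range=0-1": ["CN=A,DC=x", "CN=B,DC=x"]}
LAST = {"member;range=2-*": ["CN=C,DC=x"]}

if __name__ == "__main__":
    print(consolidate([FIRST]))        # partial entry plus the next range to ask for
    print(consolidate([FIRST, LAST]))  # complete entry, nothing pending
```

A chunk that does not start where the previous one ended raises `ValueError` rather than producing an entry with silently missing values.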