
Re: (ITS#7353) Handling request controls that include spurious control values



> mhardin@symas.com wrote:
>> Some clients, like Oracle SGD, incorrectly implement the password policy request
>> control by including a zero-length control value with the request control.
>> OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the
>> operation with a Protocol Error (2). While this behavior follows the letter of
>> RFC 4511, the control value in this case is zero-length and therefore harmless.
>> Failing in this case seems merely punctilious, and has no real benefit. For
>> reference, OpenLDAP 2.3 allowed a zero-length control value.
>
> For the very same reason I've added a work-around in upcoming python-ldap
> 2.4.11 to handle non-decodable control response values as being absent in case
> CRITICAL flag is False. (Apache DS 2.0.0M7 also returns such an invalid
> zero-length value in password policy response control.)
>
> I'd appreciate to discuss a bit further whether that's the right approach.
> Maybe we should take this to ietf-ldapbis mailing list as interop issue?

Occasionally, we handled malformed or non-standard control values (I
recall something about the many versions of the proxiedAuthz control). 
Our usual policy was to be "tolerant" about what comes in, possibly by
requiring an explicit configuration statement to enable "tolerance"
(usually, an admin knows when his system works in a broken environment,
and wants to be able to decide whether to be tolerant or not).  So I
favour allowing the administrator to explicitly enable tolerance with
respect to malformed controls (my 2c).

p.
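
The distinction discussed in this thread, at the wire level, as an added example (not OpenLDAP or python-ldap code): an absent controlValue versus a present but zero-length one, with strict handling by default and an explicit opt-in for tolerance. The switch name tolerate_empty_value, the helper names and the sample encodings are assumptions made for illustration.

```python
# Added illustration; not OpenLDAP or python-ldap code.
PPOLICY_OID = b"1.3.6.1.4.1.42.2.27.8.5.1"  # passwordPolicyRequest controlType
SUCCESS, PROTOCOL_ERROR = 0, 2               # RFC 4511 resultCode values

def _tlv(buf, pos):
    """Read one BER TLV with a short-form (< 128) length; return tag, body, end."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated body")
    return buf[pos], buf[pos + 2:end], end

def parse_control(buf):
    """Decode an RFC 4511 Control. value is None when controlValue is absent
    and b"" when it is present but zero-length."""
    tag, body, end = _tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one Control SEQUENCE")
    tag, oid, pos = _tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    critical, value = False, None
    if pos < len(body) and body[pos] == 0x01:   # optional BOOLEAN criticality
        _, flag, pos = _tlv(body, pos)
        critical = any(flag)                    # any non-zero octet means TRUE
    if pos < len(body):                         # optional controlValue
        tag, value, pos = _tlv(body, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
    if pos != len(body):
        raise ValueError("trailing bytes in Control")
    return oid, critical, value

def check_ppolicy_request(buf, tolerate_empty_value=False):
    """Result code for a passwordPolicyRequest control. tolerate_empty_value is
    a hypothetical admin switch; the default is the strict behaviour."""
    oid, _critical, value = parse_control(buf)
    if oid != PPOLICY_OID:
        raise ValueError("not a passwordPolicyRequest control")
    if value is None or (value == b"" and tolerate_empty_value):
        return SUCCESS
    return PROTOCOL_ERROR   # "passwordPolicyRequest control value not absent"

def _enc(tag, body):        # encoder for the constructed samples below
    return bytes([tag, len(body)]) + body
ABSENT = _enc(0x30, _enc(0x04, PPOLICY_OID))                       # no value
EMPTY = _enc(0x30, _enc(0x04, PPOLICY_OID) + _enc(0x04, b""))      # 04 00
NONEMPTY = _enc(0x30, _enc(0x04, PPOLICY_OID) + _enc(0x04, b"x"))  # real payload
```

Only the zero-length case changes outcome when the switch is on; a control value with real content is still rejected.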