[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7863) Invalid DN syntax (34) not written by slapo-accesslog

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7863) Invalid DN syntax (34) not written by slapo-accesslog
From: hyc@symas.com
Date: Thu, 29 May 2014 23:33:35 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

pierangelo.masarati@polimi.it wrote:
> It now comes to my mind that another perhaps less intrusive chance of
> intervention could be to act at the *response* level.  Think of:
>
> - the possibility to stack code in the response chain (not necessarily
> overlays)
>
> - have a way to understand if the response originates *before* the
> frontend was called
>
> In this case, the custom code could re-parse the request to re-detect
> why it failed and handle it (e.g. log custom information on failure
> reason).  Not a piece of cake, but probably less intrusive than other
> options.  (I'm not sure the raw request buffer is still available at
> this stage, though.)

Still not something useful for slapo-accesslog - we're storing log info as 
LDAP attributes. We can't store reqDN if the DN has invalid syntax. We can't 
store reqMod values if the attributetype is unknown or the values are invalid. 
When a request fails validation it's literally garbage, and toxic - cannot be 
considered safe to preserve in a DB.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#7863) Invalid DN syntax (34) not written by slapo-accesslog
Next by Date: Re: (ITS#7863) Invalid DN syntax (34) not written by slapo-accesslog
Index(es):
- Chronological
- Thread