
(ITS#8061) Base object returned when searching with scope: singleLevel (1) when using mdb backend and paged results



Full_Name: Frederic Jacquot
Version: 2.4.40
OS: Ubuntu 14.04.1 LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.214.252.20)


Hi,

I think I discovered a bug with OpenLDAP 2.4.40, using an mdb backend.

If you do a simple search request with no pagination and a SingleLevel (1)
scope, everything is ok. But if you enable pagination for the same search, the
base will also be returned in the search results. This breaks RFC 4511,
paragraph 4.5.1.2 (SearchRequest.scope):

"singleLevel: The scope is constrained to the immediate subordinates of the
entry named by baseObject."

To reproduce the problem, I compiled a fresh OpenLDAP 2.4.40 with --enable-mdb.
I then created a root entry:

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: my-domain

You can now compare search results.
This is for a simple search:

ldapsearch -s one -h localhost -b "dc=my-domain,dc=com" -w secret -D "cn=Manager,dc=my-domain,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

Which is ok.
This is the same query with paged results enabled:

ldapsearch -s one -h 134.214.182.252 -b "dc=my-domain,dc=com" -w secret -D "cn=Manager,dc=my-domain,dc=com" -E pr=100
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope oneLevel
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults control: size=100
#

# my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: my-domain

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MAUCAQAEAA==
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

The base object is returned, but shouldn't be.

This behaviour shows an endless recursive directory hierarchy in some LDAP
browsers (sometimes crashing them). It can also create endless loops in some
applications querying the LDAP server (Canon Uniflow in my case).

Regards,

Frederic Jacquot
INSA Lyon
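
Added example, not part of the original report and not OpenLDAP code: a Python check that parses `ldapsearch` output and lists every returned DN that is not an immediate subordinate of the base, which is the singleLevel condition the report shows being violated. It relies on the `# base <...> with scope ...` comment header seen in the output above; the DN normalisation is a simplifying assumption, and the `ou=People` entry in the sample is constructed.

```python
import base64
import re

def norm_dn(dn):
    """Crude DN normalisation: split on unescaped commas, trim, lowercase.
    Assumption: adequate for simple DNs; this is not a full RFC 4514 parser."""
    parts = re.split(r"(?<!\\),", dn)
    return tuple(p.strip().lower() for p in parts if p.strip())

def parse(output):
    """Return (base_dn, scope, [entry DNs]) from ldapsearch extended-LDIF output."""
    base = scope = None
    dns = []
    # LDIF folds long lines; a continuation line starts with a single space.
    for line in re.sub(r"\r?\n ", "", output).splitlines():
        m = re.match(r"# base <(.*)> with scope (\w+)", line)
        if m:
            base, scope = m.group(1), m.group(2)
        elif line.startswith("dn:: "):      # base64-encoded DN
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return base, scope, dns

def scope_violations(output):
    """DNs a one-level search must not return: the base itself, or anything
    deeper than one RDN below it."""
    base, scope, dns = parse(output)
    if scope != "oneLevel":
        raise ValueError("not a one-level search: %r" % scope)
    b = norm_dn(base)
    # An immediate subordinate is exactly one RDN followed by the base DN.
    return [dn for dn in dns if norm_dn(dn)[1:] != b]

# Sample input: the base entry as returned in the report's paged search, plus
# one constructed child entry (ou=People) whose dn line is folded.
SAMPLE = """\
# base <dc=my-domain,dc=com> with scope oneLevel

# my-domain.com
dn: dc=my-domain,dc=com
dc: my-domain

dn: ou=People,dc=my-
 domain,dc=com
ou: People
"""

print(scope_violations(SAMPLE))
```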