
Re: (ITS#6545) delta-syncrepl rejects modification master accepted



ondra@mistotebe.net wrote:
> On Wed, Apr 05, 2017 at 04:14:12PM +0200, Michael Ströder wrote:
>> ondra@mistotebe.net wrote:
>>> On Wed, Apr 05, 2017 at 07:32:46AM -0400, Frank Swasey wrote:
>>>> Thanks for the patch to provide a test script that just shows the same
>>>> thing.
>>>>
>>>> I see two possible solutions:
>>>>
>>>>  1) replacing the same attribute twice in the same modify LDIF is illegal
>>>> (as it was in older releases)
>>>
>>> AFAIK, LDAP doesn't forbid it so I don't see that going away.
>>
>> Yes, there's no text in RFC 4511 which forbids this:
>> https://tools.ietf.org/html/rfc4511#section-4.6
>>
>> However personally I consider LDAP clients sending modify requests like this to be
>> broken/mis-behaving. (And I'd like to know which LDAP clients were causing this ITS.)
> 
> I'm not saying it's common or good practice ;)
> 
>> => There could be a slapd per-backend configuration directive to disallow it with a
>> strong hint in the docs recommending to disallow it when using delta-syncrepl.
>>
>> Suggestion:
>> disallow mod_attr_repeated
> 
> In my view, that's more pain than it's worth.

Hmm, I think slapd should be able to disallow a crazy modify request like this:

dn: cn=foobar,dc=example,dc=com
changetype: modify
replace: description
description: foobar1
-
replace: description
description: foobar2
-
..
replace: description
description: foobar1000
-

Ciao, Michael.
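
Added example, not part of the original message and not OpenLDAP code: a pre-flight check over a change LDIF that reports modify records naming the same attribute in more than one modification, the request shape discussed in this thread, so it can be caught before it reaches a delta-syncrepl provider. The names `unfold` and `repeated_mods` and the sample record are constructed for illustration.

```python
from collections import Counter

MOD_OPS = {"add", "delete", "replace", "increment"}

def unfold(text):
    """Join RFC 2849 continuation lines (leading space) and drop comment lines."""
    out, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if not in_comment and out and out[-1]:
                out[-1] += raw[1:]          # continuation of the previous line
            continue
        in_comment = raw.startswith("#")
        if not in_comment:
            out.append(raw)
    return out

def repeated_mods(ldif_text):
    """Map DN -> {attribute: count} for modify records that repeat an attribute."""
    findings, dn, is_modify, expect_op, counts = {}, None, False, False, Counter()
    for line in unfold(ldif_text) + [""]:   # trailing "" flushes the last record
        key, _, value = (part.strip() for part in line.partition(":"))
        if line == "":
            repeats = {attr: n for attr, n in counts.items() if n > 1}
            if dn is not None and repeats:
                findings[dn] = repeats      # DN is reported as written, not decoded
            dn, is_modify, expect_op, counts = None, False, False, Counter()
        elif key.lower() == "dn":
            dn = value
        elif key.lower() == "changetype":
            is_modify = expect_op = value.lower() == "modify"
        elif is_modify and line == "-":
            expect_op = True                # the next line names the next modification
        elif is_modify and expect_op and key.lower() in MOD_OPS:
            counts[value.lower()] += 1      # attribute names compare case-insensitively
            expect_op = False
    return findings

# Constructed sample input: one modify record that replaces "description" twice.
SAMPLE = """\
dn: cn=foobar,dc=example,dc=com
changetype: modify
replace: description
description: foobar1
-
replace: Description
description: foobar2
-
"""
```

`repeated_mods(SAMPLE)` returns the DN with `description` counted twice; an empty dict means no record in the file repeats an attribute.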