Re: Search Base (ITS#490)



Redirected to devel:

Redirected to devel for discussion purposes...

At 06:59 PM 3/30/00 GMT, adamson@andrew.cmu.edu wrote:
>   I was asking on the developer's list about how OpenLDAP should handle
>requests that come in that have a NULL searchbase.

With 2.0:

with scope base should access the RootDSE.
with scope one should access each entry at the root of namingContexts
which have one component (ie: "dc=com", "c=US") DN.
with scope sub should access all entries within a namingContext which
has a one component (ie: "dc=com", "c=US") DN.

If the scope is not base and no namingContext has a one component
DN, then the search MUST return NoSuchObject.

All other operations should act upon the RootDSE itself.

>It was recommended to
>me to look into the fix that involves LDAP_ALLOW_NULL_SEARCH_BASE in
>servers/slapd/backends.c

LDAP_ALLOW_NULL_SEARCH_BASE is an unsupported hack as enabling such
breaks the X.500 model.  However, I don't mind committing changes
to this hack to make it do what folks want it to do.

>   I did look into it, and that fix doesn't work.

Just don't call it a fix.  It's a hack which is specifically
designed to break slapd to work around broken clients.  [In
particular, it will hose superior referrals.]

I suggest all users seek fixes from their vendors.

>do_search() will call
>select_backend() and get a default backend pointer in return, but the
>normalized search base "nbase" is still a 0 length string. This gets
>passed into the back end search function, e.g. ldbm_back_search(), and
>will result in a failure.
>
>   A NULL or 0 length search base would need to be changed into a valid DN
>as soon as it is BERdecoded out of the request.  This would be done for
>each do_ function that is to accept these bogus requests. I appended some
>example for doing this in do_search().
>
>   Mind you, I'm still opposed to supporting clients that send these 
>broken requests, but that's a personal decision. I wanted to point out
>here that the NULL_SEARCH_BASE fix was still failing to fix the problem
>for me.
>
>
>-Mark Adamson
> Carnegie Mellon
>
>
>
>
>in do_search(), servers/slapd/search.c:
>
>
>+ #ifdef LDAP_ALLOW_NULL_SEARCH_BASE
>+ 	/* addition for CE machines that send NULL search base */
>+ 	if ( (base == NULL) || (base[0] == '\0') ) {
>+ 		if ( nbackends ) {
>+ 			if ( base ) free( base );
>+ 			base = ch_strdup( backends[0].be_nsuffix[0] );
>+ 		}
>+ 	}
>+ #endif
>+ 
>	nbase = ch_strdup( base );
>
>	if( dn_normalize( nbase ) == NULL ) {
>		send_ldap_result( conn, op, LDAP_INVALID_DN_SYNTAX,
>			NULL, "invalid DN", NULL, NULL );
>		rc = -1;
>		goto return_results;
>	}
>
>
>
>
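
The 2.0 handling of an empty search base described in the reply above, sketched as an added example; this is not OpenLDAP code and not part of the original thread. The enum names, dn_components() and empty_base_target() are hypothetical, and the namingContexts list is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Names below are hypothetical, chosen for this example only. */
enum scope  { SCOPE_BASE, SCOPE_ONE, SCOPE_SUB };
enum target { TARGET_ROOT_DSE, TARGET_CONTEXTS, TARGET_NO_SUCH_OBJECT };

/* Count RDN components in a DN string. Separators that are
 * backslash-escaped or inside a quoted value do not split the DN.
 * An empty or NULL DN has zero components. */
static int dn_components(const char *dn)
{
    int n = 1, quoted = 0;
    if (dn == NULL || *dn == '\0') return 0;
    for (; *dn; dn++) {
        if (*dn == '\\' && dn[1] != '\0') { dn++; continue; }
        if (*dn == '"') quoted = !quoted;
        else if (!quoted && (*dn == ',' || *dn == ';')) n++;
    }
    return n;
}

/* Decide how a search with an empty base is answered.
 * base scope: the RootDSE. one/sub scope: every namingContext whose
 * suffix is a one-component DN (its root entry for "one", all of its
 * entries for "sub"); matched[i] is set to 1 for each such context.
 * If none qualifies, the search returns NoSuchObject. */
static enum target empty_base_target(enum scope scope,
        const char *const *contexts, size_t nctx, int *matched)
{
    size_t i;
    int any = 0;
    for (i = 0; i < nctx; i++) matched[i] = 0;
    if (scope == SCOPE_BASE) return TARGET_ROOT_DSE;
    for (i = 0; i < nctx; i++)
        if (dn_components(contexts[i]) == 1) { matched[i] = 1; any = 1; }
    return any ? TARGET_CONTEXTS : TARGET_NO_SUCH_OBJECT;
}

/* Constructed sample namingContexts, not taken from any real server. */
static const char *const sample_ctx[] =
    { "dc=example,dc=com", "c=US", "o=Acme\\, Inc" };
static int sample_hit[3];

int main(void)
{
    enum target t = empty_base_target(SCOPE_ONE, sample_ctx, 3, sample_hit);
    printf("target=%d hits=%d%d%d\n", (int)t,
           sample_hit[0], sample_hit[1], sample_hit[2]);
    return 0;
}
```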