Re: Search Base (ITS#490)
Redirected to devel for discussion purposes...
At 06:59 PM 3/30/00 GMT, adamson@andrew.cmu.edu wrote:
> I was asking on the developer's list about how OpenLDAP should handle
>requests that come in that have a NULL searchbase.
With 2.0:
  with scope base should access the RootDSE.
  with scope one should access each entry at the root of namingContexts
    which have one component (i.e.: "dc=com", "c=US") DN.
  with scope sub should access all entries within a namingContext which
    has a one component (i.e.: "dc=com", "c=US") DN.
If the scope is not base and no namingContext has a one component
DN, then the search MUST return NoSuchObject.
All other operations should act upon the RootDSE itself.
>It was recommended to
>me to look into the fix that involves LDAP_ALLOW_NULL_SEARCH_BASE in
>servers/slapd/backends.c
LDAP_ALLOW_NULL_SEARCH_BASE is an unsupported hack as enabling such
breaks the X.500 model. However, I don't mind committing changes
to this hack to make it do what folks want it to do.
> I did look into it, and that fix doesn't work.
Just don't call it a fix. It's a hack which is specifically
designed to break slapd to work around broken clients. [In
particular, it will hose superior referrals.]
I suggest all users seek fixes from their vendors.
>do_search() will call
>select_backend() and get a default backend pointer in return, but the
>normalized search base "nbase" is still a 0 length string. This gets
>passed into the back end search function, e.g. ldbm_back_search(), and
>will result in a failure.
>
> A NULL or 0 length search base would need to be changed into a valid DN
>as soon as it is BERdecoded out of the request. This would be done for
>each do_ function that is to accept these bogus requests. I appended an
>example for doing this in do_search().
>
> Mind you, I'm still opposed to supporting clients that send these
>broken requests, but that's a personal decision. I wanted to point out
>here that the NULL_SEARCH_BASE fix was still failing to fix the problem
>for me.
>
>
>-Mark Adamson
> Carnegie Mellon
>
>
>
>
>in do_search(), servers/slapd/search.c:
>
>
>+ #ifdef LDAP_ALLOW_NULL_SEARCH_BASE
>+ /* addition for CE machines that send NULL search base */
>+ if ( (base == NULL) || (base[0] == '\0') ) {
>+ if ( nbackends ) {
>+ if ( base ) free( base );
>+ base = ch_strdup( backends[0].be_nsuffix[0] );
>+ }
>+ }
>+ #endif
>+
> nbase = ch_strdup( base );
>
> if( dn_normalize( nbase ) == NULL ) {
> send_ldap_result( conn, op, LDAP_INVALID_DN_SYNTAX,
> NULL, "invalid DN", NULL, NULL );
> rc = -1;
> goto return_results;
> }
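Review bot: In the added LDAP_ALLOW_NULL_SEARCH_BASE block, backends[0].be_nsuffix[0] is read after checking only nbackends; nothing in the hunk confirms that the first backend has a suffix configured, so test be_nsuffix and its first entry for NULL before the ch_strdup. When nbackends is zero, base is left as it was, and if it is NULL the unchanged nbase = ch_strdup( base ) that follows still receives it. The substitution also applies to every scope, so a base-scope search with an empty base, which the reply above says should reach the RootDSE, would be redirected to the first backend's first suffix; consider limiting it to non-base scopes and saying in the comment that the first configured suffix is the one used.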
>
>
>
>
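The empty-base rules listed in the reply above (RootDSE for scope base, one-component naming contexts for scope one and sub, NoSuchObject otherwise), as an added C example that is not OpenLDAP code and not part of the original thread. The names dn_components, empty_base_targets and SAMPLE_CTX are hypothetical, the sample naming contexts are constructed, and the component count handles only backslash escapes.

```c
#include <stdio.h>
#include <stddef.h>

/* Protocol-defined LDAP result codes and search scopes. */
#define LDAP_SUCCESS        0x00
#define LDAP_NO_SUCH_OBJECT 0x20
#define LDAP_SCOPE_BASE     0
#define LDAP_SCOPE_ONELEVEL 1
#define LDAP_SCOPE_SUBTREE  2

/* Number of RDN components in a DN; a backslash-escaped ',' is data. */
static int dn_components(const char *dn)
{
    int n;
    if (dn == NULL || *dn == '\0') return 0;
    for (n = 1; *dn != '\0'; dn++) {
        if (*dn == '\\' && dn[1] != '\0') dn++;   /* skip escaped char */
        else if (*dn == ',') n++;
    }
    return n;
}

/* Hypothetical helper: targets of a search whose base is empty.
 * Sets *rootdse for scope base; otherwise copies the one-component
 * naming contexts into out[] (scope one: those entries themselves,
 * scope sub: everything beneath them). Returns an LDAP result code. */
static int empty_base_targets(int scope, const char **ctx, size_t nctx,
                              const char **out, size_t *nout, int *rootdse)
{
    size_t i;
    *nout = 0;
    *rootdse = (scope == LDAP_SCOPE_BASE);
    if (*rootdse) return LDAP_SUCCESS;
    for (i = 0; i < nctx; i++)
        if (dn_components(ctx[i]) == 1) out[(*nout)++] = ctx[i];
    return *nout ? LDAP_SUCCESS : LDAP_NO_SUCH_OBJECT;
}

/* Constructed sample naming contexts, not taken from the thread. */
static const char *SAMPLE_CTX[] = { "dc=example,dc=com", "c=US", "o=Acme\\, Inc" };

int main(void)
{
    const char *out[3]; size_t n; int root;
    int rc = empty_base_targets(LDAP_SCOPE_SUBTREE, SAMPLE_CTX, 3, out, &n, &root);
    printf("rc=%d targets=%zu\n", rc, n);
    return 0;
}
```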