RE: back-dnssrv
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Pierangelo Masarati
> >> > back-dnssrv seems to be lately broken.
> >> > Secondly, rs->sr_ref is uninitialized, which causes a further
> >> > assertion failure in send_ldap_response().
> >
> > This is very odd. None of the other backends have a problem with this,
> > and the SlapReply is exactly the same for all the code since it's only
> > initialized in one place, connection_operation().
> >>
> >> I'll have a look at it; probably the new ABI upgrade left over
> >> some typos/flaws.
>
> I applied a couple of fixes, which are blind because I don't
> have access to dns here. Please check.
I think we need to find out how an uninitialized SlapReply found its way into
this search function. That should cause problems for all the code, not just
back-dnssrv/search.c. Setting rs->sr_ref to NULL here is only masking the
real bug.
> I note that the compare
> function also asserted manageDSAit, but it is not set in the
> bi_info structure because it's not implemented; I don't know
> if it'll ever be useful, so I don't think we need to implement it.
Right, I have no idea what was ever intended for it. If it's never going to
be implemented we should just cvs rm the file. Kurt?
> I'd also like to integrate back-dnssrv into back-ldap, so that
> it can be configured with (empty?) suffix and default uri, and
> try to resolve the actual URI, but chasing the referral on behalf
> of the client, resorting to the default URI in case of no match.
> Maybe this operation might be stacked on top of back-ldap ...
Sounds like a good approach. But there are security considerations here as
far as how the referral should be chased. Since dnssrv can return a referral
to basically any LDAP server in the world, we should never use the current
"rebind-as-user" code. The chain config should have a set of URIs for which
mutual trust exists, with credentials for binding to each of them. Any other
URIs are by definition untrusted, and should be chased anonymously.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
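The bind policy sketched in the message above, as an added example that is not OpenLDAP code and not part of this thread: a referral obtained from a DNS SRV lookup can name any LDAP server, so stored credentials are handed out only for an exact host:port match against an explicit trust table, and every other target (including any URI that fails to parse) is chased anonymously. The trust table contents, the bind DNs and passwords, and the function names are assumptions made for illustration; the table stands in for the "chain" configuration section the message proposes.

```c
/*
 * Added example, not OpenLDAP code. A referral-chasing bind policy that
 * fails closed: credentials only for an exact host:port match in an
 * explicit trust table, anonymous otherwise. Table contents, DNs,
 * passwords and function names are assumptions for illustration.
 */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct trusted_server {
    const char *host;    /* DNS name, compared case-insensitively */
    int         port;    /* must match exactly; no wildcard */
    const char *binddn;  /* identity used when chaining to this server */
    const char *cred;    /* its password (constructed placeholder) */
};

/* Constructed trust table standing in for a "chain" config section. */
static const struct trusted_server trust_table[] = {
    { "ldap.example.com",  389, "cn=chain,dc=example,dc=com", "placeholder-1" },
    { "ldap2.example.com", 636, "cn=chain,dc=example,dc=com", "placeholder-2" },
};

struct bind_decision {
    int         anonymous;  /* 1: chase with no credentials at all */
    const char *binddn;     /* set only when anonymous == 0 */
    const char *cred;
};

/* Case-insensitive whole-string compare (DNS names are case-insensitive). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive prefix test; on success *len is the prefix length. */
static int ci_prefix(const char *s, const char *prefix, size_t *len)
{
    size_t i;
    for (i = 0; prefix[i]; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    *len = i;
    return 1;
}

/* Parse ldap[s]://host[:port][/...] into host and port. 0 on success.
 * Bracketed IPv6 literals are not handled and are rejected as malformed. */
int parse_ldap_uri(const char *uri, char *host, size_t hostlen, int *port)
{
    size_t skip, n;
    int default_port;
    const char *p;

    if (ci_prefix(uri, "ldap://", &skip))       default_port = 389;
    else if (ci_prefix(uri, "ldaps://", &skip)) default_port = 636;
    else return -1;                              /* unknown scheme */

    p = uri + skip;
    n = strcspn(p, ":/");
    if (n == 0 || n >= hostlen)
        return -1;                               /* empty or oversized host */
    memcpy(host, p, n);
    host[n] = '\0';
    p += n;

    if (*p == ':') {
        char *end;
        long v = strtol(p + 1, &end, 10);
        if (end == p + 1 || v <= 0 || v > 65535 || (*end != '\0' && *end != '/'))
            return -1;                           /* malformed port */
        *port = (int)v;
    } else {
        *port = default_port;
    }
    return 0;
}

/* Policy decision for one referral URI. Anything that is not an exact
 * host:port match against the trust table is chased anonymously. */
struct bind_decision decide_referral_bind(const char *uri)
{
    struct bind_decision d = { 1, NULL, NULL };
    char host[256];
    int port;
    size_t i;

    if (parse_ldap_uri(uri, host, sizeof host, &port) != 0)
        return d;
    for (i = 0; i < sizeof trust_table / sizeof trust_table[0]; i++) {
        if (ci_equal(host, trust_table[i].host) && port == trust_table[i].port) {
            d.anonymous = 0;
            d.binddn = trust_table[i].binddn;
            d.cred = trust_table[i].cred;
            return d;
        }
    }
    return d;
}
```

The comparison is deliberately whole-host and exact-port: a referral to ldap.example.com.evil.org must not inherit the trust of ldap.example.com, and a trusted host reached on an unexpected port is treated as a different server. A production version would also need to handle bracketed IPv6 hosts and should treat a trust entry's credentials as sensitive configuration, not string literals.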