
RE: back-dnssrv



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Pierangelo Masarati

> >> > back-dnssrv seems to be lately broken.

> >> > Secondly, rs->sr_ref is uninitialized, which causes a further
> >> > assertion failure in send_ldap_response().
> >
> > This is very odd. None of the other backends have a problem
> > with this, and the SlapReply is exactly the same for all the code
> > since it's only initialized in one place, connection_operation().
> >>
> >> I'll have a look at it; probably the new ABI upgrade left over
> >> some typos/flaws.
>
> I applied a couple of fixes, which are blind because I don't
> have access to dns here.  Please check.

I think we need to find out how an uninitialized SlapReply found its way into
this search function. That should cause problems for all the code, not just
back-dnssrv/search.c. Setting rs->sr_ref to NULL here is only masking the
real bug.

> I note that the compare
> function also asserted manageDSAit, but it is not set in the
> bi_info structure because it's not implemented; I don't know
> if it'll ever be useful, so I don't think we need to implement it.

Right, I have no idea what was ever intended for it. If it's never going to
be implemented we should just cvs rm the file. Kurt?

> I'd also like to integrate back-dnssrv into back-ldap, so that
> it can be configured with (empty?) suffix and default uri, and
> try to resolve the actual URI, but chasing the referral on behalf
> of the client, resorting to the default URI in case of no match.

> Maybe this operation might be stacked on top of back-ldap ...

Sounds like a good approach. But there are security considerations here as
far as how the referral should be chased. Since dnssrv can return a referral
to basically any LDAP server in the world, we should never use the current
"rebind-as-user" code. The chain config should have a set of URIs for which
mutual trust exists, with credentials for binding to each of them. Any other
URIs are by definition untrusted, and should be chased anonymously.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
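As an added illustration of the referral-chasing policy described above (example code, not OpenLDAP's; the trust table, hostnames and credentials are constructed), the following Python resolver normalizes an LDAP URI to (scheme, host, port), binds with configured credentials only to servers in the mutual-trust set, and falls back to an anonymous bind for everything else, so the client's own credentials are never forwarded:

```python
# Added example (not OpenLDAP code): a referral-chasing policy of the kind
# discussed in the thread. Servers in the trust set get their own configured
# bind identity; every other server is chased anonymously; the client's own
# credentials are never reused ("rebind-as-user" is deliberately absent).
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed trust table: normalized (scheme, host, port) -> (bind DN, password).
TRUSTED = {
    ("ldap", "ldap1.example.org", 389): ("cn=chain,dc=example,dc=org", "s3cret-1"),
    ("ldaps", "ldap2.example.org", 636): ("cn=chain,dc=example,dc=org", "s3cret-2"),
}


def normalize(uri):
    """Reduce an LDAP URI to (scheme, host, port) so that
    ldap://LDAP1.example.org and ldap://ldap1.example.org:389/ compare equal.
    Only the authority part matters for trust; DN, attrs, scope and filter
    after the first '/' are ignored."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URI: %r" % uri)
    host = (parts.hostname or "").lower()  # hostname is already lowercased
    if not host:
        raise ValueError("LDAP URI without host: %r" % uri)
    port = parts.port or DEFAULT_PORTS[scheme]  # raises on a non-numeric port
    return (scheme, host, port)


def bind_for_referral(uri, trusted=TRUSTED):
    """Return the (bind_dn, password) to use when chasing `uri`.
    (None, None) means an anonymous bind.  A server that matches only on
    host but not on scheme or port is NOT trusted: a plain-ldap referral to a
    host we trust only over ldaps is still chased anonymously."""
    key = normalize(uri)
    return trusted.get(key, (None, None))


if __name__ == "__main__":
    for ref in ("ldap://LDAP1.example.org:389/dc=example,dc=org??sub",
                "ldap://ldap2.example.org/", "ldap://somewhere.example.net/"):
        print(ref, "->", bind_for_referral(ref))
```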