Re: (ITS#6163) back-sql DoS when searching for empty attr
by masarati@aero.polimi.it
The bug is in the fact that (cn=) is an invalid filter, because cn's
syntax is directoryString, which does not allow the empty string. As
such, the filter evaluates to undefined, and this is not properly handled
by back-sql. A fix is in HEAD, please test (you only need to patch
back-sql/search.c and the patch should apply to almost any OpenLDAP 2.4
version).
p.
14 years, 4 months
Re: (ITS#6217) proxycache not returning cached data
by masarati@aero.polimi.it
As far as I recall, this is a known issue, although I could not locate
early postings discussing this issue. What happens is that proxy cache
makes use of the first item in the filter to discriminate between
responses. In your filter template, the first item is the objectClass
equality, which means that any filter with that objectClass value,
regardless of the uid value, is treated as a duplicate of the first one.
If you reverse the order of the equality filters you'll get the expected
behavior. There should be another open ITS for this issue, but I can't
locate it right now.
p.
14 years, 4 months
Re: (ITS#6152) proxycache enhancements
by hyc@symas.com
masarati(a)aero.polimi.it wrote:
> Just in case, before it becomes totally incompatible with HEAD code, I
> have a patch I never committed, it's about making pcache admin-friendly if
> it makes any sense.
>
> It adds:
>
> - a (persistent) counter that reports, for each query, how many times it
> evaluated to answerable
>
> - "proxycache-" prefixed statements are passed to the private database.
> This allows to avoid ambiguities when applying general database directives
> in slapd.conf. In fact, it is not clear whether they apply to the proxy
> database or to the cache database.
>
> If they make sense, I'd like to commit them before slapo-pcache
> enhancement begins.
Go ahead!
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
14 years, 4 months