openldap-bugs

openldap-bugs@openldap.org

1 participants
20964 discussions

Re: (ITS#5472) ldap_get_values() should handle paged results from LDAP/AD
by Kurt＠OpenLDAP.org 26 Jan '11

26 Jan '11

On Jan 26, 2011, at 9:15 AM, masarati(a)aero.polimi.it wrote: > The complexity of handling this nonsense in libldap seems not worth = the > effort; Ando, you are too kind to refer this extension as 'nonsense'. It's = worse than nonsense, it's crap. The spec you pointed at says: "LDAP servers often place limits on the = maximum number of attribute values that can be retrieved in a single = query." The spec fails to say why would a server want to do that. I = cannot think of any good reason to do precisely that. While I can = understand a desire to place limits on what clients can retrieve, I = don't see why one would distinguish between a single query and a set of = queries. I can also see it desirable to allow a client to page through = results (but that's a different matter, this is about forcing paging = onto clients). It is incredibly stupid to require clients to use multiple operations to = obtain information for which the protocol allowed to be fetched in a = single operation, and this is why I refer to this as "crap". A major problem with paging, whether server-forced or at client-option, = is result set coherency due to changes to the DIT between when various = page operations are obtain. This can lead to problems such a member of = a group not appearing in the results. While one might argue client = might be able to reasonable deal with coherency issues, most client = developers won't. This will lead to a range of security issues creeping = into directory applications. So while I don't generally oppose introduction of paging extensions at = the client option, I think the specifications should warn that the = clients using them need to be designed to handle data coherency issues. = However, most designers of such extensions seem to have put no thought = into this issue at all. I do generally oppose introduction of non-truly optional extensions in = LDAP (and in other application protocols). One would think that a = requirement that extensions to a protocol be truely optional would go = without saying, but in IETF we actually found it necessary to explicitly = state this in the BCP governing LDAP extensions. That BCP will effectively stop non-truly optional extension proposal as = this from gaining Standard Track status in the IETF. > I think we might consider working this around in proxy backends > (much like we did for unsolicited paged results response in back-meta, > ITS#6664, which could be added to back-ldap as well). I would think it easier to reconfigure AD not to have the limits which = cause this sort of paging. > I don't think implementing something that requires a theoretically > unbounded number of nested search requests for each attribute value = that > contains a range in each SearchResultEntry message makes sense. >=20 > The parallel with referrals is not appropriate, since referrals are = part > of LDAP specification; also, please note that automatic referral = chasing > is strongly discouraged unless the transport layer is protected = (Section 6 > of RFC 4511). >=20 > p.

1 0

ITS#5472
by masarati＠aero.polimi.it 26 Jan '11

26 Jan '11

For future reference, if needed: <http://msdn.microsoft.com/en-us/library/aa367017(v=vs.85).aspx>

1 0

Re: (ITS#5472) ldap_get_values() should handle paged results from LDAP/AD
by masarati＠aero.polimi.it 26 Jan '11

26 Jan '11

> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I'd like to reopen the discussion on this issue. We're hitting this same > problem with the SSSD when dealing with ActiveDirectory. It really > doesn't make sense to me that every consumer of the OpenLDAP libraries > should be required to reimplement this (admittedly incorrect) extension > to ActiveDirectory. > > As Petter suggested in his comment from April 21, 2008, ActiveDirectory > provides a server control to identify that the feature is in play. > > I feel that it would be beneficial to OpenLDAP's library consumers if > they handled range lookups automatically and internally, similar to the > way that referrals are chased. > > Consumers of the OpenLDAP API should be able to reliably assume that if > they ask for the set of values for an attribute of a completed request, > that they will get back all of the values. > > Please reconsider adding this support into OpenLDAP. The complexity of handling this nonsense in libldap seems not worth the effort; I think we might consider working this around in proxy backends (much like we did for unsolicited paged results response in back-meta, ITS#6664, which could be added to back-ldap as well). I don't think implementing something that requires a theoretically unbounded number of nested search requests for each attribute value that contains a range in each SearchResultEntry message makes sense. The parallel with referrals is not appropriate, since referrals are part of LDAP specification; also, please note that automatic referral chasing is strongly discouraged unless the transport layer is protected (Section 6 of RFC 4511). p.

1 0

Re: (ITS#5472) ldap_get_values() should handle paged results from LDAP/AD
by sgallagh＠redhat.com 26 Jan '11

26 Jan '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'd like to reopen the discussion on this issue. We're hitting this same problem with the SSSD when dealing with ActiveDirectory. It really doesn't make sense to me that every consumer of the OpenLDAP libraries should be required to reimplement this (admittedly incorrect) extension to ActiveDirectory. As Petter suggested in his comment from April 21, 2008, ActiveDirectory provides a server control to identify that the feature is in play. I feel that it would be beneficial to OpenLDAP's library consumers if they handled range lookups automatically and internally, similar to the way that referrals are chased. Consumers of the OpenLDAP API should be able to reliably assume that if they ask for the set of values for an attribute of a completed request, that they will get back all of the values. Please reconsider adding this support into OpenLDAP. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1AQQgACgkQeiVVYja6o6OACwCgg4t5Mm54X+ohYzhvG9fRBMTb gO4An0j/152a0PHFMTxTIuQ6kamlcsFb =3a3m -----END PGP SIGNATURE-----

1 0

Re: (ITS#6752) slapo-dynlist issues
by h.b.furuseth＠usit.uio.no 25 Jan '11

25 Jan '11

Charles Owens writes: > Would you characterize this as being a fix for stability, performance, > or some of both? Both, plus code cleanup with no user-visible effect. HEAD dynlist.c rev 1.72 = performance & cleanup, 1.73-1.74 = fixes, 1.75 = cleanup. If you're cherry-picking recent changes, you might as well grab the fix 1.76 for ITS#6758 as well. -- Hallvard

1 0

Re: (ITS#6803) LDAP Server
by quanah＠zimbra.com 24 Jan '11

24 Jan '11

--On Sunday, January 23, 2011 12:09 PM +0000 kashif.hameed(a)vopium.com wrote: > Full_Name: Kashif Hameed > Version: 2.3.8 > OS: centos5.5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (203.215.176.22) > > > I am installing and configuring ldap server with authentication samba but > i am unable to do this because with samba authentication it will return > error > > /usr/sbin/smbldap-passwd: user root doesn't exist > > so could any one help me regarding this issue The OpenLDAP project is not the Samba project. Samba questions should be directed to the Samba project. This ITS will be closed. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

(ITS#6804) 'self' access modifier only works for first entry
by djpohly＠gmail.com 23 Jan '11

23 Jan '11

Full_Name: Devin J. Pohly Version: 2.4.23 OS: Linux URL: http://openldap.pastebin.com/gvswpxLX Submission from: (NULL) (98.235.33.55) Description: I have set up an LDAP directory which contains users and flat groups (groupOfNames/member style). I want to use the access controls to only allow users to see their own groups and membership, so I defined the following controls: access to dn.onelevel="ou=group,o=org" attrs=entry by dnattr=member read access to dn.onelevel="ou=group,o=org" attrs=member by dnattr=member selfread Steps to reproduce: 1. Start a new instance of OpenLDAP with the slapd.conf file provided at <http://openldap.pastebin.com/gvswpxLX> and an empty database. 2. Get grouptest.ldif from <http://openldap.pastebin.com/X1DUyGmf> and add it to the directory: ldapadd -x -H $LDAPURI -D uid=admin,o=org -w admin -f grouptest.ldif This creates two users, foo and bar, and two groups, g1 and g2. Each user is in both groups. 3. Compare the outputs of: ldapsearch -x -H $LDAPURI -D uid=foo,ou=user,o=org -w foo -b ou=group,o=org ldapsearch -x -H $LDAPURI -D uid=bar,ou=user,o=org -w bar -b ou=group,o=org Expected results: Foo's query shows "member: foo" for both g1 and g2. Bar's query shows "member: bar" for both g1 and g2. Actual results: Foo's query shows "member: foo" for both g1 and g2. Bar's query does not show any member attributes. Note: Changing the order in which the users are listed changes the behavior; only the first user listed matches 'self'. Changing the 'selfread' privilege to 'read' behaves correctly: both queries display both users' memberships in the groups. So the problem lies somewhere in the way the 'self' modifier is implemented.

1 0

(ITS#6803) LDAP Server
by kashif.hameed＠vopium.com 23 Jan '11

23 Jan '11

Full_Name: Kashif Hameed Version: 2.3.8 OS: centos5.5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (203.215.176.22) I am installing and configuring ldap server with authentication samba but i am unable to do this because with samba authentication it will return error /usr/sbin/smbldap-passwd: user root doesn't exist so could any one help me regarding this issue Thanks

1 0

Re: (ITS#6794) slapadd -q problems on glued databases
by Ralf Haferkamp 21 Jan '11

21 Jan '11

I just committed a fix and a testcase (to the regression directory) for this to HEAD. Please test.

1 0

(ITS#6802) Patch - Mozilla NSS - restart modules before NSS_Init after a fork()
by rmeggins＠redhat.com 21 Jan '11

21 Jan '11

Full_Name: Rich Megginson Version: 2.4.23 (current CVS HEAD) OS: RHEL6 URL: ftp://ftp.openldap.org/incoming/openldap-2.4.23-secmod-restartmodules-20110… Submission from: (NULL) (76.113.111.209) NSS enforces the pkcs11 requirement that modules should be unloaded after a fork() - since there is no portable way to determine if NSS has been already initialized in a parent process, we just call SECMOD_RestartModules with force == FALSE before doing any NSS initialize calls - if the module has been unloaded due to a fork, it will be reloaded, otherwise, it is a no-op. These patch files are derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Rich Megginson am authorized by Red Hat, my employer, to release this work under the following terms. Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs