Full_Name: Frederic Jacquot
Version: 2.4.40
OS: Ubuntu 14.04.1 LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.214.252.20)

Hi,
I think I discovered a bug with OpenLDAP 2.4.40, using an mdb backend.
If you do a simple search request with no pagination and a SingleLevel (1) scope, everything is ok. But if you enable pagination for the same search, the base will also be returned in the search results. This breaks RFC 4511, paragraph 4.5.1.2 (SearchRequest.scope):
"singleLevel: The scope is constrained to the immediate subordinates of the entry named by baseObject."
To reproduce the problem, I compiled a fresh OpenLDAP 2.4.40 with --enable-mdb. I then created a root entry:

    dn: dc=my-domain,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: my-domain
    o: my-domain

You can now compare search results. This is for a simple search:

    ldapsearch -s one -h localhost -b "dc=my-domain,dc=com" -w secret -D "cn=Manager,dc=my-domain,dc=com"
    # extended LDIF
    #
    # LDAPv3
    # base <dc=my-domain,dc=com> with scope oneLevel
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

Which is ok. This is the same query with paged results enabled:

    ldapsearch -s one -h 134.214.182.252 -b "dc=my-domain,dc=com" -w secret -D "cn=Manager,dc=my-domain,dc=com" -E pr=100
    # extended LDIF
    #
    # LDAPv3
    # base <dc=my-domain,dc=com> with scope oneLevel
    # filter: (objectclass=*)
    # requesting: ALL
    # with pagedResults control: size=100
    #

    # my-domain.com
    dn: dc=my-domain,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: my-domain
    o: my-domain

    # search result
    search: 2
    result: 0 Success
    control: 1.2.840.113556.1.4.319 false MAUCAQAEAA==
    pagedresults: cookie=

    # numResponses: 2
    # numEntries: 1

The base object is returned, but shouldn't be.
This behaviour shows an endless recursive directory hierarchy in some LDAP browsers (sometimes crashing them). It can also create endless loops in some applications querying the LDAP server (Canon Uniflow in my case).
Regards,
Frederic Jacquot
INSA Lyon
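
A client-side check for the condition reported above, added here as an example and not part of the original report: it scans ldapsearch LDIF output from a scope-one search and lists every entry that is not an immediate subordinate of the base, which a tree-walking client can drop before recursing. The function names, the simplified DN normalization and the ou=people sample entry are assumptions made for illustration.

```python
import base64

# Constructed sample: the paged-results entry from the report, plus one
# made-up child entry (ou=people) for contrast.
SAMPLE = """\
# my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
dc: my-domain

# people, my-domain.com
dn: ou=people,dc=my-domain,dc=com
objectClass: organizationalUnit
"""

def entry_dns(ldif_text):
    """DNs of all entries in LDIF text; unfolds continuation lines, decodes 'dn::'."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folded line
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def normalize_dn(dn):
    """Simplified normalization (assumption): case-fold, trim around ',' and '='.
    Escaped commas and multi-valued RDNs are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)

def scope_violations(base_dn, ldif_text):
    """Entries in a singleLevel result that are not immediate subordinates of base_dn."""
    base = normalize_dn(base_dn)
    bad = []
    for dn in entry_dns(ldif_text):
        n = normalize_dn(dn)
        immediate = n.endswith("," + base) and n.count(",") == base.count(",") + 1
        if not immediate:
            bad.append(dn)
    return bad
```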