I'd like to reopen the discussion on this issue. We're hitting this same problem with the SSSD when dealing with ActiveDirectory. It really doesn't make sense to me that every consumer of the OpenLDAP libraries should be required to reimplement this (admittedly incorrect) extension to ActiveDirectory.
As Petter suggested in his comment from April 21, 2008, ActiveDirectory provides a server control to identify that the feature is in play.
I feel that it would be beneficial to OpenLDAP's library consumers if they handled range lookups automatically and internally, similar to the way that referrals are chased.
Consumers of the OpenLDAP API should be able to reliably assume that if they ask for the set of values for an attribute of a completed request, they will get back all of the values.
Please reconsider adding this support into OpenLDAP.
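The range-retrieval loop described above, as an added example that is not part of this ITS thread or of libldap/SSSD code: it parses the `attr;range=low-high` option Active Directory attaches to oversized multi-valued attributes, issues the follow-up `attr;range=N-*` requests until the server answers with a `*` high bound, and caps the number of rounds so a misbehaving server cannot keep the client searching indefinitely. The `search` callable and `make_fake_ad` are constructed stand-ins for a directory server, not a real LDAP connection.

```python
import re

# AD range option on an attribute description ("member;range=0-1499"); high bound "*" marks the last chunk.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)

def parse_range_option(attr_desc):
    m = RANGE_RE.match(attr_desc)
    if not m:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr"), int(m.group("low")), high

def next_range_request(attr_desc):
    """Build the description that asks for the chunk after attr_desc, or None when complete."""
    parsed = parse_range_option(attr_desc)
    if parsed is None or parsed[2] is None:
        return None
    return f"{parsed[0]};range={parsed[2] + 1}-*"

def fetch_all_values(search, dn, attr, max_rounds=100):
    """Drive the range loop. search(dn, attr_desc) stands in for one LDAP search of one entry
    and returns {attribute_description: [values]}. Bounded so follow-up searches cannot run forever."""
    values, request = [], attr
    for _ in range(max_rounds):
        entry = search(dn, request)
        for desc, vals in entry.items():
            if desc.lower() == attr.lower():          # plain attribute: all values at once
                return values + vals
            parsed = parse_range_option(desc)
            if parsed and parsed[0].lower() == attr.lower():
                values.extend(vals)
                request = next_range_request(desc)
                if request is None:                   # server sent range=N-*: done
                    return values
                break
        else:
            return values                             # attribute not present in the entry
    raise RuntimeError("range retrieval did not terminate")

def make_fake_ad(total_members, chunk=1500):
    """Constructed stand-in for an AD group (not a real server): plain 'member' up to `chunk` values."""
    members = [f"CN=user{i},OU=People,DC=example,DC=test" for i in range(total_members)]
    def search(dn, attr_desc):
        parsed = parse_range_option(attr_desc)
        if parsed is None and total_members <= chunk:
            return {"member": members}
        low = parsed[1] if parsed else 0
        high = min(low + chunk, total_members)
        label = "*" if high >= total_members else str(high - 1)
        return {f"member;range={low}-{label}": members[low:high]}
    return search
```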
The complexity of handling this nonsense in libldap seems not worth the effort; I think we might consider working around this in proxy backends (much like we did for unsolicited paged results response in back-meta, ITS#6664, which could be added to back-ldap as well).
I don't think implementing something that requires a theoretically unbounded number of nested search requests for each attribute value that contains a range in each SearchResultEntry message makes sense.
The parallel with referrals is not appropriate, since referrals are part of LDAP specification; also, please note that automatic referral chasing is strongly discouraged unless the transport layer is protected (Section 6 of RFC 4511).
p.