On 25/10/2019 18:41, Howard Chu wrote:
philip.brusten@kuleuven.be wrote:
That fix was based on (old?) documentation of MS from https://msdn.microsoft.com/en-us/library/aa366979%28v=vs.85%29.aspx The is no current version of this document.
The above URL redirects me to https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/ldap...
Our implementation conforms to the above spec.
Correct, but the URL path contains "previous-versions", hence I was looking for the current version, which does not exist.
This is the correct response to a malformed message according to RFC4511.
Could you please quote the RFC4511 on this? This is not 100% clear to me...
The LDAP Extended Control spec of MS states [2]:
If the controlValue field contains data that is not in conformance with the specification of the control, including the case where the controlValue field contains data and the specification of the control states that the controlValue field is omitted, then if the control is marked critical the server returns the error unavailableCriticalExtension / ERROR_INVALID_PARAMETER. If the controlValue field is incorrect but the control is not marked critical, the server ignores the control.
MS seems to be inventing their own protocol here since RFC4511 contains no such language.
So the server should only return an error when the control is marked critical. Otherwise it should *ignore* the control.
Is it possible to relax the validation of the LDAP control at [3]? Since there is no value associated with this control, it should not matter if the controlValue is missing or an empty octet string {0,NULL}...
The ldapsearch code sets the controlValue to [4]:
c[i].ldctl_value.bv_val = NULL; c[i].ldctl_value.bv_len = 0;
We observed that the controlValue is than missing via Wireshark. So we see a difference on the line for empty octet strings, but should it matter?
Yes, in ASN.1 "empty value" and "absent value" are not the same thing. E.g., you can store zero-length strings as attribute values. Those values are "present" even though they are empty.
IMHO Microsoft and OpenLDAP are doing the same thing on a protocol level. You are both setting the controlValue to a struct {0,NULL}.
However with Microsoft, this is still translated to the network level, whereas with OpenLDAP this controlValue is omitted.
The "value" of the "controlValue" struct is however still NULL. So it's not clear to me why it's translated to empty, not null. (is there an somewhere an assumption that translates zero-length octet string to non null values?)
MS is playing fast and loose with their specifications and implementation. This is at the very least a doc bug in their control specification, if it's not just a bug in their client libraries. You should at least open a bug report with them so that it's on the record somewhere (even if they ultimately ignore it).
We can alter our parser to relax this check, I guess. Along with a comment explaining that this is done for compatibility with MS's broken clients. This is not the first time we've run into MS spec and implementation disagreeing with each other...
We will submit the issue to MS. But in the case of this domainScope control, it should not matter if the value is empty or missing, only the controlType is relevant. Could Postel's law be applied in this case?
Regards,
Philip