mhardin@symas.com wrote:
> Some additional information:
>
> Some objects being returned from AD have very large multi-valued attributes (for example, member). AD is returning them in the ";range" format, but they are not getting past back-meta. For example, a direct search for the object in AD will return stuff like this:
>
> member;range=0-1499: CN=Alice Bar,OU=My-Company-Accounts,OU=User Accounts,OU=Common,DC=my-company,DC=com
>
> but doing the same search through slapd/back-meta using the same credentials, the member attribute is not displayed at all. There are no attribute maps in place that would cause this.

Apparently, that was it: back-meta (and back-ldap) was ignoring attribute names that cannot be parsed, but it was not discarding their values. Should be fixed now in HEAD. Please test.
BTW, it seems that proxy backends could try to exploit this in order to intercept value ranges returned by AD and consolidate them in a single, LDAP-compliant entry. Not something I'm too excited about, though.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
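
The consolidation mentioned in the reply above, shown as an added Python example (not part of the original thread and not OpenLDAP code): it strips the `;range=` option from attribute descriptions such as `member;range=0-1499` and merges successive chunks into one attribute, refusing to return a partial list. The function names, the dict-based entry layout and the sample DNs are assumptions made for illustration; `*` as the upper bound marks the final chunk.

```python
import re

RANGE_OPT = re.compile(r"range=(\d+)-(\d+|\*)", re.IGNORECASE)

def split_range(attr_desc):
    """Split 'member;range=0-1499' into ('member', 0, 1499); bounds are None
    without a range option, and the upper bound is None for a final 'N-*'."""
    base, *options = attr_desc.split(";")
    bounds, kept = None, [base]
    for opt in options:
        m = RANGE_OPT.fullmatch(opt)
        if m:
            bounds = (int(m.group(1)), None if m.group(2) == "*" else int(m.group(2)))
        else:
            kept.append(opt)          # keep unrelated options such as ';binary'
    return (";".join(kept),) + (bounds or (None, None))

def consolidate(chunks):
    """Merge entries from successive range searches of one object (each a
    dict: attribute description -> values) into one entry without ranges."""
    merged, ranged = {}, {}
    for entry in chunks:
        for desc, values in entry.items():
            name, low, high = split_range(desc)
            if low is None:
                merged.setdefault(name, list(values))
            else:
                ranged.setdefault(name, []).append((low, high, values))
    for name, parts in ranged.items():
        parts.sort(key=lambda p: p[0])
        expected, out = 0, []
        for low, high, values in parts:
            if low != expected:
                raise ValueError(f"{name}: gap or overlap at index {low}")
            if high is not None and len(values) != high - low + 1:
                raise ValueError(f"{name}: chunk {low}-{high} has wrong size")
            out.extend(values)
            expected = low + len(values)
        if parts[-1][1] is not None:  # a truncated group must never look complete
            raise ValueError(f"{name}: final chunk (range=N-*) not fetched")
        merged[name] = out            # replaces the empty plain attribute, if any
    return merged

# Constructed sample: two search results for one group, fetched three values at a time.
SAMPLE_CHUNKS = [
    {"cn": ["Big Group"], "member": [],
     "member;range=0-2": [f"CN=User{i},DC=example,DC=com" for i in range(3)]},
    {"member;range=3-*": [f"CN=User{i},DC=example,DC=com" for i in range(3, 5)]},
]
```

Raising on a missing final chunk matters when the merged `member` list feeds an authorization decision: a silently shortened group is harder to notice than an error.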