Re: (ITS#5980) libldap referral chasing now returns referral (10) and matchedDN - openldap-bugs

3 Mar 2009


      Pierangelo Masarati wrote:
...
hyc@symas.com wrote:
...
ando@sys-net.it wrote:
...
Full_Name: Pierangelo Masarati
Version: HEAD/re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.63.140.131)
Submitted by: ando
Probably a side-effect of fixing ITS#5853: when setting LDAP_OPT_REFERRALS,
libldap automatically chases any referrals, but at the end returns a response
with ld_errno set to 10 and ld_matched set to the portion of DN that was matched
in the initial request.  This is because the corresponding fields in the parent
request are not cleared when the referral is successfully chased.  I'm trying to
fix this, but it's not clear to me when success should be detected: at
successful referral chasing request submission, I guess?
When does this behavior? It doesn't show up in e.g. test009...
If you have a subordinate reference in server1 that points to server2
and you search server1 using the DN of the subordinate reference.  What
I do is:

fire test003

create a slapd.2.conf with suffix "ou=Other,dc=example,dc=com"

populate server1 with


dn: ou=Other,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
ou: Other
ref: ldap://:9012/ou=Other,dc=example,dc=com

populate server2 with

dn: ou=Other,dc=example,dc=com
objectClass: organizationalUnit
ou: Other
dn: cn=Foo Bar,ou=Other,dc=example,dc=com
objectClass: device
cn: Foo Bar

search server1 for "ou=Other,dc=example,dc=com"

According to libldap/request.c this test is invalid; find_connection will not 
match URLs with empty hostname. That code has been like that for several 
years. Perhaps the test for empty hostname should be dropped, but in real 
deployments a referral to localhost doesn't make a lot of sense anyway.
...
Apparently, test009 is only testing the superior reference.  test016
tests subordinate references, but without even trying -C.  I think the
test should be modified to be run once without and once with -C in order
to test the library's behavior.  I believe automatic referral chasing
should be deprecated, but I fear there are tons of code out there that
rely on it.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/