ondra@mistotebe.net wrote:
On Wed, Apr 05, 2017 at 04:14:12PM +0200, Michael Ströder wrote:
ondra@mistotebe.net wrote:
On Wed, Apr 05, 2017 at 07:32:46AM -0400, Frank Swasey wrote:
Thanks for the patch to provide a test script that just shows the same thing.
I see two possible solutions:
- replacing the same attribute twice in the same modify LDIF is illegal
(as it was in older releases)
AFAIK, LDAP doesn't forbid it so I don't see that going away.
Yes, there's no text in RFC 4511 which forbids this: https://tools.ietf.org/html/rfc4511#section-4.6
However personally I consider LDAP clients sending modify requests like this to be broken/mis-behaving. (And I'd like to know which LDAP clients were causing this ITS.)
I'm not saying it's common or good practice ;)
=> There could be a slapd per-backend configuration directive to disallow it with a strong hint in the docs recommending to disallow it when using delta-syncrepl.
Suggestion: disallow mod_attr_repeated
In my view, that's more pain than it's worth.
Hmm, I think slapd should be able to disallow a crazy modify request like this:
dn: cn=foobar,dc=example,dc=com
changetype: modify
replace: description
description: foobar1
-
replace: description
description: foobar2
-
..
replace: description
description: foobar1000
-
Ciao, Michael.
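
Added example, not part of the thread and not OpenLDAP code: a pre-submission check that flags LDIF modify records which touch the same attribute more than once, the request shape discussed above. The names unfold and repeated_mods are hypothetical, the sample LDIF is constructed, and base64-encoded DNs ("dn::") are not decoded.

```python
from collections import Counter

MOD_OPS = {"add", "delete", "replace", "increment"}

# Constructed sample input: one modify record replacing "description" twice.
SAMPLE = """\
dn: cn=foobar,dc=example,dc=com
changetype: modify
replace: description
description: foobar1
-
replace: Description
description: foobar2
-
"""


def unfold(text):
    """Join RFC 2849 folded lines (continuations start with one space), drop comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [l for l in lines if not l.startswith("#")]


def repeated_mods(ldif_text):
    """Return {dn: {attr: count}} for modify records that name an attribute more than once."""
    findings, dn, is_modify, at_op, counts = {}, None, False, False, Counter()
    for line in unfold(ldif_text) + [""]:      # trailing "" closes the last record
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not line.strip():                   # blank line ends a record
            repeated = {a: n for a, n in counts.items() if n > 1}
            if dn and is_modify and repeated:
                findings[dn] = repeated
            dn, is_modify, at_op, counts = None, False, False, Counter()
        elif key == "dn":
            dn = value
        elif key == "changetype":
            is_modify = at_op = value.lower() == "modify"
        elif key == "-":                       # separator: next line starts a new mod-spec
            at_op = True
        elif is_modify and at_op and key in MOD_OPS:
            counts[value.lower()] += 1         # attribute names compare case-insensitively
            at_op = False
    return findings


if __name__ == "__main__":
    print(repeated_mods(SAMPLE))
```
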