(ITS#7353) Handling request controls that include spurious control values - openldap-bugs

14 Aug 2012


      Full_Name: Matthew Hardin
Version: 2.4.32
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (69.43.206.100)
Some clients, like Oracle SGD, incorrectly implement the password policy request
control by including a zero-length control value with the request control.
OpenLDAP reports "passwordPolicyRequest control value not absent" and fails the
operation with a Protocol Error (2). While this behavior follows the letter of
RFC 4511, the control value in this case is zero-length and therefore harmless.
Failing in this case seems merely punctilious, and has no real benefit. For
reference, OpenLDAP 2.3 allowed a zero-length control value.
While I don't believe it's acceptable for clients to present malformed controls,
I do think it's sufficient, at least in this case, to log a warning and continue
processing the request.
For reference, the BER dump below shows the bind request containing the
incorrectly-formatted password policy request control as well as the various
stages of parsing. The request in this case comes from Oracle SGD 4.62.913.
ber_get_next: tag 0x30 len 89 contents:
ber_dump: buf=101fd8f00 ptr=101fd8f00 end=101fd8f59 len=89
 0000:  02 01 01 60 33 02 01 03  04 27 63 6e 3d 70 70 6f   ...`3....'cn=ppo  
 0010:  6c 69 63 79 74 73 74 2c  6f 75 3d 50 6f 6c 69 63   licytst,ou=Polic  
 0020:  69 65 73 2c 64 63 3d 76  73 6f 2c 64 63 3d 63 6f   ies,dc=vso,dc=co  
 0030:  6d 80 05 61 61 61 61 61  a0 1f 30 1d 04 19 31 2e   m..aaaaa..0...1.  
 0040:  33 2e 36 2e 31 2e 34 2e  31 2e 34 32 2e 32 2e 32   3.6.1.4.1.42.2.2  
 0050:  37 2e 38 2e 35 2e 31 04  00                        7.8.5.1..         
502a936b op tag 0x60, time 1344967531
ber_get_next
502a936b conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f03 end=101fd8f59 len=86
 0000:  60 33 02 01 03 04 27 63  6e 3d 70 70 6f 6c 69 63   `3....'cn=ppolic  
 0010:  79 74 73 74 2c 6f 75 3d  50 6f 6c 69 63 69 65 73   ytst,ou=Policies  
 0020:  2c 64 63 3d 76 73 6f 2c  64 63 3d 63 6f 6d 80 05   ,dc=vso,dc=com..  
 0030:  61 61 61 61 61 a0 1f 30  1d 04 19 31 2e 33 2e 36   aaaaa..0...1.3.6  
 0040:  2e 31 2e 34 2e 31 2e 34  32 2e 32 2e 32 37 2e 38   .1.4.1.42.2.27.8  
 0050:  2e 35 2e 31 04 00                                  .5.1..            
ber_scanf fmt (m}) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f31 end=101fd8f59 len=40
 0000:  00 05 61 61 61 61 61 a0  1f 30 1d 04 19 31 2e 33   ..aaaaa..0...1.3  
 0010:  2e 36 2e 31 2e 34 2e 31  2e 34 32 2e 32 2e 32 37   .6.1.4.1.42.2.27  
 0020:  2e 38 2e 35 2e 31 04 00                            .8.5.1..          
502a936b => get_ctrls
ber_scanf fmt ({m) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f3a end=101fd8f59 len=31
 0000:  30 1d 04 19 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   0...1.3.6.1.4.1.  
 0010:  34 32 2e 32 2e 32 37 2e  38 2e 35 2e 31 04 00      42.2.27.8.5.1..   
ber_scanf fmt (m) ber:
ber_dump: buf=101fd8f00 ptr=101fd8f57 end=101fd8f59 len=2
 0000:  00 00                                              ..                
502a936b => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
502a936b <= get_ctrls: n=1 rc=2 err="passwordPolicyRequest control value not
absent"
502a936b send_ldap_result: conn=1001 op=0 p=3
502a936b send_ldap_response: msgid=1 tag=97 err=2
As an aside, the error text left me scratching my head and reading the source
code to figure out what was meant. Each of the other request control handlers
that doesn't require/allow a control value has a similar message. Could we
change these messages to:
{Warning|Error}: Spurious <control name here> control value found in request.
Comments?