https://issues.apache.org/bugzilla/show_bug.cgi?id=46698
Summary: invalid default sizelimit in ldap searches
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: mod_auth_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]
mod_auth_ldap on OpenVMS won't authenticate users against a modern OpenLDAP
installation.
I am using the Apple Open Directory implementation of OpenLDAP from Mac OSX
Server 10.5.6.
The function for LDAP authentication is uldap_cache_getuserdn which in turn
uses the function ldap_search_ext_s to do the uid search portion.
In modules/ldap/util_ldap.c, ldap_search_ext_s is called as follows (revision
737582 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=737582 ) from 2.3-HEAD):

    result = ldap_search_ext_s(ldc->ldap, (char *)reqdn, LDAP_SCOPE_BASE,
                               "(objectclass=*)", NULL, 1,
                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);

and from the top of util_ldap.c:

    #ifndef APR_LDAP_SIZELIMIT
    #define APR_LDAP_SIZELIMIT -1
    #endif

Older revisions (httpd 2.2.5 and before) use a static -1 in place of
APR_LDAP_SIZELIMIT.
From ldap.h (OpenLDAP), here are the parameters for ldap_search_ext_s:

    ldap_search_ext_s LDAP_P((
        LDAP *ld,
        LDAP_CONST char *base,
        int scope,
        LDAP_CONST char *filter,
        char **attrs,
        int attrsonly,
        LDAPControl **serverctrls,
        LDAPControl **clientctrls,
        struct timeval *timeout,
        int sizelimit,
        LDAPMessage **res ));

So the value '-1' is passed as the sizeLimit parameter from the client
(mod_auth_ldap) to the server (OpenLDAP).
This seems to work for a lot of client / server combinations, however it is not
working here.
According to RFC 4511 (section 4.5.1), sizelimit is an unsigned integer
between 0 and maxInt. A value of zero indicates no size limit.
Would it make sense to change the default APR_LDAP_SIZELIMIT to 0? I welcome
any other feedback...
Thanks,
Matt
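
Added example (not part of the original report, and not httpd or OpenLDAP code): what a sizelimit of -1 looks like as a BER INTEGER if a client library forwards it unchanged, and why a receiver that enforces the RFC 4511 range INTEGER (0 .. maxInt) rejects it while 0 passes. All function names are hypothetical, and the verbatim forwarding of -1 is an assumption about the client library.

```c
#include <stdint.h>
#include <stdio.h>

/* BER-encode v as a universal INTEGER (tag 0x02) in minimal two's-complement
 * form, dropping leading octets that only repeat the sign bit.
 * out must hold 6 bytes; returns the number of bytes written. */
size_t ber_put_int(int32_t v, unsigned char *out)
{
    unsigned char tmp[4];
    size_t n = 4, i;
    for (i = 0; i < 4; i++)
        tmp[i] = (unsigned char)((uint32_t)v >> (24 - 8 * i));
    for (i = 0; n > 1 && ((tmp[i] == 0x00 && !(tmp[i + 1] & 0x80)) ||
                          (tmp[i] == 0xFF && (tmp[i + 1] & 0x80))); i++)
        n--;
    out[0] = 0x02; out[1] = (unsigned char)n;
    for (size_t k = 0; k < n; k++) out[2 + k] = tmp[i + k];
    return 2 + n;
}

/* Decode a BER INTEGER with 1..4 content octets (so the result never exceeds
 * maxInt); returns 0 on success, -1 on malformed input. */
int ber_get_int(const unsigned char *in, size_t len, int32_t *v)
{
    if (len < 3 || in[0] != 0x02 || in[1] < 1 || in[1] > 4 || len != 2u + in[1])
        return -1;
    uint32_t acc = (in[2] & 0x80) ? 0xFFFFFFFFu : 0u;   /* sign-extend */
    for (size_t k = 0; k < in[1]; k++) acc = (acc << 8) | in[2 + k];
    *v = (int32_t)acc;
    return 0;
}

/* Strict receiver check of SearchRequest.sizeLimit, INTEGER (0 .. maxInt = 2147483647). */
int sizelimit_in_range(const unsigned char *in, size_t len)
{
    int32_t v;
    return ber_get_int(in, len, &v) == 0 && v >= 0;
}

/* Hypothetical client-side guard: send 0 ("no limit") for any negative value. */
int32_t wire_sizelimit(int32_t requested) { return requested < 0 ? 0 : requested; }

int main(void)
{
    unsigned char buf[6];   /* constructed sample values: -1 and its guarded form */
    size_t n = ber_put_int(-1, buf);
    printf("-1 -> %02X %02X %02X, in range: %d\n", buf[0], buf[1], buf[2], sizelimit_in_range(buf, n));
    n = ber_put_int(wire_sizelimit(-1), buf);
    printf(" 0 -> %02X %02X %02X, in range: %d\n", buf[0], buf[1], buf[2], sizelimit_in_range(buf, n));
}
```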