[
https://issues.apache.org/jira/browse/DIRSERVER-1651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094881#comment-13094881
]
Howard Chu commented on DIRSERVER-1651:
---------------------------------------
There is nothing to be gained from maliciously spoofing the cookie, since the
operation is part of a regular Search request. I.e., the client can only ever
retrieve any information that server authorizations would already allow the
client to see.
Indeed, slapd's -c option allows a sysadmin to set any cookie value at all;
this is intended to be used to force a consumer to re-pull data from an older
point in time, in case more recent data was lost/corrupted/whatever.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
> rfc 4533 implementation differences between openldap and apacheDS
> -----------------------------------------------------------------
>
> Key: DIRSERVER-1651
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1651
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap
> Affects Versions: 2.0.0-M2
> Reporter: Hajo Kliemeck
> Labels: 4533, openldap, syncrepl
>
> There is an incompatibility between the RFC 4533 implementation of apacheDS
> and openldap.
> openldap uses the cookie structure "rid=<replicaId>" (initial) or
> "rid=<replicaId>,csn=<Csn value>" (update) while apacheDS is using NULL for
> the initial state and the structure "<replicaId>;<Csn value>" for the update
> state. in the RFC its said:
> {quote}
> The absence of a cookie or an initialized synchronization state in a cookie
> indicates a request for initial content.....
> {quote}
> first is apacheDS like, second is openldap like
> It should be possible to adapt the structure or the behavior.
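
Added example, not part of the original message or of either project's code: a Python sketch that normalizes the two cookie layouts quoted in the issue into one structure, treating the cookie as client-controlled input that only selects a resume point. The names `SyncState` and `parse_sync_cookie`, the 256-byte limit, the decimal replica id and the sample CSN strings are assumptions.

```python
from typing import NamedTuple, Optional

MAX_COOKIE_LEN = 256  # assumed bound; the issue does not state one


class SyncState(NamedTuple):
    replica_id: Optional[int]  # None when no cookie was sent
    csn: Optional[str]         # None means "request initial content"
    style: str                 # "absent", "openldap" or "apacheds"


def parse_sync_cookie(cookie: Optional[bytes]) -> SyncState:
    """Parse a syncrepl cookie in either layout quoted in DIRSERVER-1651.

    The cookie comes from the client, so it is validated like any other
    request field. It never grants access: it only picks the point from
    which the (already authorized) search resumes.
    """
    if not cookie:  # ApacheDS-style initial state: no cookie at all
        return SyncState(None, None, "absent")
    if len(cookie) > MAX_COOKIE_LEN:
        raise ValueError("cookie too long")
    text = cookie.decode("ascii")  # UnicodeDecodeError is a ValueError

    if text.startswith("rid="):
        # OpenLDAP layout: rid=<replicaId>[,csn=<Csn value>]
        fields = {}
        for part in text.split(","):
            key, sep, value = part.partition("=")
            if not sep or key in fields:
                raise ValueError("malformed OpenLDAP-style cookie")
            fields[key] = value
        # Keys other than rid and csn are ignored (assumption).
        rid, csn, style = fields["rid"], fields.get("csn"), "openldap"
    else:
        # ApacheDS layout: <replicaId>;<Csn value>
        rid, sep, csn = text.partition(";")
        if not sep:
            raise ValueError("malformed ApacheDS-style cookie")
        style = "apacheds"

    # Assumption: replica ids are decimal; the CSN is kept opaque.
    if not rid.isdigit() or csn == "":
        raise ValueError("invalid replica id or empty CSN")
    return SyncState(int(rid), csn, style)
```

A cookie with a replica id but no CSN is returned with `csn=None`, so the caller can treat it the same way as an absent cookie, which is the RFC 4533 reading quoted in the issue.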