apr-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: APR_LDAP_OPT_REFHOPLIMIT and OpenLDAP
Date Fri, 16 Jan 2009 20:02:10 GMT
Jeff Trawick wrote:

> With Ubuntu's packaging of OpenLDAP 2.4.9 and whatever OpenLDAP is in 
> Leopard.latest, LDAP_OPT_REFHOPLIMIT is defined in ldap.h but the 
> library returns an error when trying to set it to 5 (httpd LDAP's 
> default value).  This is apparently a wide-spread issue 
> (http://article.gmane.org/gmane.network.openldap.devel/3619).
> 
> The intent in apr_ldap_set_option() is apparently to ignore lack of 
> support for LDAP_OPT_REFHOPLIMIT, but that is implemented with this 
> compile-time check:
> 
> #if !defined(LDAP_OPT_REFHOPLIMIT) || APR_HAS_NOVELL_LDAPSDK
> 
> How to handle...  Ignore failures and return success if 
> LDAP_OPT_REFHOPLIMIT defined but the set fails?
> 
> (As an aside, this busts httpd trunk's LDAP auth with these libraries 
> until you set LDAPReferrals Off.)

I suspect the right way to fix this is for APR to be honest about the 
support for LDAP_OPT_REFHOPLIMIT - if the compile time test determines 
that REFHOPLIMIT is either truly unsupported or broken, the attempt 
should return APR_ENOTIMPL.

If it succeeds, it should return APR_SUCCESS, and if it fails it should 
return a corresponding error message.

Clients in turn (starting with mod_authnz_ldap) should then behave 
intelligently to the success/notimpl/fail as would make sense for the app.

So in other words, if it succeeds, all well and good. If it fails, 
return an error. If unimplemented, shrug shoulders and silently ignore 
the call.

This makes sure that we don't lose the ability to detect a legitimate 
failure.

Regards,
Graham
--
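The tri-state contract Graham proposes (APR_SUCCESS / APR_ENOTIMPL / error, with the client ignoring only the unimplemented case) can be sketched in plain C. This is an added illustration, not APR or mod_authnz_ldap code: the status values, the `ex_` function names, the `struct sdk` simulation of the LDAP SDK and the `has_refhoplimit` flag standing in for a compile-time probe are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in status codes. APR defines APR_SUCCESS and APR_ENOTIMPL in
 * apr_errno.h with its own values; these are local to the example. */
#define EX_SUCCESS   0
#define EX_ENOTIMPL  1
#define EX_EGENERAL  2

/* Simulated LDAP SDK. In real code has_refhoplimit would be decided at
 * compile time (configure probe / #ifdef); it is a field here so that all
 * three paths can be exercised in one program. */
struct sdk {
    int has_refhoplimit;  /* 1: LDAP_OPT_REFHOPLIMIT usable; 0: absent or known broken */
    int rejects_set;      /* 1: library returns an error from ldap_set_option at runtime */
    int hoplimit;         /* value the "library" actually stored */
};

/* Simulated ldap_set_option(): 0 on success, nonzero LDAP error otherwise.
 * The error value is constructed for the example. */
static int sim_ldap_set_option(struct sdk *s, int value)
{
    if (s->rejects_set)
        return 0x59;
    s->hoplimit = value;
    return 0;
}

/* Proposed wrapper: be honest about support.
 * - option not available at compile time  -> EX_ENOTIMPL
 * - library accepted the value            -> EX_SUCCESS
 * - library rejected the value at runtime -> EX_EGENERAL (a real failure) */
static int ex_set_refhoplimit(struct sdk *s, int value, const char **reason)
{
    if (!s->has_refhoplimit) {
        *reason = "LDAP_OPT_REFHOPLIMIT not supported by this SDK";
        return EX_ENOTIMPL;
    }
    if (sim_ldap_set_option(s, value) != 0) {
        *reason = "ldap_set_option(LDAP_OPT_REFHOPLIMIT) failed";
        return EX_EGENERAL;
    }
    *reason = "referral hop limit set";
    return EX_SUCCESS;
}

/* Client policy (what an auth module would do): proceed on success,
 * shrug and proceed on not-implemented, refuse to continue on a genuine
 * failure so that misconfiguration is not silently masked.
 * Returns 1 to proceed, 0 to abort, and writes a one-line log message. */
static int ex_client_apply_hoplimit(struct sdk *s, int hops, char *log, size_t loglen)
{
    const char *reason = "";
    int rv = ex_set_refhoplimit(s, hops, &reason);

    switch (rv) {
    case EX_SUCCESS:
        snprintf(log, loglen, "info: %s (%d)", reason, hops);
        return 1;
    case EX_ENOTIMPL:
        snprintf(log, loglen, "notice: %s; ignoring", reason);
        return 1;
    default:
        snprintf(log, loglen, "error: %s", reason);
        return 0;
    }
}

int main(void)
{
    /* Three constructed SDKs: working, absent, and defined-but-rejecting. */
    struct sdk good   = {1, 0, -1};
    struct sdk absent = {0, 0, -1};
    struct sdk broken = {1, 1, -1};
    char log[128];

    printf("%d %s\n", ex_client_apply_hoplimit(&good,   5, log, sizeof log), log);
    printf("%d %s\n", ex_client_apply_hoplimit(&absent, 5, log, sizeof log), log);
    printf("%d %s\n", ex_client_apply_hoplimit(&broken, 5, log, sizeof log), log);
    return 0;
}
```

The point of the split is visible in the third case: with a single compile-time mask, a library that defines the macro but rejects the value would look identical to success, whereas here it surfaces as an error the client can act on.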
