apr-dev mailing list archives

From "Jeff Trawick" <traw...@gmail.com>
Subject Re: APR_LDAP_OPT_REFHOPLIMIT and OpenLDAP
Date Mon, 19 Jan 2009 22:29:54 GMT
On Fri, Jan 16, 2009 at 3:02 PM, Graham Leggett <minfrin@sharp.fm> wrote:

> Jeff Trawick wrote:
>
>> With Ubuntu's packaging of OpenLDAP 2.4.9 and whatever OpenLDAP is in
>> Leopard.latest, LDAP_OPT_REFHOPLIMIT is defined in ldap.h but the library
>> returns an error when trying to set it to 5 (httpd LDAP's default value).
>>  This is apparently a wide-spread issue (
>> http://article.gmane.org/gmane.network.openldap.devel/3619).
>>
>> The intent in apr_ldap_set_option() is apparently to ignore lack of
>> support for LDAP_OPT_REFHOPLIMIT, but that is implemented with this
>> compile-time check:
>>
>> #if !defined(LDAP_OPT_REFHOPLIMIT) || APR_HAS_NOVELL_LDAPSDK
>>
>> How to handle...  Ignore failures and return success if
>> LDAP_OPT_REFHOPLIMIT defined but the set fails?
>>
>> (As an aside, this busts httpd trunk's LDAP auth with these libraries
>> until you set LDAPReferrals Off.)
>>
>
> I suspect the right way to fix this is for APR to be honest about the
> support for LDAP_OPT_REFHOPLIMIT - if the compile time test determines that
> REFHOPLIMIT is either truly unsupported or broken, the attempt should return
> APR_ENOTIMPL.


Since OpenLDAP defines the option but (at least in common levels) fails the
option at run-time, I guess you mean a configure test instead of a compile
test, using a test program that proceeds far enough along with the LDAP
setup to see if LDAP_OPT_REFHOPLIMIT works?

At some point a run-time check has to decide that LDAP_OPT_ERR from
ldap_set_option(..,LDAP_OPT_REFHOPLIMIT...) means not-implemented.
 Alternatively, many apps should just decide that a failure of that option
is not important.
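
The run-time decision discussed in this message, as an added example that is not part of the original post or of APR's code. The `X_`-prefixed constants, the `fake_*` functions, `set_option_checked` and `configure_referrals` are hypothetical stand-ins (shaped like `ldap_set_option`) so the example builds without libldap:

```c
#include <stdio.h>

/* Constructed stand-ins: names echo the thread, values are illustrative. */
#define X_OPT_REFHOPLIMIT 0x1234
#define X_OPT_OTHER       0x5678
#define X_OPT_SUCCESS     0
#define X_OPT_ERROR       (-1)

enum set_result { SET_OK, SET_NOTIMPL, SET_FAILED };

/* Same shape as ldap_set_option(ld, option, invalue). */
typedef int (*set_option_fn)(void *ld, int option, const void *invalue);

/* Fake library: header defines the option, run time rejects it (the case
 * reported in the thread, invisible to an #if defined() check). */
static int fake_rejecting_lib(void *ld, int option, const void *invalue) {
    (void)ld; (void)invalue;
    return option == X_OPT_REFHOPLIMIT ? X_OPT_ERROR : X_OPT_SUCCESS;
}
/* Fake library that honours every option. */
static int fake_accepting_lib(void *ld, int option, const void *invalue) {
    (void)ld; (void)option; (void)invalue;
    return X_OPT_SUCCESS;
}
/* Fake library that fails every option, to show a real error path. */
static int fake_broken_lib(void *ld, int option, const void *invalue) {
    (void)ld; (void)option; (void)invalue;
    return X_OPT_ERROR;
}

/* Run-time mapping: an error on the hop-limit option means "not implemented";
 * an error on any other option stays a genuine failure. */
enum set_result set_option_checked(set_option_fn set, void *ld, int option,
                                   const void *invalue) {
    if (set(ld, option, invalue) == X_OPT_SUCCESS) return SET_OK;
    return option == X_OPT_REFHOPLIMIT ? SET_NOTIMPL : SET_FAILED;
}

/* Caller policy: a missing hop limit is non-fatal, but the caller is told
 * whether it was applied. Returns 0 to continue, -1 on a real failure. */
int configure_referrals(set_option_fn set, void *ld, int hops, int *applied) {
    enum set_result r = set_option_checked(set, ld, X_OPT_REFHOPLIMIT, &hops);
    *applied = (r == SET_OK);
    return r == SET_FAILED ? -1 : 0;
}

int main(void) {
    int applied, rc = configure_referrals(fake_rejecting_lib, NULL, 5, &applied);
    printf("rejecting lib: rc=%d applied=%d\n", rc, applied);
    rc = set_option_checked(fake_broken_lib, NULL, X_OPT_OTHER, &applied);
    printf("broken lib, other option: result=%d\n", rc);
    return fake_accepting_lib(NULL, X_OPT_OTHER, NULL);
}
```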
